Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied

ove*_*nge 5 amazon-sqs amazon-web-services amazon-iam aws-lambda

There are many references to this error, but:

Below is the execution role created for the lambda (AWS::Serverless::Function):

{
  "permissionsBoundary": {
    "permissionsBoundaryArn": "arn:aws:iam::111222333444:policy/some-permission-boundary",
    "permissionsBoundaryType": "Policy"
  },
  "roleName": "some-role-WebhookSampleFunctionRol-6Z7GFHJYHO0T",
  "policies": [
    {
      "document": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "logs:CreateLogGroup",
              "logs:CreateLogStream",
              "logs:PutLogEvents"
            ],
            "Resource": "*"
          }
        ]
      },
      "name": "AWSLambdaBasicExecutionRole",
      "id": "ANDDDDDC42545SKXIK",
      "type": "managed",
      "arn": "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
    }
  ],
  "trustedEntities": [
    "lambda.amazonaws.com"
  ]
}

Here is some-permission-boundary:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:111222333444:log-group:*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "sqs:*"
            ],
            "Resource": [
                "arn:aws:sqs:us-east-1:*:*"
            ],
            "Effect": "Allow"
        }
    ]
}

The lambda does the following:

// AWS SDK for JavaScript v2, which provides the callback-style sendMessage used below
const AWS = require('aws-sdk');
const sqs = new AWS.SQS();

// Wrap the callback API in a Promise so the handler can await it
async function sendToQueue(message) {
  const params = {
    MessageBody: JSON.stringify(message),
    QueueUrl: process.env.queueUrl // queue URL is injected through the function's environment
  };
  return new Promise((resolve, reject) =>
    sqs.sendMessage(params, (error, data) => error ? reject(error) : resolve())
  );
}

This gives the error:

"errorMessage": "Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied.",
    "errorType": "AccessDenied",

We have sqs:* on any queue across accounts in some-permission-boundary.


Why can't the lambda send messages to the queue?

con*_*ier 9

"A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity."

"An entity's permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries."

Source: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html

You did include sqs:* in the permissions boundary, but you did not include any sqs-related action in the policies of the lambda execution role.

You should attach a policy with sqs permissions to your lambda execution role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "sqs:*"
            ],
            "Resource": [
                "arn:aws:sqs:us-east-1:*:*"
            ],
            "Effect": "Allow"
        }
    ]
}
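To make the "intersection" rule in the answer concrete, here is an added example (not code from the original question or answer, and not AWS's own evaluation logic): a small Node.js simulator that combines a role's identity-based policies with its permissions boundary. It models only Allow/Deny statements with Action/Resource wildcards, so it ignores conditions, resource policies, SCPs and session policies. The queue ARNs and the `webhook-queue` name are constructed placeholders, and the "wide" sqs policy in the last scenario is a hypothetical variant added to show which side the boundary caps.

```javascript
// Added example, not code from the original post: simulate how IAM combines a
// role's identity-based policies with its permissions boundary.
// Only Allow/Deny with Action/Resource wildcards are modelled; real IAM also
// evaluates conditions, resource policies, SCPs and session policies.

// Turn an IAM wildcard pattern ("sqs:*", "arn:aws:sqs:us-east-1:*:*") into an
// anchored, case-insensitive RegExp: "*" matches any run, "?" one character.
function patternToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp(`^${escaped}$`, 'i');
}

const asArray = (v) => (Array.isArray(v) ? v : [v]);

function statementMatches(stmt, action, resource) {
  return asArray(stmt.Action).some((a) => patternToRegExp(a).test(action)) &&
    asArray(stmt.Resource).some((r) => patternToRegExp(r).test(resource));
}

// Evaluate one policy document for (action, resource):
// 'Deny' if any matching statement denies, 'Allow' if one allows, else 'Implicit'.
function evaluatePolicy(policy, action, resource) {
  let result = 'Implicit';
  for (const stmt of policy.Statement) {
    if (!statementMatches(stmt, action, resource)) continue;
    if (stmt.Effect === 'Deny') return 'Deny'; // an explicit deny always wins
    if (stmt.Effect === 'Allow') result = 'Allow';
  }
  return result;
}

// Effective permission is the intersection: the identity-based policies must
// allow the call AND, if a boundary is attached, the boundary must allow it too.
function isAllowed({ identityPolicies, permissionsBoundary }, action, resource) {
  const verdicts = identityPolicies.map((p) => evaluatePolicy(p, action, resource));
  if (verdicts.includes('Deny')) return false;
  if (!verdicts.includes('Allow')) return false; // implicit deny on the role itself
  if (permissionsBoundary &&
      evaluatePolicy(permissionsBoundary, action, resource) !== 'Allow') {
    return false; // the boundary caps what the identity policies may grant
  }
  return true;
}

// Policies as posted in the question and the answer.
const logActions = ['logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents'];
const awsLambdaBasicExecutionRole = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Action: logActions, Resource: '*' }],
};
const sqsPolicyFromAnswer = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Action: ['sqs:*'], Resource: ['arn:aws:sqs:us-east-1:*:*'] }],
};
const somePermissionBoundary = {
  Version: '2012-10-17',
  Statement: [
    { Effect: 'Allow', Action: logActions,
      Resource: ['arn:aws:logs:us-east-1:111222333444:log-group:*'] },
    { Effect: 'Allow', Action: ['sqs:*'], Resource: ['arn:aws:sqs:us-east-1:*:*'] },
  ],
};
// Hypothetical wider policy (assumption, not on the page): sqs:* on every resource.
const wideSqsPolicy = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Action: 'sqs:*', Resource: '*' }],
};

// Constructed queue ARNs; account id and queue name are placeholders.
const queueInUsEast1 = 'arn:aws:sqs:us-east-1:111222333444:webhook-queue';
const queueInEuWest1 = 'arn:aws:sqs:eu-west-1:111222333444:webhook-queue';

// The role exactly as in the question: boundary allows sqs:*, identity policy does not.
function roleAsInQuestion(action, resource) {
  return isAllowed({ identityPolicies: [awsLambdaBasicExecutionRole],
    permissionsBoundary: somePermissionBoundary }, action, resource);
}
// The role after attaching the answer's sqs policy.
function roleAsInAnswer(action, resource) {
  return isAllowed({ identityPolicies: [awsLambdaBasicExecutionRole, sqsPolicyFromAnswer],
    permissionsBoundary: somePermissionBoundary }, action, resource);
}
// The role with the wide policy: the boundary still limits it to us-east-1 queues.
function roleWithWideSqsPolicy(action, resource) {
  return isAllowed({ identityPolicies: [awsLambdaBasicExecutionRole, wideSqsPolicy],
    permissionsBoundary: somePermissionBoundary }, action, resource);
}

console.log('question role, SendMessage us-east-1:', roleAsInQuestion('sqs:SendMessage', queueInUsEast1));
console.log('answer role,   SendMessage us-east-1:', roleAsInAnswer('sqs:SendMessage', queueInUsEast1));
console.log('wide policy,   SendMessage eu-west-1:', roleWithWideSqsPolicy('sqs:SendMessage', queueInEuWest1));
```

Run it with `node` and the first line prints `false`: the boundary allows sqs:* but nothing on the role's own side grants it, which is the AccessDenied in the question. The second prints `true` once the answer's policy is attached, and the third prints `false` because the boundary (not the identity policy) stops the call against a queue outside us-east-1. To check a real role rather than this model, `aws iam simulate-principal-policy --policy-source-arn <role-arn> --action-names sqs:SendMessage --resource-arns <queue-arn>` evaluates the boundary together with the attached policies.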

  • Is there any SAM template reference example with a lambda that adds the policy? (2 upvotes)