SQS Queue with Cross-Account Lambda Trigger

Question

I'm trying to set up an SQS queue with a Lambda trigger that uses a function in another AWS account.

I'm not sure why I'm getting this error when I set up the Lambda trigger:
[screenshot of the error; the image was not captured on this page]

I suspect it's due to the following:

  1. The role I'm using (accessing and modifying resources via the console) isn't allowed to set up the Lambda trigger. That feels odd to me, but maybe.
  2. Either the SQS permissions policy or the Lambda execution role is missing the permissions needed for this.

For more info here are those policies:

SQS Permission Policy:

{
  "Version": "2008-10-17",
  "Id": "arn:aws:sqs:eu-west-1:111111111111:crossaccount-sqs/SQSDefaultPolicy",
  "Statement": [
    {
      "Sid": "AllowedSQSPermissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::2222222222:role/service-role/test-print-role-vb8smvxi"
      },
      "Action": [
        "SQS:ReceiveMessage",
        "SQS:DeleteMessage",
        "SQS:GetQueueAttributes"
      ],
      "Resource": "arn:aws:sqs:eu-west-1:111111111111:sqs-lambda-demo"
    }
  ]
}

Lambda Execution Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "sqs:DeleteMessage",
                "sqs:ChangeMessageVisibility",
                "sqs:ReceiveMessage",
                "sqs:GetQueueAttributes",
                "logs:CreateLogGroup"
            ],
            "Resource": [
                "arn:aws:sqs:eu-west-1:111111111111:sqs-lambda-demo",
                "arn:aws:logs:eu-west-1:2222222222:*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:eu-west-1:2222222222:log-group:/aws/lambda/test-print:*"
        },
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "lambda:CreateEventSourceMapping"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Answer 1

Score: 0

The solution in case anyone is after it...

The issue is not the policies. The policies are fine. The issue is the location you try to do it from. Lambda triggers are weird within AWS. Despite being something you can set up in other locations, the trigger is an extension of the Lambda API, under EventSourceMapping. More than that, the trigger is an extension of the Lambda object, not the SQS queue. You can set up triggers at the Lambda as well as in other locations.
Here's what I think is happening:

Account A = Hosts Lambda
Account B = Hosts SQS

The Account A Lambda execution role is set up to allow the Lambda to access the Account B SQS queue.

The Account B SQS queue is set up to allow the Account A Lambda execution role, and so the Lambda, access. My admin role in Account B tries to create an EventSourceMapping config that uses my SQS queue and the Account A Lambda. Because there is nothing establishing my role's access to another account's resources, the error occurs. SQS queues don't have roles, they have resource-based policies. They can only enable things with their own resource, but they can't enable things with other resources. My role is being checked, and within Account B it's admin, but not in Account A. So we get the permission issue.

The solution:

In Account A, use the admin role in that account to create the EventSourceMapping config that enables my Lambda to use the Account B SQS queue as the source (go to the Lambda in the console and add the trigger there).

This has worked. Just tested it and it works fine now.
The AWS docs could be a lot clearer in this regard, but this was a definite learning experience.
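As an added example (not code from the original question or answer), the script below does the two things a practitioner would want before creating a cross-account SQS trigger: it checks that the queue policy in the SQS account and the execution role policy in the Lambda account both grant the three actions the Lambda poller needs on the queue ARN, and it refuses to call CreateEventSourceMapping unless the caller's credentials belong to the function's account, which is the mistake the answer describes. All account IDs, ARNs and policy documents are constructed placeholders modelled on the ones in the post; `create_mapping` takes a boto3 Session supplied by the caller and is not run offline.

```python
"""Pre-flight check for a cross-account SQS -> Lambda trigger.

Added example, not code from the original question or answer. Account IDs,
ARNs and the two policy documents are constructed placeholders modelled on the
ones in the post. The check only covers the two Allow grants the event source
mapping depends on; real IAM evaluation also applies Deny statements,
conditions, SCPs and permission boundaries, which are ignored here.
"""
from fnmatch import fnmatch

# Actions the Lambda service needs on the queue to poll it as an event source.
REQUIRED_ACTIONS = {"sqs:receivemessage", "sqs:deletemessage", "sqs:getqueueattributes"}

# Constructed placeholders: the queue lives in Account B, the function and its
# execution role in Account A (both IDs are 12-digit dummies).
QUEUE_ARN = "arn:aws:sqs:eu-west-1:111111111111:sqs-lambda-demo"
FUNCTION_ARN = "arn:aws:lambda:eu-west-1:222222222222:function:test-print"
ROLE_ARN = "arn:aws:iam::222222222222:role/service-role/test-print-role"

QUEUE_POLICY = {  # resource-based policy attached to the queue in Account B
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowLambdaRoleFromAccountA",
        "Effect": "Allow",
        "Principal": {"AWS": ROLE_ARN},
        "Action": ["SQS:ReceiveMessage", "SQS:DeleteMessage", "SQS:GetQueueAttributes"],
        "Resource": QUEUE_ARN,
    }],
}

EXECUTION_POLICY = {  # identity policy on the execution role in Account A
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage",
                   "sqs:GetQueueAttributes", "sqs:ChangeMessageVisibility"],
        "Resource": QUEUE_ARN,
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [] if value is None else [value]


def _arn_account(arn):
    return arn.split(":")[4]  # arn:partition:service:region:account-id:resource


def _principal_matches(stmt, role_arn):
    """Queue-policy principal must name the role, its account root, or '*'."""
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
    account = _arn_account(role_arn)
    return any(p in (role_arn, f"arn:aws:iam::{account}:root", account) for p in aws)


def _covered(statements, resource_arn, role_arn=None):
    """Required actions granted on resource_arn by the Allow statements (for a
    queue policy, only statements whose principal matches role_arn count)."""
    covered = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if role_arn is not None and not _principal_matches(stmt, role_arn):
            continue
        if not any(fnmatch(resource_arn, r) for r in _as_list(stmt.get("Resource"))):
            continue
        granted = [a.lower() for a in _as_list(stmt.get("Action"))]  # action names are case-insensitive
        covered |= {n for n in REQUIRED_ACTIONS if any(fnmatch(n, g) for g in granted)}
    return covered


def check_trigger(queue_policy, queue_arn, role_arn, execution_policy):
    """Return the list of missing grants; an empty list means both sides are in place."""
    problems = []
    missing = REQUIRED_ACTIONS - _covered(queue_policy["Statement"], queue_arn, role_arn)
    if missing:
        problems.append(f"queue policy in {_arn_account(queue_arn)} does not grant {sorted(missing)} to {role_arn}")
    missing = REQUIRED_ACTIONS - _covered(execution_policy["Statement"], queue_arn)
    if missing:
        problems.append(f"execution role policy does not grant {sorted(missing)} on {queue_arn}")
    return problems


def mapping_account(function_arn):
    """CreateEventSourceMapping is a Lambda API call, so the caller's credentials
    must belong to the function's account, not the queue's."""
    return _arn_account(function_arn)


def create_mapping(session, function_arn, queue_arn, batch_size=10):
    """Create the trigger with a boto3.Session for the function's account (region
    set on the session). Calling this with queue-account credentials is exactly
    the mistake the answer describes, so it is refused before any API call."""
    caller = session.client("sts").get_caller_identity()["Account"]
    if caller != mapping_account(function_arn):
        raise PermissionError(f"use credentials for account {mapping_account(function_arn)}, not {caller}")
    return session.client("lambda").create_event_source_mapping(
        EventSourceArn=queue_arn, FunctionName=function_arn, BatchSize=batch_size)


if __name__ == "__main__":
    for line in check_trigger(QUEUE_POLICY, QUEUE_ARN, ROLE_ARN, EXECUTION_POLICY) or ["policies OK"]:
        print(line)
    print("create the mapping from account", mapping_account(FUNCTION_ARN))
    # With real credentials (assumed profile name):
    # import boto3
    # create_mapping(boto3.Session(profile_name="account-a", region_name="eu-west-1"), FUNCTION_ARN, QUEUE_ARN)
```

The check deliberately evaluates only Allow grants on the queue ARN; a Deny anywhere in the chain, an SCP or a permission boundary would still break the trigger and is not modelled, so treat an empty result as "the two documented grants exist", not as a full IAM simulation.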

Posted by huangapple on 2023-07-03 16:20:55
Source (keep this link when reposting): https://go.coder-hub.com/76603007.html