这个SQS队列策略文档有什么问题?

huangapple go评论72阅读模式
英文:

What is wrong with this SQS Queue Policy Document

问题

我正在尝试创建一个带有访问权限的SQS队列,允许另一个AWS账户中的角色通过cloudformation使用此队列作为Lambda触发器。

我收到的错误是:

> 参数策略的值无效。(服务:AmazonSQS;状态码:400;错误代码:InvalidAttributeValue;请求ID:aa188680-cebc-5a3f-b3c1-db9ef554ae64;代理:null)

发生问题的资源是:
```yaml
  QueuePolicy:
    Type: AWS::SQS::QueuePolicy
    Properties: 
      PolicyDocument: 
        Statement:
        - Sid: EnableLambda
          Action:
          - sqs:DeleteMessage
          - sqs:GetQueueAttributes
          - sqs:ReceiveMessage
          Effect: Allow
          Resource: !GetAtt Queue.Arn
          Principal:
            AWS: !Sub arn:aws:iam::${LambdaAccountId}:role/${LambdaRoleName}
      Queues: 
        - !Ref Queue

我一直在为此苦苦挣扎,我做错了什么?


<details>
<summary>英文:</summary>

I&#39;m trying to create an SQS Queue with Access Permissions that allow a role in another AWS account the ability to use this Queue with a Lambda Trigger via cloudformation. 

The error I&#39;m getting is:

&gt; Invalid value for the parameter Policy. (Service: AmazonSQS; Status Code: 400; Error Code: InvalidAttributeValue; Request ID: aa188680-cebc-5a3f-b3c1-db9ef554ae64; Proxy: null)

The resource the issue is occurring on:

QueuePolicy:
Type: AWS::SQS::QueuePolicy
Properties:
PolicyDocument:
Statement:
- Sid: EnableLambda
Action:
- sqs:DeleteMessage
- sqs:GetQueueAttributes
- sqs:ReceiveMessage
Effect: Allow
Resource: !GetAtt Queue.Arn
Principal:
AWS: !Sub arn:aws:iam::${LambdaAccountId}:role/${LambdaRoleName}
Queues:
- !Ref Queue


I&#39;ve been banging my head against a brick wall on this. What am I doing wrong?


</details>


# 答案1
**得分**: 0

The value of the attribute "AWS" accepts a list of values.

The syntax should be:

QueuePolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
        PolicyDocument:
            Statement:
                - Sid: EnableLambda
                  Action:
                      - sqs:DeleteMessage
                      - sqs:GetQueueAttributes
                      - sqs:ReceiveMessage
                  Effect: Allow
                  Resource: !GetAtt Queue.Arn
                  Principal:
                      AWS:
                          - !Sub arn:aws:iam::${LambdaAccountId}:role/${LambdaRoleName}
          Queues:
              - !Ref Queue

<details>
<summary>英文:</summary>

The value of the attribute &quot;AWS&quot; accepts a list of values. 

The syntax should be:

    QueuePolicy:
        Type: AWS::SQS::QueuePolicy
        Properties: 
          PolicyDocument: 
            Statement:
             - Sid: EnableLambda
               Action:
                 - sqs:DeleteMessage
                 - sqs:GetQueueAttributes
                 - sqs:ReceiveMessage
              Effect: Allow
              Resource: !GetAtt Queue.Arn
              Principal:
                AWS: 
                 - !Sub arn:aws:iam::${LambdaAccountId}:role/${LambdaRoleName}
          Queues: 
            - !Ref Queue



</details>



# 答案2
**得分**: 0

问题的原因是在我创建这个权限文档之前,Lambda 角色需要存在。看起来 AWS 在接受文档之前会检查资源是否存在。我成功地将角色替换为已存在的角色,然后它正常工作了。然后,我改变了我的 CloudFormation(CFN)创建顺序,以便角色首先存在,这样就可以正常工作了。

<details>
<summary>英文:</summary>

The issue turned out to be that the Lambda role needed to exist before I created this permissions doc. It looks like AWS does do some sort of checking if the resource exists prior to accepting the doc. I was able to swap out the role for one that did exist and it worked fine. I then changed the order my cfn was creating this so that the role would exist first and it worked. 

</details>



huangapple
  • 本文由 发表于 2023年7月4日 23:35:09
  • 转载请务必保留本文链接:https://go.coder-hub.com/76614116.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定