英文:
What is wrong with this SQS Queue Policy Document
问题
我正在尝试创建一个带有访问权限的SQS队列,允许另一个AWS账户中的角色通过cloudformation使用此队列作为Lambda触发器。
我收到的错误是:
> 参数策略的值无效。(服务:AmazonSQS;状态码:400;错误代码:InvalidAttributeValue;请求ID:aa188680-cebc-5a3f-b3c1-db9ef554ae64;代理:null)
发生问题的资源是:
```yaml
QueuePolicy:
Type: AWS::SQS::QueuePolicy
Properties:
PolicyDocument:
Statement:
- Sid: EnableLambda
Action:
- sqs:DeleteMessage
- sqs:GetQueueAttributes
- sqs:ReceiveMessage
Effect: Allow
Resource: !GetAtt Queue.Arn
Principal:
AWS: !Sub arn:aws:iam::${LambdaAccountId}:role/${LambdaRoleName}
Queues:
- !Ref Queue
我一直在为此苦苦挣扎,我做错了什么?
<details>
<summary>英文:</summary>
I'm trying to create an SQS Queue with Access Permissions that allow a role in another AWS account the ability to use this Queue with a Lambda Trigger via cloudformation.
The error I'm getting is:
> Invalid value for the parameter Policy. (Service: AmazonSQS; Status Code: 400; Error Code: InvalidAttributeValue; Request ID: aa188680-cebc-5a3f-b3c1-db9ef554ae64; Proxy: null)
The resource the issue is occurring on:
QueuePolicy:
Type: AWS::SQS::QueuePolicy
Properties:
PolicyDocument:
Statement:
- Sid: EnableLambda
Action:
- sqs:DeleteMessage
- sqs:GetQueueAttributes
- sqs:ReceiveMessage
Effect: Allow
Resource: !GetAtt Queue.Arn
Principal:
AWS: !Sub arn:aws:iam::${LambdaAccountId}:role/${LambdaRoleName}
Queues:
- !Ref Queue
I've been banging my head against a brick wall on this. What am I doing wrong?
</details>
# 答案1
**得分**: 0
The value of the attribute "AWS" accepts a list of values.
The syntax should be:
QueuePolicy:
Type: AWS::SQS::QueuePolicy
Properties:
PolicyDocument:
Statement:
- Sid: EnableLambda
Action:
- sqs:DeleteMessage
- sqs:GetQueueAttributes
- sqs:ReceiveMessage
Effect: Allow
Resource: !GetAtt Queue.Arn
Principal:
AWS:
- !Sub arn:aws:iam::${LambdaAccountId}:role/${LambdaRoleName}
Queues:
- !Ref Queue
<details>
<summary>英文:</summary>
The value of the attribute "AWS" accepts a list of values.
The syntax should be:
QueuePolicy:
Type: AWS::SQS::QueuePolicy
Properties:
PolicyDocument:
Statement:
- Sid: EnableLambda
Action:
- sqs:DeleteMessage
- sqs:GetQueueAttributes
- sqs:ReceiveMessage
Effect: Allow
Resource: !GetAtt Queue.Arn
Principal:
AWS:
- !Sub arn:aws:iam::${LambdaAccountId}:role/${LambdaRoleName}
Queues:
- !Ref Queue
</details>
# 答案2
**得分**: 0
问题的原因是在我创建这个权限文档之前,Lambda 角色需要存在。看起来 AWS 在接受文档之前会检查资源是否存在。我成功地将角色替换为已存在的角色,然后它正常工作了。然后,我改变了我的 CloudFormation(CFN)创建顺序,以便角色首先存在,这样就可以正常工作了。
<details>
<summary>英文:</summary>
The issue turned out to be that the Lambda role needed to exist before I created this permissions doc. It looks like AWS does do some sort of checking if the resource exists prior to accepting the doc. I was able to swap out the role for one that did exist and it worked fine. I then changed the order my cfn was creating this so that the role would exist first and it worked.
</details>
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论