SNS主题权限的S3设置事件

时间:2016-06-29 01:25:26

标签: amazon-s3 amazon-sns

我正在尝试在S3存储桶上创建一个事件,这样每次创建一个新对象时,都会向SNS发送一条消息。

我做了一些研究,并将“ArnLike”:{“aws:SourceArn”:“arn:aws:s3::testBucket”}添加到目标主题的政策中。 testBucket是存储桶的名称

但是当我尝试创建事件时,它仍然显示“目标主题上的权限不允许S3发布来自此存储桶的通知”

有什么想法吗?非常感谢

6 个答案:

答案 0 :(得分:16)

解决问题,在添加条件行之前

"ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:testBucket"
        }

在默认语句中。 结果我必须创建一个包含发布操作的新语句。

{
      "Sid": "publish-from-s3",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:ap-southeast-2:XXXXXXXXXXXXXX:testTopicforS3",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:testBucket"
        }
      }
    }

答案 1 :(得分:0)

我认为您需要允许S3存储桶拥有者发布到您的主题。我通常首先通过允许每个人发布到主题然后稍后添加更多选择性策略详细信息来测试功能。

如果您在AWS控制台中选择了SNS主题,然后选择其他主题操作,并选择编辑主题策略,那么您将看到基本视图选项卡。在“#34;允许这些用户向此主题发布消息"”部分下,选择“所有人”并保存。接下来将事件添加到S3并验证基本事件发布是否有效。然后,您可以稍后使用“高级视图”锁定详细的策略更改。

答案 2 :(得分:0)

是的,在创建SNS之后,对其进行修改以添加一条语句(在默认语句之后):

{
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:Publish",
        "SNS:RemovePermission",
        "SNS:SetTopicAttributes",
        "SNS:DeleteTopic",
        "SNS:ListSubscriptionsByTopic",
        "SNS:GetTopicAttributes",
        "SNS:Receive",
        "SNS:AddPermission",
        "SNS:Subscribe"
      ],
      "Resource": "your sns arn"
    },
    {
      "Sid": "s3",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "SNS:Publish",
      "Resource": "your sns arn"
    }
  ]
}

答案 3 :(得分:0)

"Service": "s3.awsamazon.com"放在Principal内,而不是添加新语句。 看起来像这样:

  Statement: [
    {
      "Sid": "publish-from-s3",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com",  # ADD THIS!  
        "AWS": <AWS_Account_Name_for_Access>
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:ap-southeast-2:XXXXXXXXXXXXXX:testTopicforS3",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:*"  
        }
      }
    }
  ]

答案 4 :(得分:0)

    "Principal": 
    {
       "Service": "s3.amazonaws.com"
    }

&

 "ArnLike": 
          {
              "aws:SourceArn": "arn:aws:s3:*:*:Bucket_name"
          }

很重要。

答案 5 :(得分:0)

如果您希望帐户中的任何存储桶都能够发布或订阅主题(是的,这是一个更通用的解决方案,因此安全性较低,但如果您在尝试允许存储桶时遇到循环依赖问题为了能够发布到主题并将订阅从存储桶添加到主题,这将有所帮助):

            {
                "Id": "your-topic-policy-id",
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Sid": "statement-id",
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "s3.amazonaws.com"
                        },
                        "Action": ["sns:Publish", "sns:Subscribe"],
                        "Resource": "your-sns-topic-arn",
                        "Condition": {
                            "StringEquals": {
                                "AWS:SourceAccount": "account-id"
                            }
                        }
                    }
                ]
            }
相关问题
最新问题