Unable to configure SQS queue notifications in S3

Time: 2019-02-20 17:00:30

Tags: amazon-web-services amazon-s3 aws-sdk amazon-sqs

I created an SQS queue and added a policy under the "Permissions" tab that only allows users of my account to configure notifications.

Policy document

{
  "Version": "2012-10-17",
  "Id": "arn:aws:sqs:us-east-1:111111111111:sqsqueue/SQSDefaultPolicy",
  "Statement": [
    {
      "Sid": "Sid111111111111",
      "Effect": "Allow",
      "Principal": {
        "AWS": "111111111111"
      },
      "Action": [
        "sqs:SendMessage",
        "sqs:ReceiveMessage"
      ],
      "Resource": "arn:aws:sqs:us-east-1:111111111111:queue"
    }
  ]
}

When I navigate to S3 and try to configure an event notification for the queue above, it throws this error:

Unable to validate the following destination configurations. Permissions on the destination queue do not allow S3 to publish notifications from this bucket. (arn:aws:sqs:us-east-1:111111111111:queue)

Am I doing something wrong? Can anyone help me?

2 answers:

Answer 0 (score: 4)

I was able to solve this by adding "Service": "s3.amazonaws.com" under the Principal key.

Here is the policy document

{
  "Version": "2012-10-17",
  "Id": "arn:aws:sqs:us-east-1:111111111111:sqsqueue/SQSDefaultPolicy",
  "Statement": [
    {
      "Sid": "Sid111111111111",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": [
        "sqs:SendMessage",
        "sqs:ReceiveMessage"
      ],
      "Resource": "arn:aws:sqs:us-east-1:111111111111:queue"
    }
  ]
}

This is explained at https://forums.aws.amazon.com/thread.jspa?threadID=173251

Answer 1 (score: 0)

This template file creates a bucket, an SQS queue and a policy that connects the two:

AWSTemplateFormatVersion: 2010-09-09
Parameters:
  IncomingBucketName:
    Type: 'String'
    Description: 'Incoming Bucket Name'
    Default: 'some-bucket-name-here'
Resources:
  IncomingFileQueue:
    Type: 'AWS::SQS::Queue'
    Properties: {}
  SQSQueuePolicy:
    Type: 'AWS::SQS::QueuePolicy'
    Properties:
      PolicyDocument:
        Id: 'MyQueuePolicy'
        Version: '2012-10-17'
        Statement:
          - Sid: 'Statement-id'
            Effect: 'Allow'
            Principal:
              AWS: "*"
            Action: 'sqs:SendMessage'
            Resource:
              Fn::GetAtt: [ IncomingFileQueue, Arn ]
      Queues:
        - Ref: IncomingFileQueue
  IncomingFileBucket:
    Type: 'AWS::S3::Bucket'
    DependsOn:
      - SQSQueuePolicy
      - IncomingFileQueue
    Properties:
      AccessControl: BucketOwnerFullControl
      BucketName:
        Ref: IncomingBucketName
      NotificationConfiguration:
        QueueConfigurations:
          - Event:
              s3:ObjectCreated:Put
            Queue:
              Fn::GetAtt: [ IncomingFileQueue, Arn ]

I ran into the same problem, but used this page to work out how to wire the three resources together so the stack deploys successfully: https://aws.amazon.com/premiumsupport/knowledge-center/unable-validate-destination-s3/

Since the table suggested in the link above does not apply to SQS, I am still researching "policy conditions". As it stands, the template above is insecure and should not be used in production, because it allows anyone to add messages to the queue.

I will update this answer once I figure it out...
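An added example, not taken from either answer, of the hardened queue policy both answers circle around: it keeps the "Service": "s3.amazonaws.com" principal from answer 0 and adds the aws:SourceArn / aws:SourceAccount conditions that answer 1 was still looking for, plus a check that flags the unconditioned wildcard principal used in the CloudFormation template. The account ID, queue ARN and bucket ARN are constructed placeholders.

```python
# Constructed placeholder identifiers; they are not real resources.
ACCOUNT_ID = "111111111111"
QUEUE_ARN = "arn:aws:sqs:us-east-1:111111111111:queue"
BUCKET_ARN = "arn:aws:s3:::example-incoming-bucket"


def s3_notification_queue_policy(queue_arn, bucket_arn, account_id):
    """Queue policy that lets the S3 service deliver event notifications,
    but only on behalf of one bucket owned by one account.
    aws:SourceArn / aws:SourceAccount are the condition keys S3 sets when it
    publishes to SQS, so other people's buckets cannot use this statement."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowS3BucketNotifications",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "sqs:SendMessage",
            "Resource": queue_arn,
            "Condition": {
                "ArnLike": {"aws:SourceArn": bucket_arn},
                "StringEquals": {"aws:SourceAccount": account_id},
            },
        }],
    }


def find_open_send_statements(policy):
    """Return the Sids of Allow statements that grant sqs:SendMessage to a
    wildcard principal with no Condition, i.e. the pattern in the
    CloudFormation template above that lets anyone enqueue messages."""
    open_sids = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        sends = any(a in ("sqs:*", "sqs:SendMessage", "*") for a in actions)
        if wildcard and sends and not stmt.get("Condition"):
            open_sids.append(stmt.get("Sid", "<no Sid>"))
    return open_sids
```

Paste the dict from s3_notification_queue_policy (as JSON) into the queue's access policy, or use it as PolicyDocument in the AWS::SQS::QueuePolicy resource in place of the AWS: "*" statement.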