我似乎无法弄清楚是什么原因导致了此失败。我提到了一个article。谁能告诉我什么可能导致此错误?
AllowSNS2SQSPolicy:
Type: AWS::SQS::QueuePolicy
Properties:
Queues: [ !Ref SQSQueue ]
PolicyDocument:
Version: "2012-10-17"
Id: SQSPolicy
Statement:
- Sid: Allow-SNS-SendMessage
Effect: Allow
Principal:
AWS:
- 'arn:aws:ecs:${AWS::Region}:${AWS::AccountId:}:cluster/foo'
Action:
- 'sqs:SendMessage'
- 'sqs:ReceiveMessage'
Resource: !GetAtt [SQSQueue, Arn]
错误消息:
Invalid value for parameter Policy. (Service: AmazonSQS; Status Code: 400, Error Code: InvalidAttributeValue...
答案 0 :(得分:1)
这应该解决它:
AllowSNS2SQSPolicy:
Type: AWS::SQS::QueuePolicy
Properties:
Queues: [ !Ref SQSQueue ]
PolicyDocument:
Version: "2012-10-17"
Id: SQSPolicy
Statement:
- Sid: Allow-SNS-SendMessage
Effect: Allow
Principal:
AWS:'arn:aws:ecs:${AWS::Region}:${AWS::AccountId:}:cluster/foo'
Action:
- 'sqs:SendMessage'
- 'sqs:ReceiveMessage'
Resource: !GetAtt [SQSQueue, Arn]
答案 1 :(得分:0)
不确定您是否已解决问题,但这也许会对其他人有所帮助。
我遇到了这个问题,并且通过允许任何用户访问资源来解决了这个问题。我不知道为什么,但是当指定Principal时,我无法使Json策略正常工作吗?除了Principal: "*" ...
即使您允许所有人访问资源,您仍然可以使用Condition来限制对资源的访问。
AllowSNS2SQSPolicy:
Type: AWS::SQS::QueuePolicy
Properties:
Queues: [ !Ref SQSQueue ]
PolicyDocument:
Version: "2012-10-17"
Id: SQSPolicy
Statement:
- Sid: Allow-SNS-SendMessage
Effect: Allow
Principal: '*'
Action:
- 'sqs:SendMessage'
- 'sqs:ReceiveMessage'
Resource: !GetAtt [SQSQueue, Arn]
Condition:
ArnEquals:
aws:SourceArn: !GetAtt YourEcsClusterResource.Arn
以下是一些文档对我的帮助:https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-basic-examples-of-sqs-policies.html
答案 2 :(得分:-1)
我的第一个愚蠢错误:我写了
"Principal": <my ARN>
代替
"Principal": {
"AWS": <my ARN>
}
第二个错误,不是那么愚蠢:我尝试使用lambda arn作为主体,但不得不使用lambda role arn。因此,对于原始问题,我建议不要使用ecs arn,而要使用ecs角色arn。