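I used the following policy on the SNS topic so that I can subscribe to this SNS topic from a Lambda in account number 222222222222. I also gave my Lambda access with a similar policy, which I added to the Lambda's execution role.
I get the following error:
An error occurred when creating the trigger: User: arn:aws:sts::222222222222:assumed-role/TSI_Base_FullAccess/AXXXXXXXX is not authorized to perform: SNS:Subscribe on resource: arn:aws:sns:eu-west-1:111111111111:Story-5555 (Service: AmazonSNS; Status Code: 403; Error Code: AuthorizationError; Request ID: 1321942c-25c4-52a1-bacb-c2e9bd641067)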
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1582008007178",
      "Action": [
        "sns:GetSubscriptionAttributes",
        "sns:GetTopicAttributes",
        "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTagsForResource",
        "sns:ListTopics",
        "sns:Publish",
        "sns:Subscribe"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:sns:eu-west-1:111111111111:Story-5555",
      "Condition": {
        "ArnEquals": {
          "aws:PrincipalArn": "arn:aws:lambda:eu-west-1:222222222222:function:New_Cross_SNS"
        }
      }
    }
  ]
}
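Answer 0 (score: 0)
According to the AWS Documentation, you should additionally specify the Principal, outside of the condition.
So your policy should look something like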
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1582008007178",
      "Action": [
        "sns:GetSubscriptionAttributes",
        "sns:GetTopicAttributes",
        "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTagsForResource",
        "sns:ListTopics",
        "sns:Publish",
        "sns:Subscribe"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:sns:eu-west-1:111111111111:Story-5555",
      "Principal": {
        "AWS": ["222222222222"]
      },
      "Condition": {
        "ArnEquals": {
          "aws:PrincipalArn": [
            "arn:aws:lambda:eu-west-1:222222222222:function:New_Cross_SNS",
            "arn:aws:sts::222222222222:assumed-role/TSI_Base_FullAccess/AXXXXXXXX"
          ]
        }
      }
    }
  ]
}
A way to make sure which ARN to specify in the condition section of the policy is to call (and print) the get-caller-identity API from within your function.
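An offline check for the two points this thread turns on, added here as an example and not part of the original question or answer: it flags a topic-policy statement that has no `Principal`, and flags `aws:PrincipalArn` values that cannot match the caller. It relies on IAM's documented behaviour that, for an assumed-role session, `aws:PrincipalArn` holds the role ARN rather than the session ARN that get-caller-identity prints; `principal_arn_for` and `lint_topic_policy` are hypothetical helper names, and the policy is a constructed copy of the question's, trimmed to one action.

```python
import json
import re

# Constructed input: the question's topic policy, trimmed to one action.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Stmt1582008007178",
    "Effect": "Allow",
    "Action": ["sns:Subscribe"],
    "Resource": "arn:aws:sns:eu-west-1:111111111111:Story-5555",
    "Condition": {"ArnEquals": {"aws:PrincipalArn":
      "arn:aws:lambda:eu-west-1:222222222222:function:New_Cross_SNS"}}
  }]
}""")

# Shape of the Arn that get-caller-identity returns for a role session.
SESSION = re.compile(r"^arn:(aws[\w-]*):sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")

def principal_arn_for(caller_arn):
    """Map the get-caller-identity Arn to the value aws:PrincipalArn holds.
    The session ARN drops any role path, so a role with a path needs it re-added."""
    m = SESSION.match(caller_arn)
    if not m:
        return caller_arn  # IAM user and root ARNs are compared as-is
    partition, account, role = m.groups()
    return f"arn:{partition}:iam::{account}:role/{role}"

def lint_topic_policy(policy):
    """Return (sid, finding) pairs for a resource-based policy document."""
    findings = []
    stmts = policy["Statement"]
    for st in stmts if isinstance(stmts, list) else [stmts]:
        sid = st.get("Sid", "<no Sid>")
        if "Principal" not in st and "NotPrincipal" not in st:
            findings.append((sid, "missing Principal element"))
        for keys in st.get("Condition", {}).values():
            for key, value in keys.items():
                if key.lower() != "aws:principalarn":  # key names are case-insensitive
                    continue
                for arn in [value] if isinstance(value, str) else value:
                    service = (arn.split(":") + [""] * 3)[2]
                    if service not in ("iam", "sts"):
                        findings.append((sid, f"{arn} is not an IAM principal ARN"))
                    elif SESSION.match(arn):
                        findings.append((sid, f"session ARN; use {principal_arn_for(arn)}"))
    return findings

for sid, finding in lint_topic_policy(POLICY):
    print(sid, "-", finding)
```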