无法以编程方式授予对 SQS 队列的 SNS 主题权限
Unable to give SNS topic permission on a SQS queue programmatically
我尝试启用 SNS 主题以使用 .NET 客户端将消息发送到给定的 SQS 队列:
var policy = new Policy()
{
Statements = new List<Statement>() {
new Statement(Statement.StatementEffect.Allow) {
Principals = new List<Principal>() { Principal.AllUsers },
Actions = new List<ActionIdentifier>() { SQSActionIdentifiers.SendMessage },
Conditions = new List<Condition>
{
ConditionFactory.NewCondition(ConditionFactory.ArnComparisonType.ArnEquals, "aws:SourceArn", topicArn)
}
}
}
};
var request = new SetQueueAttributesRequest()
{
QueueUrl = queueUrl,
Attributes = new Dictionary<string, string>
{
{ QueueAttributeName.Policy, policy.ToJson()}
}
};
sqs.SetQueueAttributes(request);
这会生成一个无效的策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "<sid>",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "sqs:SendMessage",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "arn:aws:sns:us-west-2:<id>:testTopic2"
}
}
}
]
}
但是,如果我删除此策略并手动添加它,它会起作用,并且看起来几乎相同,但有一些差异:
{
"Version": "2012-10-17",
"Id": "arn:aws:sqs:us-west-2:<id>:testQueue2/SQSDefaultPolicy",
"Statement": [
{
"Sid": "<sid2>",
"Effect": "Allow",
"Principal": "*",
"Action": "SQS:SendMessage",
"Resource": "arn:aws:sqs:us-west-2:<id>:testQueue2",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "arn:aws:sns:us-west-2:<id>:testTopic2"
}
}
}
]
}
程序化的:
- 缺少
Id.
- 说
"Principal" : "{ AWS: "*"} 而不是 "Principal" : "*"。
我尝试将 Id 和主体设置为自定义的,但我只收到 HTTP 400。
使用 .NET 客户端授予 SNS 主题权限以将消息发送到 SQS 队列的正确方法是什么?
您的代码生成的 JSON 中缺少的最重要部分是
"Resource": "arn:aws:sqs:us-west-2:<id>:testQueue2"
如果不指定资源,IAM 无法判断您授予访问权限的资源。
然后你可以像这样添加一个资源对象:
new Statement(Statement.StatementEffect.Allow) {
Principals = new List<Principal>() { Principal.AllUsers },
Resources = new List<Principal>() { new Resource("arn:aws:sqs:us-west-2:<id>:testQueue2") }
....
(我不是 C# 专业人士,所以语法可能有误,但你已经明白了。)
我尝试启用 SNS 主题以使用 .NET 客户端将消息发送到给定的 SQS 队列:
var policy = new Policy()
{
Statements = new List<Statement>() {
new Statement(Statement.StatementEffect.Allow) {
Principals = new List<Principal>() { Principal.AllUsers },
Actions = new List<ActionIdentifier>() { SQSActionIdentifiers.SendMessage },
Conditions = new List<Condition>
{
ConditionFactory.NewCondition(ConditionFactory.ArnComparisonType.ArnEquals, "aws:SourceArn", topicArn)
}
}
}
};
var request = new SetQueueAttributesRequest()
{
QueueUrl = queueUrl,
Attributes = new Dictionary<string, string>
{
{ QueueAttributeName.Policy, policy.ToJson()}
}
};
sqs.SetQueueAttributes(request);
这会生成一个无效的策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "<sid>",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "sqs:SendMessage",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "arn:aws:sns:us-west-2:<id>:testTopic2"
}
}
}
]
}
但是,如果我删除此策略并手动添加它,它会起作用,并且看起来几乎相同,但有一些差异:
{
"Version": "2012-10-17",
"Id": "arn:aws:sqs:us-west-2:<id>:testQueue2/SQSDefaultPolicy",
"Statement": [
{
"Sid": "<sid2>",
"Effect": "Allow",
"Principal": "*",
"Action": "SQS:SendMessage",
"Resource": "arn:aws:sqs:us-west-2:<id>:testQueue2",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "arn:aws:sns:us-west-2:<id>:testTopic2"
}
}
}
]
}
程序化的:
- 缺少
Id. - 说
"Principal" : "{ AWS: "*"}而不是"Principal" : "*"。
我尝试将 Id 和主体设置为自定义的,但我只收到 HTTP 400。
使用 .NET 客户端授予 SNS 主题权限以将消息发送到 SQS 队列的正确方法是什么?
您的代码生成的 JSON 中缺少的最重要部分是
"Resource": "arn:aws:sqs:us-west-2:<id>:testQueue2"
如果不指定资源,IAM 无法判断您授予访问权限的资源。
然后你可以像这样添加一个资源对象:
new Statement(Statement.StatementEffect.Allow) {
Principals = new List<Principal>() { Principal.AllUsers },
Resources = new List<Principal>() { new Resource("arn:aws:sqs:us-west-2:<id>:testQueue2") }
....
(我不是 C# 专业人士,所以语法可能有误,但你已经明白了。)