为什么这个 SQSQueuePolicy 在 AWS CloudFormation 中创建失败?
Why does this SQSQueuePolicy fail to create in AWS CloudFormation?
我创建了以下 CloudFormation 模板:
AWSTemplateFormatVersion: 2010-09-09
Description: Creates all resources necessary to send SES emails & track bounces/complaints through AWS
Resources:
IAMUser:
Type: 'AWS::IAM::User'
Properties:
UserName: iam-ses-sqs
SQSQueue:
Type: 'AWS::SQS::Queue'
Properties:
QueueName: ses-queue
SNSTopic:
Type: 'AWS::SNS::Topic'
Properties:
TopicName: sns-notifications
IAMUserPolicy:
Type: 'AWS::IAM::Policy'
Properties:
PolicyName: IAM_Send_SES_Email
PolicyDocument:
Statement:
- Effect: Allow
Action:
- 'SES:SendEmail'
- 'SES:SendRawEmail'
Resource: 'arn:aws:ses:*:*:identity/*'
Users:
- !Ref IAMUser
SQSQueuePolicy:
Type: 'AWS::SQS::QueuePolicy'
Properties:
Queues:
- !Ref SQSQueue
PolicyDocument:
Statement:
- Action:
- 'SQS:ReceiveMessage'
- 'SQS:DeleteMessage'
- 'SQS:GetQueueAttributes'
Effect: Allow
Resource: !Ref SQSQueue
Principal:
AWS:
- !Ref IAMUser
SNSTopicSubscription:
Type: 'AWS::SNS::Subscription'
Properties:
Protocol: SQS
Endpoint: !GetAtt
- SQSQueue
- Arn
TopicArn: !Ref SNSTopic
我想允许 IAMUser 对 SQSQueue 资源执行 SQS ReceiveMessage、DeleteMessage 和 GetQueueAttributes 操作。 SQSQueue 也应该订阅 SNSTopic。
在 CloudFormation 中使用此模板创建堆栈时,SQSQueue、SNSTopic、SNSTopicSubscription、IAMUser 和 IAMUserPolicy 都按此顺序毫无问题地创建。但是,SQSQueuePolicy 无法创建并生成错误消息:
Invalid value for the parameter Policy. (Service: AmazonSQS; Status Code: 400; Error Code: InvalidAttributeValue; Request ID: {request id})
为什么会失败,我应该如何修改模板以确保成功创建所有资源及其关联的 policies/subscriptions?
以下将return排队URL,而不是ARN:
Resource: !Ref SQSQueue
但您需要在策略中使用queue ARN:
Resource: !GetAtt SQSQueue.Arn
我在您的 CloudFormation 模板中发现了两个问题。
第一个,如 Marcin 所说,资源引用必须是 Queue ARN 而不是 Queue URL。
Resource: !GetAtt SQSQueue.Arn
第二个是您的 AWS 参考与您的 IAM 用户有关,但它必须是账户 ID。
Principal:
AWS:
- !Ref 'AWS::AccountId'
也就是说,我能够使用此 CloudFormation 模板在我的帐户中成功创建 CloudFormation 堆栈:
AWSTemplateFormatVersion: 2010-09-09
Description: Creates all resources necessary to send SES emails & track bounces/complaints through AWS
Resources:
IAMUser:
Type: 'AWS::IAM::User'
Properties:
UserName: iam-ses-sqs
SQSQueue:
Type: 'AWS::SQS::Queue'
Properties:
QueueName: ses-queue
SQSQueuePolicy:
Type: 'AWS::SQS::QueuePolicy'
Properties:
Queues:
- !Ref SQSQueue
PolicyDocument:
Statement:
- Action:
- 'SQS:ReceiveMessage'
- 'SQS:DeleteMessage'
- 'SQS:GetQueueAttributes'
Effect: Allow
Resource: !GetAtt SQSQueue.Arn
Principal:
AWS:
- !Ref 'AWS::AccountId'
我创建了以下 CloudFormation 模板:
AWSTemplateFormatVersion: 2010-09-09
Description: Creates all resources necessary to send SES emails & track bounces/complaints through AWS
Resources:
IAMUser:
Type: 'AWS::IAM::User'
Properties:
UserName: iam-ses-sqs
SQSQueue:
Type: 'AWS::SQS::Queue'
Properties:
QueueName: ses-queue
SNSTopic:
Type: 'AWS::SNS::Topic'
Properties:
TopicName: sns-notifications
IAMUserPolicy:
Type: 'AWS::IAM::Policy'
Properties:
PolicyName: IAM_Send_SES_Email
PolicyDocument:
Statement:
- Effect: Allow
Action:
- 'SES:SendEmail'
- 'SES:SendRawEmail'
Resource: 'arn:aws:ses:*:*:identity/*'
Users:
- !Ref IAMUser
SQSQueuePolicy:
Type: 'AWS::SQS::QueuePolicy'
Properties:
Queues:
- !Ref SQSQueue
PolicyDocument:
Statement:
- Action:
- 'SQS:ReceiveMessage'
- 'SQS:DeleteMessage'
- 'SQS:GetQueueAttributes'
Effect: Allow
Resource: !Ref SQSQueue
Principal:
AWS:
- !Ref IAMUser
SNSTopicSubscription:
Type: 'AWS::SNS::Subscription'
Properties:
Protocol: SQS
Endpoint: !GetAtt
- SQSQueue
- Arn
TopicArn: !Ref SNSTopic
我想允许 IAMUser 对 SQSQueue 资源执行 SQS ReceiveMessage、DeleteMessage 和 GetQueueAttributes 操作。 SQSQueue 也应该订阅 SNSTopic。
在 CloudFormation 中使用此模板创建堆栈时,SQSQueue、SNSTopic、SNSTopicSubscription、IAMUser 和 IAMUserPolicy 都按此顺序毫无问题地创建。但是,SQSQueuePolicy 无法创建并生成错误消息:
Invalid value for the parameter Policy. (Service: AmazonSQS; Status Code: 400; Error Code: InvalidAttributeValue; Request ID: {request id})
为什么会失败,我应该如何修改模板以确保成功创建所有资源及其关联的 policies/subscriptions?
以下将return排队URL,而不是ARN:
Resource: !Ref SQSQueue
但您需要在策略中使用queue ARN:
Resource: !GetAtt SQSQueue.Arn
我在您的 CloudFormation 模板中发现了两个问题。
第一个,如 Marcin 所说,资源引用必须是 Queue ARN 而不是 Queue URL。
Resource: !GetAtt SQSQueue.Arn
第二个是您的 AWS 参考与您的 IAM 用户有关,但它必须是账户 ID。
Principal:
AWS:
- !Ref 'AWS::AccountId'
也就是说,我能够使用此 CloudFormation 模板在我的帐户中成功创建 CloudFormation 堆栈:
AWSTemplateFormatVersion: 2010-09-09
Description: Creates all resources necessary to send SES emails & track bounces/complaints through AWS
Resources:
IAMUser:
Type: 'AWS::IAM::User'
Properties:
UserName: iam-ses-sqs
SQSQueue:
Type: 'AWS::SQS::Queue'
Properties:
QueueName: ses-queue
SQSQueuePolicy:
Type: 'AWS::SQS::QueuePolicy'
Properties:
Queues:
- !Ref SQSQueue
PolicyDocument:
Statement:
- Action:
- 'SQS:ReceiveMessage'
- 'SQS:DeleteMessage'
- 'SQS:GetQueueAttributes'
Effect: Allow
Resource: !GetAtt SQSQueue.Arn
Principal:
AWS:
- !Ref 'AWS::AccountId'