访问资源 https://sqs.us-east-1.amazonaws.com/ 被拒绝
Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied
有很多人提到过这个错误,但我们的情况略有不同。下面给出我们的完整配置:
下面是为lambda(AWS::Serverless::Function
)创建的执行角色:
{
"permissionsBoundary": {
"permissionsBoundaryArn": "arn:aws:iam::111222333444:policy/some-permission-boundary",
"permissionsBoundaryType": "Policy"
},
"roleName": "some-role-WebhookSampleFunctionRol-6Z7GFHJYHO0T",
"policies": [
{
"document": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "*"
}
]
},
"name": "AWSLambdaBasicExecutionRole",
"id": "ANDDDDDC42545SKXIK",
"type": "managed",
"arn": "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}
],
"trustedEntities": [
"lambda.amazonaws.com"
]
}
其中权限边界策略 some-permission-boundary 的内容是:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:us-east-1:111222333444:log-group:*"
],
"Effect": "Allow",
},
{
"Action": [
"sqs:*"
],
"Resource": [
"arn:aws:sqs:us-east-1:*:*"
],
"Effect": "Allow",
}
]
}
lambda 执行以下操作:
// Publishes `message` (JSON-serialised) to the SQS queue whose URL is taken
// from the `queueUrl` environment variable.
//
// Resolves with no value once the SDK callback reports success and rejects
// with the SDK error otherwise. `sqs` is an SQS client created elsewhere in
// this module; the Lambda's execution role therefore needs sqs:SendMessage on
// that queue for the call to succeed.
async function sendToQueue(message) {
  const request = {
    QueueUrl: process.env.queueUrl,
    MessageBody: JSON.stringify(message)
  };
  return new Promise(function (resolve, reject) {
    sqs.sendMessage(request, function (err) {
      if (err) {
        reject(err);
      } else {
        resolve();
      }
    });
  });
}
出现错误:
"errorMessage": "Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied.",
"errorType": "AccessDenied",
我们已经在 some-permission-boundary 中对所有帐户的任意队列(arn:aws:sqs:us-east-1:*:*)允许了 sqs:* 操作,为什么 lambda 仍然无法向队列发送消息?
权限边界是一项高级功能,用于使用托管策略设置基于身份的策略可以授予 IAM 实体的最大权限。
设置了权限边界的实体只能执行其基于身份的策略和权限边界都允许的操作。
来源:https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
您确实在权限边界中包含了 sqs:*,但权限边界本身不授予任何权限,它只是一个上限:有效权限是权限边界与基于身份的策略的交集。您的 lambda 执行角色只附加了 AWSLambdaBasicExecutionRole(仅包含三个 logs: 操作),没有任何 sqs 操作,因此请求被拒绝。
您应该为 lambda 执行角色附加一个授予 sqs 权限的策略,例如下面这样。两点注意:(1) 下面示例中 "Effect": "Allow" 后面的逗号是多余的,严格的 JSON 解析器会拒绝它,保存前请删除;(2) 从最小权限的角度,生产环境应把 Action 收窄为 sqs:SendMessage,并把 Resource 收窄为 process.env.queueUrl 对应的那一个队列 ARN,而不是所有帐户的所有队列。另外,如果目标队列位于另一个帐户,仅靠本帐户的身份策略和权限边界还不够,该队列的资源策略也必须允许此角色(或本帐户)调用 sqs:SendMessage。
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sqs:*"
],
"Resource": [
"arn:aws:sqs:us-east-1:*:*"
],
"Effect": "Allow",
}
]
}
我遇到了同样的错误,但场景是 Serverless Framework 部署。控制台抛出的错误是:
`API: sqs:CreateQueue Access to the resource https://sqs.eu-west-1.amazonaws.com/ is denied.`
注意这里被拒绝的是 sqs:CreateQueue——它发生在部署阶段(CloudFormation 创建队列时),缺的是部署角色的权限,而不是 lambda 执行角色的运行时权限。我在 Serverless 部署所用的自定义角色中补充了权限;下面是我给这个部署角色使用的策略(希望能帮到你):
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"apigateway:*",
"cloudformation:CancelUpdateStack",
"cloudformation:ContinueUpdateRollback",
"cloudformation:CreateChangeSet",
"cloudformation:CreateStack",
"cloudformation:CreateUploadBucket",
"cloudformation:DeleteStack",
"cloudformation:Describe*",
"cloudformation:EstimateTemplateCost",
"cloudformation:ExecuteChangeSet",
"cloudformation:Get*",
"cloudformation:List*",
"cloudformation:UpdateStack",
"cloudformation:UpdateTerminationProtection",
"cloudformation:ValidateTemplate",
"dynamodb:CreateTable",
"dynamodb:DeleteTable",
"dynamodb:DescribeTable",
"dynamodb:DescribeTimeToLive",
"dynamodb:UpdateTimeToLive",
"ec2:AttachInternetGateway",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateInternetGateway",
"ec2:CreateNetworkAcl",
"ec2:CreateNetworkAclEntry",
"ec2:CreateRouteTable",
"ec2:CreateSecurityGroup",
"ec2:CreateSubnet",
"ec2:CreateTags",
"ec2:CreateVpc",
"ec2:DeleteInternetGateway",
"ec2:DeleteNetworkAcl",
"ec2:DeleteNetworkAclEntry",
"ec2:DeleteRouteTable",
"ec2:DeleteSecurityGroup",
"ec2:DeleteSubnet",
"ec2:DeleteVpc",
"ec2:Describe*",
"ec2:DetachInternetGateway",
"ec2:ModifyVpcAttribute",
"events:DeleteRule",
"events:DescribeRule",
"events:ListRuleNamesByTarget",
"events:ListRules",
"events:ListTargetsByRule",
"events:PutRule",
"events:PutTargets",
"events:RemoveTargets",
"iam:AttachRolePolicy",
"iam:CreateRole",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:GetRole",
"iam:PassRole",
"iam:PutRolePolicy",
"iot:CreateTopicRule",
"iot:DeleteTopicRule",
"iot:DisableTopicRule",
"iot:EnableTopicRule",
"iot:ReplaceTopicRule",
"kinesis:CreateStream",
"kinesis:DeleteStream",
"kinesis:DescribeStream",
"lambda:*",
"logs:CreateLogGroup",
"logs:DeleteLogGroup",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:FilterLogEvents",
"logs:GetLogEvents",
"logs:PutLogEvents",
"logs:PutSubscriptionFilter",
"logs:CreateLogStream",
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteBucketPolicy",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:PutBucketNotification",
"s3:PutBucketPolicy",
"s3:PutBucketTagging",
"s3:PutBucketWebsite",
"s3:PutEncryptionConfiguration",
"s3:PutObject",
"sns:CreateTopic",
"sns:DeleteTopic",
"sns:GetSubscriptionAttributes",
"sns:GetTopicAttributes",
"sns:ListSubscriptions",
"sns:ListSubscriptionsByTopic",
"sns:ListTopics",
"sns:SetSubscriptionAttributes",
"sns:SetTopicAttributes",
"sns:Subscribe",
"sns:Unsubscribe",
"sqs:CreateQueue",
"sqs:ReceiveMessage",
"sqs:DeleteMessage",
"sqs:GetQueueAttributes",
"states:CreateStateMachine",
"states:DeleteStateMachine"
],
"Effect": "Allow",
"Resource": "*"
}
]}
这组权限(其中原本没有任何 sqs:* 操作,因此我额外加上了所需的 sqs 操作)取自 Serverless Framework 文档的推荐。安全提示:上面的策略对 Resource "*" 授予了 iam:CreateRole、iam:AttachRolePolicy、iam:PutRolePolicy 和 iam:PassRole,持有它的部署主体可以创建并附加任意策略的角色,实际上等同于帐户管理员权限。若要收紧,至少应通过 iam:PermissionsBoundary 条件强制新建角色必须带有权限边界,并把 iam:PassRole 的 Resource 限定到具体的角色 ARN。
有很多人提到过这个错误,但我们的情况略有不同。下面给出我们的完整配置:
下面是为lambda(AWS::Serverless::Function
)创建的执行角色:
{
"permissionsBoundary": {
"permissionsBoundaryArn": "arn:aws:iam::111222333444:policy/some-permission-boundary",
"permissionsBoundaryType": "Policy"
},
"roleName": "some-role-WebhookSampleFunctionRol-6Z7GFHJYHO0T",
"policies": [
{
"document": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "*"
}
]
},
"name": "AWSLambdaBasicExecutionRole",
"id": "ANDDDDDC42545SKXIK",
"type": "managed",
"arn": "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}
],
"trustedEntities": [
"lambda.amazonaws.com"
]
}
其中权限边界策略 some-permission-boundary 的内容是:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:us-east-1:111222333444:log-group:*"
],
"Effect": "Allow",
},
{
"Action": [
"sqs:*"
],
"Resource": [
"arn:aws:sqs:us-east-1:*:*"
],
"Effect": "Allow",
}
]
}
lambda 执行以下操作:
// Publishes `message` (JSON-serialised) to the SQS queue whose URL is taken
// from the `queueUrl` environment variable.
//
// Resolves with no value once the SDK callback reports success and rejects
// with the SDK error otherwise. `sqs` is an SQS client created elsewhere in
// this module; the Lambda's execution role therefore needs sqs:SendMessage on
// that queue for the call to succeed.
async function sendToQueue(message) {
  const request = {
    QueueUrl: process.env.queueUrl,
    MessageBody: JSON.stringify(message)
  };
  return new Promise(function (resolve, reject) {
    sqs.sendMessage(request, function (err) {
      if (err) {
        reject(err);
      } else {
        resolve();
      }
    });
  });
}
出现错误:
"errorMessage": "Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied.",
"errorType": "AccessDenied",
我们已经在 some-permission-boundary 中对所有帐户的任意队列(arn:aws:sqs:us-east-1:*:*)允许了 sqs:* 操作,为什么 lambda 仍然无法向队列发送消息?
权限边界是一项高级功能,用于使用托管策略设置基于身份的策略可以授予 IAM 实体的最大权限。
设置了权限边界的实体只能执行其基于身份的策略和权限边界都允许的操作。
来源:https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
您确实在权限边界中包含了 sqs:*,但权限边界本身不授予任何权限,它只是一个上限:有效权限是权限边界与基于身份的策略的交集。您的 lambda 执行角色只附加了 AWSLambdaBasicExecutionRole(仅包含三个 logs: 操作),没有任何 sqs 操作,因此请求被拒绝。
您应该为 lambda 执行角色附加一个授予 sqs 权限的策略,例如下面这样。两点注意:(1) 下面示例中 "Effect": "Allow" 后面的逗号是多余的,严格的 JSON 解析器会拒绝它,保存前请删除;(2) 从最小权限的角度,生产环境应把 Action 收窄为 sqs:SendMessage,并把 Resource 收窄为 process.env.queueUrl 对应的那一个队列 ARN,而不是所有帐户的所有队列。另外,如果目标队列位于另一个帐户,仅靠本帐户的身份策略和权限边界还不够,该队列的资源策略也必须允许此角色(或本帐户)调用 sqs:SendMessage。
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sqs:*"
],
"Resource": [
"arn:aws:sqs:us-east-1:*:*"
],
"Effect": "Allow",
}
]
}
我遇到了同样的错误,但场景是 Serverless Framework 部署。控制台抛出的错误是:
`API: sqs:CreateQueue Access to the resource https://sqs.eu-west-1.amazonaws.com/ is denied.`
注意这里被拒绝的是 sqs:CreateQueue——它发生在部署阶段(CloudFormation 创建队列时),缺的是部署角色的权限,而不是 lambda 执行角色的运行时权限。我在 Serverless 部署所用的自定义角色中补充了权限;下面是我给这个部署角色使用的策略(希望能帮到你):
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"apigateway:*",
"cloudformation:CancelUpdateStack",
"cloudformation:ContinueUpdateRollback",
"cloudformation:CreateChangeSet",
"cloudformation:CreateStack",
"cloudformation:CreateUploadBucket",
"cloudformation:DeleteStack",
"cloudformation:Describe*",
"cloudformation:EstimateTemplateCost",
"cloudformation:ExecuteChangeSet",
"cloudformation:Get*",
"cloudformation:List*",
"cloudformation:UpdateStack",
"cloudformation:UpdateTerminationProtection",
"cloudformation:ValidateTemplate",
"dynamodb:CreateTable",
"dynamodb:DeleteTable",
"dynamodb:DescribeTable",
"dynamodb:DescribeTimeToLive",
"dynamodb:UpdateTimeToLive",
"ec2:AttachInternetGateway",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateInternetGateway",
"ec2:CreateNetworkAcl",
"ec2:CreateNetworkAclEntry",
"ec2:CreateRouteTable",
"ec2:CreateSecurityGroup",
"ec2:CreateSubnet",
"ec2:CreateTags",
"ec2:CreateVpc",
"ec2:DeleteInternetGateway",
"ec2:DeleteNetworkAcl",
"ec2:DeleteNetworkAclEntry",
"ec2:DeleteRouteTable",
"ec2:DeleteSecurityGroup",
"ec2:DeleteSubnet",
"ec2:DeleteVpc",
"ec2:Describe*",
"ec2:DetachInternetGateway",
"ec2:ModifyVpcAttribute",
"events:DeleteRule",
"events:DescribeRule",
"events:ListRuleNamesByTarget",
"events:ListRules",
"events:ListTargetsByRule",
"events:PutRule",
"events:PutTargets",
"events:RemoveTargets",
"iam:AttachRolePolicy",
"iam:CreateRole",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:GetRole",
"iam:PassRole",
"iam:PutRolePolicy",
"iot:CreateTopicRule",
"iot:DeleteTopicRule",
"iot:DisableTopicRule",
"iot:EnableTopicRule",
"iot:ReplaceTopicRule",
"kinesis:CreateStream",
"kinesis:DeleteStream",
"kinesis:DescribeStream",
"lambda:*",
"logs:CreateLogGroup",
"logs:DeleteLogGroup",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:FilterLogEvents",
"logs:GetLogEvents",
"logs:PutLogEvents",
"logs:PutSubscriptionFilter",
"logs:CreateLogStream",
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteBucketPolicy",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:PutBucketNotification",
"s3:PutBucketPolicy",
"s3:PutBucketTagging",
"s3:PutBucketWebsite",
"s3:PutEncryptionConfiguration",
"s3:PutObject",
"sns:CreateTopic",
"sns:DeleteTopic",
"sns:GetSubscriptionAttributes",
"sns:GetTopicAttributes",
"sns:ListSubscriptions",
"sns:ListSubscriptionsByTopic",
"sns:ListTopics",
"sns:SetSubscriptionAttributes",
"sns:SetTopicAttributes",
"sns:Subscribe",
"sns:Unsubscribe",
"sqs:CreateQueue",
"sqs:ReceiveMessage",
"sqs:DeleteMessage",
"sqs:GetQueueAttributes",
"states:CreateStateMachine",
"states:DeleteStateMachine"
],
"Effect": "Allow",
"Resource": "*"
}
]}
这组权限(其中原本没有任何 sqs:* 操作,因此我额外加上了所需的 sqs 操作)取自 Serverless Framework 文档的推荐。安全提示:上面的策略对 Resource "*" 授予了 iam:CreateRole、iam:AttachRolePolicy、iam:PutRolePolicy 和 iam:PassRole,持有它的部署主体可以创建并附加任意策略的角色,实际上等同于帐户管理员权限。若要收紧,至少应通过 iam:PermissionsBoundary 条件强制新建角色必须带有权限边界,并把 iam:PassRole 的 Resource 限定到具体的角色 ARN。