AWS Video Rekognition is not publishing results to SNS Topic

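Running some Node.js AWS Rekognition code to detect labels in an mp4 video, but when it completes it does not publish to the specified SNS topic. Using topic/ROLE ARNs.

I don't get any permission errors when submitting the request: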
const AWS = require('aws-sdk');
AWS.config.update(
    {
        region: 'us-west-2',
        accessKeyId: "asdfadsf",
        secretAccessKey: "asdfasdfasdfasd1234123423"
    }
);

// Client used for the startLabelDetection call below
const rekognition = new AWS.Rekognition();

const params = {
    Video: {
        S3Object: {
            Bucket: 'myvidebucket',
            Name: '5d683b81760ec59c2015.mp4'
        }
    },
    // Role that Rekognition assumes, and the topic it publishes the completion status to
    NotificationChannel: {
        RoleArn: 'arn:aws:iam::xxxxxxxxxxxxx:role/AmazonRekognitionSNSSuccessFeedback',
        SNSTopicArn: 'arn:aws:sns:us-west-2:xxxxxxxxxxxxx:recoknize',
    },
    MinConfidence: 60
};

// Starts the asynchronous job; the response only contains the JobId
rekognition.startLabelDetection(params).promise().then(data => {
    console.log(JSON.stringify(data));
}).catch(error => {
    console.log(error);
});

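The code executes without errors and I get a job ID back. My SNS topic subscription is confirmed and should POST to my HTTPS endpoint. But nothing arrives, and there are no error logs about this anywhere in the AWS console.

When I manually access Rekognition using the job ID, the data comes back fine, so I know it completed correctly. Something weird must be going on with the IAM permissions.

I have successfully reviewed and tested your Node.js code and found no issues with it.

Since the code returns the AWS Rekognition "JobId" successfully, you can review your SNS configuration and check that it matches the following:

1. On your SNS topic ('arn:aws:sns:us-west-2:xxxxxxxxxxxxx:recoknize'), navigate to the access policy and check that you have a policy similar to the following: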

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "Service": "rekognition.amazonaws.com"
      },
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:SetTopicAttributes",
        "SNS:AddPermission",
        "SNS:RemovePermission",
        "SNS:DeleteTopic",
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:Publish",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:us-west-2:XXXXXXXXXXXX:AmazonRekognitionTopic"
    }
  ]
}

2. On your IAM role ('arn:aws:iam::xxxxxxxxxxxxx:role/AmazonRekognitionSNSSuccessFeedback'), make sure of the following:

(i) The "Trust relationship" of your role has a statement like the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service":"rekognition.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

(ii) The role has an attached policy document similar to the one given below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sns:publish"
            ],
            "Resource": "*"
        }
    ]
}

A message successfully published from Amazon Rekognition to the SNS topic should look similar to:

{"JobId":"8acd9edd6edfb0e4985f8cd269e4863e54f7fcd451af6aafe10b32996dedbdba","Status":"SUCCEEDED","API":"StartLabelDetection","Timestamp":1568544553927,"Video":{"S3ObjectName":"final.mp4","S3Bucket":"syumak-rekognition"}}

Hope this helps.

Hidden in the documentation - obviously: https://docs.aws.amazon.com/rekognition/latest/dg/api-video-roles.html#api-video-roles-all-topics

AmazonRekognitionServiceRole gives Amazon Rekognition Video access to Amazon SNS TOPICS that are PREFIXED with AmazonRekognition.

It doesn't say the role ARN needs the prefix, but it wouldn't hurt. Double-check that your topic is AmazonRekognitionMyTopicName

 RoleArn: 'arn:aws:iam::xxxxxxxxxxxxx:role/AmazonRekognitionSNSSuccessFeedback', <- don't think this is so important.
SNSTopicArn: 'arn:aws:sns:us-west-2:xxxxxxxxxxxxx:recoknize', <- Must be something like AmazonRekognitionSuccess

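Also - this helped / I dropped FIFO, which allows subscribing by email in addition to SQS. https://docs.aws.amazon.com/rekognition/latest/dg/video-troubleshooting.html

This line: Confirm that you have an IAM service role that gives Amazon Rekognition Video permissions to publish to your Amazon SNS topics. For more information, see Configuring Amazon Rekognition Video.

I created a new IAM and gave it AmazonRekognitionFullAccess, AmazonSNSRole, AmazonSNSFullAccess

I updated the trust relationship to include both sns.amazonaws.com / rekognition.amazonaws.com.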

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "sns.amazonaws.com",
          "rekognition.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Not sure which of these made everything click - but I spent half a day on this / hope this saves someone some time.
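
An offline pre-flight check for the role conditions discussed in the answers above (trust relationship, sns:Publish on the topic, topic-name prefix), added here as an example and not part of the original posts. The function names, finding codes, the account id 111122223333 and the prefix-scoped policy are constructed for illustration; Deny statements, NotAction and Condition blocks are not evaluated.

```javascript
// Added example: offline pre-flight check for a Rekognition Video NotificationChannel.
// Policies are plain parsed JSON (as copied from the IAM console); no AWS calls are made.
const asList = v => (Array.isArray(v) ? v : v === undefined ? [] : [v]);

// IAM-style wildcard match: '*' is any run of characters, '?' is any single character.
function glob(pattern, value, ignoreCase = false) {
  const body = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp(`^${body}$`, ignoreCase ? 'i' : '').test(value);
}

// Allow statements of a policy that grant `action` (IAM action names are case-insensitive).
const allowing = (policy, action) => asList(policy.Statement).filter(s =>
  s.Effect === 'Allow' && asList(s.Action).some(a => glob(a, action, true)));

function checkNotificationChannel({ trustPolicy, rolePolicy, topicArn }) {
  const findings = [];
  // 1. Rekognition must be allowed to assume the role passed as RoleArn.
  const trusted = allowing(trustPolicy, 'sts:AssumeRole').some(s =>
    asList(s.Principal && s.Principal.Service).includes('rekognition.amazonaws.com'));
  if (!trusted) findings.push('TRUST_MISSING_REKOGNITION');
  // 2. The role must allow sns:Publish on this exact topic ARN.
  const grants = allowing(rolePolicy, 'sns:Publish').filter(s =>
    asList(s.Resource).some(r => glob(r, topicArn)));
  if (grants.length === 0) findings.push('ROLE_CANNOT_PUBLISH_TO_TOPIC');
  // 3. Publishing works, but the grant is not scoped to a single topic.
  if (grants.some(s => asList(s.Resource).includes('*'))) findings.push('PUBLISH_ON_ALL_TOPICS');
  return findings;
}

// Constructed sample input (account id 111122223333 is a placeholder).
const trustPolicy = { Version: '2012-10-17', Statement: [{ Effect: 'Allow',
  Principal: { Service: 'rekognition.amazonaws.com' }, Action: 'sts:AssumeRole' }] };
// Constructed policy scoped to the AmazonRekognition topic prefix described above.
const prefixScoped = { Version: '2012-10-17', Statement: [{ Effect: 'Allow',
  Action: ['sns:Publish'], Resource: 'arn:aws:sns:*:*:AmazonRekognition*' }] };
const questionTopic = 'arn:aws:sns:us-west-2:111122223333:recoknize';
const prefixedTopic = 'arn:aws:sns:us-west-2:111122223333:AmazonRekognitionSuccess';

console.log(checkNotificationChannel({ trustPolicy, rolePolicy: prefixScoped, topicArn: questionTopic }));
console.log(checkNotificationChannel({ trustPolicy, rolePolicy: prefixScoped, topicArn: prefixedTopic }));
```

With a prefix-scoped grant, a topic named like the one in the question is reported as unpublishable while the job itself still starts and returns a JobId, which matches the silent failure described.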