CloudFormation - 无法创建 SQS 策略
CloudFormation - not able to create SQS Policy
我正在尝试创建一个 SQSQueue 并通过 SQS::QueuePolicy 为其附加权限。
以下是我的云阵模板-
模板
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"MySQS": {
"Type": "AWS::SQS::Queue",
"Properties": {
"QueueName": "QueueName1"
}
},
"MySQSPolicy": {
"Type": "AWS::SQS::QueuePolicy",
"Properties": {
"Queues": [
{
"Fn::GetAtt" : ["MySQS", "Arn"]
}
],
"PolicyDocument": {
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": ["1234567689111"]
},
"Action": [
"SQS:SendMessage"
]
}
]
}
}
}
}
}
错误
我尝试通过 AWS 控制台创建堆栈,SQS Queue 创建成功,但收到以下 SQS policy 创建错误 -
The specified queue does not exist for this wsdl version. (Service: AmazonSQS; Status Code: 400; Error Code: AWS.SimpleQueueService.NonExistentQueue; Request ID: e2611b4d-6166-5bf3-9205-4d0590e34f84)
CloudFormation Console Error
我已经提到 documentation 但无法弄清楚问题出在哪里?
知道这里出了什么问题吗?
来自AWS::SQS::QueuePolicy - AWS CloudFormation:
Queues:
The URLs of the queues to which you want to add the policy. You can use the Ref function to specify an AWS::SQS::Queue resource.
此外,策略需要引用被允许的 Resource,即队列。是的,队列被引用两次似乎很有趣,但第一次引用是放置策略的位置,第二次是授予对特定队列的访问权限。
该策略还缺少一个 Version 参数。
因此,使用:
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"MySQS": {
"Type": "AWS::SQS::Queue",
"Properties": {
"QueueName": "QueueName1"
}
},
"MySQSPolicy": {
"Type": "AWS::SQS::QueuePolicy",
"Properties": {
"Queues": [
{
"Ref": "MySQS" <--- Changed
}
],
"PolicyDocument": {
"Id": "QueuePolicy",
"Version": "2012-10-17", <--- Added
"Statement": [
{
"Action": [
"sqs:SendMessage"
],
"Effect": "Allow",
"Resource": { <--- Added
"Fn::GetAtt": [
"MySQS",
"Arn"
]
},
"Principal": {
"AWS": [
"*" <--- See note below
]
}
}
]
}
}
}
}
}
如图所示,这适用于 Principal。或者,您可以指定一个 IAM 用户:
"Principal" : {
"AWS" : "arn:aws:iam::123456789012:user/myapp"
},
我认为您不能简单地说 Principal 是一个帐户 ID。
我正在尝试创建一个 SQSQueue 并通过 SQS::QueuePolicy 为其附加权限。 以下是我的云阵模板-
模板
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"MySQS": {
"Type": "AWS::SQS::Queue",
"Properties": {
"QueueName": "QueueName1"
}
},
"MySQSPolicy": {
"Type": "AWS::SQS::QueuePolicy",
"Properties": {
"Queues": [
{
"Fn::GetAtt" : ["MySQS", "Arn"]
}
],
"PolicyDocument": {
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": ["1234567689111"]
},
"Action": [
"SQS:SendMessage"
]
}
]
}
}
}
}
}
错误
我尝试通过 AWS 控制台创建堆栈,SQS Queue 创建成功,但收到以下 SQS policy 创建错误 -
The specified queue does not exist for this wsdl version. (Service: AmazonSQS; Status Code: 400; Error Code: AWS.SimpleQueueService.NonExistentQueue; Request ID: e2611b4d-6166-5bf3-9205-4d0590e34f84)
CloudFormation Console Error
我已经提到 documentation 但无法弄清楚问题出在哪里? 知道这里出了什么问题吗?
来自AWS::SQS::QueuePolicy - AWS CloudFormation:
Queues: The URLs of the queues to which you want to add the policy. You can use the Ref function to specify an
AWS::SQS::Queueresource.
此外,策略需要引用被允许的 Resource,即队列。是的,队列被引用两次似乎很有趣,但第一次引用是放置策略的位置,第二次是授予对特定队列的访问权限。
该策略还缺少一个 Version 参数。
因此,使用:
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"MySQS": {
"Type": "AWS::SQS::Queue",
"Properties": {
"QueueName": "QueueName1"
}
},
"MySQSPolicy": {
"Type": "AWS::SQS::QueuePolicy",
"Properties": {
"Queues": [
{
"Ref": "MySQS" <--- Changed
}
],
"PolicyDocument": {
"Id": "QueuePolicy",
"Version": "2012-10-17", <--- Added
"Statement": [
{
"Action": [
"sqs:SendMessage"
],
"Effect": "Allow",
"Resource": { <--- Added
"Fn::GetAtt": [
"MySQS",
"Arn"
]
},
"Principal": {
"AWS": [
"*" <--- See note below
]
}
}
]
}
}
}
}
}
如图所示,这适用于 Principal。或者,您可以指定一个 IAM 用户:
"Principal" : {
"AWS" : "arn:aws:iam::123456789012:user/myapp"
},
我认为您不能简单地说 Principal 是一个帐户 ID。