SQS API:sqs:CreateQueue 访问资源 https://sqs.us-east-1.amazonaws.com/ 在使用 Cloudformation 的“放大推送”上被拒绝
SQS API: sqs:CreateQueue Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied on `amplify push` using Cloudformation
我正在实施 SQS fifo 队列。我必须使用 cloudformation 模板来实现我。
当我放大推送时,我得到
错误
API: sqs:CreateQueue Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied
我添加了遵循 aws docs 的 SQS 政策
.除了accountID,我在“Principal”中使用服务作为“sqs.amazonaws.com”。
我的 cloudformation 看起来像:
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "SQS fifo queue",
"Parameters": {
"env": {
"Type": "String"
}
},
"Resources": {
"QueueExecutionRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"RoleName": {
"Fn::Join": [
"",
[
"queue-exec-role-",
{
"Ref": "env"
}
]
]
},
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "sqs.amazonaws.com"
},
"Action": ["sts:AssumeRole"]
}
]
}
}
},
"SQSPolicy": {
"Type": "AWS::SQS::QueuePolicy",
"Properties": {
"Queues": [{ "Ref": "groupingQueue" }],
"PolicyDocument": {
"Statement": [
{
"Action": ["SQS:SendMessage", "SQS:ReceiveMessage"],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": ["groupingQueue", "Arn"]
},
"Principal": {
"Service": "sqs.amazonaws.com"
}
}
]
}
}
},
"groupingQueue": {
"Type": "AWS::SQS::Queue",
"Properties": {
"FifoQueue": "true",
"QueueName": {
"Fn::Join": [
"",
[
"grouping-queue-",
{
"Ref": "env"
},
".fifo"
]
]
}
}
}
},
"Outputs": {
"QueueURL": {
"Description": "URL of new Amazon SQS Queue",
"Value": { "Ref": "groupingQueue" }
},
"QueueARN": {
"Description": "ARN of new Amazon SQS Queue",
"Value": { "Fn::GetAtt": ["groupingQueue", "Arn"] }
},
"QueueName": {
"Description": "Name new Amazon SQS Queue",
"Value": { "Fn::GetAtt": ["groupingQueue", "QueueName"] }
}
}
}
我不想在“Principal”中给出AccountID,所以使用了sqs服务。
使用这个确切的模板,我在 amplify push -y 上被拒绝访问。
我正在从服务器执行 amplify push。当我从本地计算机推送它时,它起作用了。
原来我在服务器中设置的 aws 配置文件没有 sqs:CreateQueue 权限,而我的本地有管理员访问权限。
因此,我从控制台向我的服务器用户添加了管理员完全访问权限,再次执行 amplify push 并且运行顺利。
PS:不需要给管理员权限,给sqs:CreateQueue权限即可。我这样做是因为我正在测试。
我正在实施 SQS fifo 队列。我必须使用 cloudformation 模板来实现我。
当我放大推送时,我得到
错误
API: sqs:CreateQueue Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied
我添加了遵循 aws docs 的 SQS 政策 .除了accountID,我在“Principal”中使用服务作为“sqs.amazonaws.com”。
我的 cloudformation 看起来像:
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "SQS fifo queue",
"Parameters": {
"env": {
"Type": "String"
}
},
"Resources": {
"QueueExecutionRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"RoleName": {
"Fn::Join": [
"",
[
"queue-exec-role-",
{
"Ref": "env"
}
]
]
},
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "sqs.amazonaws.com"
},
"Action": ["sts:AssumeRole"]
}
]
}
}
},
"SQSPolicy": {
"Type": "AWS::SQS::QueuePolicy",
"Properties": {
"Queues": [{ "Ref": "groupingQueue" }],
"PolicyDocument": {
"Statement": [
{
"Action": ["SQS:SendMessage", "SQS:ReceiveMessage"],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": ["groupingQueue", "Arn"]
},
"Principal": {
"Service": "sqs.amazonaws.com"
}
}
]
}
}
},
"groupingQueue": {
"Type": "AWS::SQS::Queue",
"Properties": {
"FifoQueue": "true",
"QueueName": {
"Fn::Join": [
"",
[
"grouping-queue-",
{
"Ref": "env"
},
".fifo"
]
]
}
}
}
},
"Outputs": {
"QueueURL": {
"Description": "URL of new Amazon SQS Queue",
"Value": { "Ref": "groupingQueue" }
},
"QueueARN": {
"Description": "ARN of new Amazon SQS Queue",
"Value": { "Fn::GetAtt": ["groupingQueue", "Arn"] }
},
"QueueName": {
"Description": "Name new Amazon SQS Queue",
"Value": { "Fn::GetAtt": ["groupingQueue", "QueueName"] }
}
}
}
我不想在“Principal”中给出AccountID,所以使用了sqs服务。
使用这个确切的模板,我在 amplify push -y 上被拒绝访问。
我正在从服务器执行 amplify push。当我从本地计算机推送它时,它起作用了。
原来我在服务器中设置的 aws 配置文件没有 sqs:CreateQueue 权限,而我的本地有管理员访问权限。
因此,我从控制台向我的服务器用户添加了管理员完全访问权限,再次执行 amplify push 并且运行顺利。
PS:不需要给管理员权限,给sqs:CreateQueue权限即可。我这样做是因为我正在测试。