[英]Cloudformation SQS Policy for S3 events
I'm trying to create a policy for an SQS queue which would allow any S3 bucket to send events to the queue. 我正在尝试为SQS队列创建一个策略,该策略允许任何S3存储桶将事件发送到队列。 I don't seem to be able to do this for a specific S3 queue because I end up with circular dependencies.
我似乎无法为特定的S3队列执行此操作,因为我最终得到循环依赖。
I've created a cloudformation template which will create the queue and policy, but when I try and manually setup the S3 bucket to send the events I get a message saying 我已经创建了一个用于创建队列和策略的cloudformation模板,但是当我尝试手动设置S3存储桶以发送事件时,我收到一条消息说
Permissions on the destination queue do not allow S3 to publish notifications from this bucket
目标队列上的权限不允许S3从此存储桶发布通知
The template section that I'm using to create the policy is: 我用来创建策略的模板部分是:
"SQSNotifcationFromS3" : {
"Type" : "AWS::SQS::QueuePolicy",
"DependsOn" : "S3Notifications",
"Properties" : {
"PolicyDocument" : {
"Version": "2012-10-17",
"Id": "SQSIDsimon",
"Statement": [
{
"Sid": "example-statement-ID",
"Effect": "Allow",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Action": "SQS:*",
"Resource": { "Ref" : "S3Notifications"}
}
]
},
"Queues" : [ { "Ref" : "S3Queue" } ]
}
}
In the end, I found a solution for this - I set the permissions on the SQS so that any S3 bucket could add events to the queue: 最后,我找到了一个解决方案 - 我在SQS上设置了权限,以便任何S3存储桶都可以向队列添加事件:
"S3EventQueuePolicy" : {
"Type" : "AWS::SQS::QueuePolicy",
"DependsOn" : [ "S3EventQueue" ],
"Properties" : {
"PolicyDocument" : {
"Id": "SQSPolicy",
"Statement": [
{
"Sid": "SQSEventPolicy",
"Effect": "Allow",
"Principal": "*",
"Action": "SQS:*",
"Resource": "*",
"Condition": {
"ArnLike": {
"aws:SourceArn": "arn:aws:s3:::*"
}
}
}
]
},
"Queues" : [ { "Ref" : "S3EventQueue"} ]
}
},
In the AWS console, did you confirm that the queue has successfully granted permissions to the s3 bucket? 在AWS控制台中,您是否确认队列已成功授予对s3存储桶的权限? In SQS, select the queue and look at the permissions tab.
在SQS中,选择队列并查看权限选项卡。
Looking at your template snippet above, I'm not sure what "S3Notifications" points to but I'll assume it's the S3 bucket. 看看上面的模板片段,我不确定“S3Notifications”指向的是什么,但我认为它是S3存储桶。 The SQS policy document "Resource" should be the ARN of the S3 bucket.
SQS策略文档“Resource”应该是S3存储桶的ARN。 The "Ref" function on an S3 bucket has a Reference Value of "Name".
S3存储桶上的“Ref”功能的参考值为“Name”。 You need ARN I believe.
我相信你需要ARN。
See: http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/SQSExamples.html 请参阅: http : //docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/SQSExamples.html
and: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html 和: http : //docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.