堆栈内存溢出
  简体   繁体   English

跨账户 SNS 在第二个账户中订阅 Lambda

[英]Cross Account SNS Subscribe to Lambda in second account

 原文  2020-02-18 09:12:19       amazon-web-services/ aws-lambda/ amazon-sns

问题描述

I have used the below policy for the SNS topic to subscribe this SNS in Lambda with account number as 222222222222. I have also given access to my lambda with a similar policy adding it to the execution role of Lambda.我已使用以下 SNS 主题策略在 Lambda 中订阅此 SNS,帐号为 222222222222。我还授予了对我的 lambda 的访问权限,并使用类似的策略将其添加到 Lambda 的执行角色中。

Getting the error below:得到以下错误:

An error occurred when creating the trigger: User: arn:aws:sts::222222222222:assumed-role/TSI_Base_FullAccess/AXXXXXXXX is not authorized to perform: SNS:Subscribe on resource: arn:aws:sns:eu-west-1:111111111111:Story-5555 (Service: AmazonSNS; Status Code: 403; Error Code: AuthorizationError; Request ID: 1321942c-25c4-52a1-bacb-c2e9bd641067)创建触发器时发生错误:用户:arn:aws:sts::222222222222:assumed-role/TSI_Base_FullAccess/AXXXXXXXX is notauthorized to perform: SNS:Subscribe on resource: arn:aws:sns:eu-west-1: 111111111111:Story-5555(服务:AmazonSNS;状态码:403;错误码:AuthorizationError;请求ID:1321942c-25c4-52a1-bacb-c2e9bd641067)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1582008007178",
      "Action": [
        "sns:GetSubscriptionAttributes",
        "sns:GetTopicAttributes",
        "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTagsForResource",
        "sns:ListTopics",
        "sns:Publish",
        "sns:Subscribe"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:sns:eu-west-1:111111111111:Story-5555",
      "Condition": {
        "ArnEquals": {
          "aws:PrincipalArn": "arn:aws:lambda:eu-west-1:222222222222:function:New_Cross_SNS"
        }
      }
    }
  ]
}

1 个解决方案

解决方案1
 0  2020-02-18 10:10:23

According AWS Documentation you should specify principle additionally to the condition.根据AWS 文档,您应该在条件之外指定原则。

So your policy should resemble所以你的政策应该类似于

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1582008007178",
      "Action": [
        "sns:GetSubscriptionAttributes",
        "sns:GetTopicAttributes",
        "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTagsForResource",
        "sns:ListTopics",
        "sns:Publish",
        "sns:Subscribe"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:sns:eu-west-1:111111111111:Story-5555",
      "Principal": {
        "AWS": ["222222222222"]
      },
      "Condition": {
        "ArnEquals": {
          "aws:PrincipalArn": [
               "arn:aws:lambda:eu-west-1:222222222222:function:New_Cross_SNS",
               "arn:aws:sts::222222222222:assumed-role:TSI_Base_FullAccess:AXXXXXXXX"
          ]
        }
      }
    }
  ]
}

The way to be sure which ARN to specify in the condition section of the policy is to call (and print) get-caller-identity API from your function.确定在策略的条件部分指定哪个 ARN 的方法是从您的函数调用(并打印) get-caller-identity API。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 执行 AWS Lambda 与 AWS SNS 的跨账户集成时出错 - Error while doing AWS Lambda Cross Account integration with AWS SNS AWS 跨账户 SNS 发布 - AWS Cross Account SNS Publish 跨账号、跨地域SNS消息处理 - Cross account, cross region SNS message processing SNS跨账户订阅,附加层 - SNS cross account subscription with additional layer AWS Lambda跨帐户访问 - Aws lambda cross account access 如何使用boto3通过另一个帐户的SQS订阅一个帐户的SNS主题? - How to subscribe an SNS topic of one account by SQS of another account using boto3? 使用 API 网关从跨账户调用 SNS - Invoking SNS from cross account using API Gateway 跨账户 SNS SQS 订阅设置 (CDK) - Cross account SNS SQS subscription set up (CDK) AWS Lambda跨账户访问被拒绝 - AWS Lambda cross-account access denied 如何在跨账户中访问 Lambda 函数? - How to access Lambda Function in cross account?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM