执行 AWS Lambda 与 AWS SNS 的跨账户集成时出错
[英]Error while doing AWS Lambda Cross Account integration with AWS SNS
问题描述
I want to send notification from SNS (Account A) to Lambda (Account B).
我想从 SNS(账户 A)向 Lambda(账户 B)发送通知。 Followed this tutorial but still getting below error: https://docs.aws.amazon.com/lambda/latest/dg/with-sns-example.html遵循本教程但仍然出现以下错误: https://docs.aws.amazon.com/lambda/latest/dg/with-sns-example.html
Error code: AccessDeniedException - Error message: User: arn:aws:sts::AccountA:assumed-role/AdministratorAccessRole/A12345 is not authorized to perform: lambda:AddPermission on resource: arn:aws:lambda:us-east-1:AccountB:function:TestLambda错误代码:AccessDeniedException - 错误消息:用户:arn:aws:sts::AccountA:assumed-role/AdministratorAccessRole/A12345 无权执行:lambda:AddPermission on resource:arn:aws:Z945F3FC449518A73B96F5F3286:CDB:4帐户B:function:TestLambda
Below what I did: 1. In Account A, added below policy in Access Policy of SNS:下面是我所做的: 1. 在账户 A 中,在 SNS 的访问策略中添加以下策略:
{
"Version": "2008-10-17",
"Id": "__default_policy_ID",
"Statement": [
{
"Sid": "_abc_",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountB:root"
},
"Action": [
"SNS:Subscribe",
"SNS:Receive"
],
"Resource": "arn:aws:sns:us-east-1:AccountA:TriggerLambdaB-SNS"
}
]
}
2. In Account B, added below policy in Resource-Based Policy of Lambda: 2. 在账户 B 中,在 Lambda 的 Resource-Based Policy 中添加以下策略:
{
"Version": "2012-10-17",
"Id": "default",
"Statement": [
{
"Sid": "_abc_",
"Effect": "Allow",
"Principal": {
"Service": "sns.amazonaws.com"
},
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:us-east-1:AccountB:function:TestLambda",
"Condition": {
"ArnLike": {
"AWS:SourceArn": "arn:aws:sns:us-east-1:AccountA:TriggerLambdaB-SNS"
}
}
}
]
}
I am able to see the SNS Name under Trigger Lambda section of my Lambda in Account B. But when I am trying to Subscribe the Lambda under SNS, then getting this error.我可以在帐户 B 中我的 Lambda 的触发 Lambda 部分下看到 SNS 名称。但是当我尝试在 SNS 下订阅 Lambda 时,出现此错误。 Please guide what am I missing here.请指导我在这里缺少什么。
Is it because I am having different types of Role in these accounts like AdminAccessRole in Account A and FederatedRoleAccess in Account B?是因为我在这些帐户中拥有不同类型的角色,例如帐户 A 中的 AdminAccessRole 和帐户 B 中的 FederatedRoleAccess?
1 个解决方案
解决方案1
1 2020-04-19 12:06:19
You need to run the aws sns subscribe in Account-B (with the Lambda function), not Account-A (with the SNS function).您需要在Account-B (使用 Lambda 功能)而不是 Account-A(使用 SNS 功能)中运行aws sns subscribe 。
Otherwise, your setup seems correct.否则,您的设置似乎是正确的。
When I tried running the subscribe command from Account-A, it said:当我尝试从 Account-A 运行subscribe命令时,它说:
An error occurred (AuthorizationError) when calling the Subscribe operation: The account ACCOUNT-A is not the owner of the lambda function arn:aws:lambda:ap-southeast-2:ACCOUNT-B:function:foo
While this error is different to yours, your command appears to have been run from Account-A (with SNS) rather than Account-B (with Lambda).虽然此错误与您的不同,但您的命令似乎是从 Account-A(使用 SNS)而不是 Account-B(使用 Lambda)运行的。
Side-note: There appears to be a small error in the Tutorial: Using AWS Lambda with Amazon Simple Notification Service documentation, where the Resource-Based policy for Lambda (the second one in your Question) is showing a SourceArn that refers to Account-B-Lambda, whereas it should be Account-A-SNS.旁注: 教程中似乎有一个小错误:将 AWS Lambda 与 Amazon Simple Notification Service文档一起使用,其中 Lambda 的基于资源的策略(您的问题中的第二个)显示了一个SourceArn ,它指的是 Account- B-Lambda,而它应该是 Account-A-SNS。 However, you appear to have gotten this correct in your policy above.但是,您在上面的保单中似乎已经正确理解了这一点。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.