How to add a Redrive policy to an SNS with an encrypted DLQ
I have an SNS (encrypted with KMS) which is subscribed to by two lambdas. I am trying to add a Redrive policy to one of the subscriptions. The DLQ in question is encrypted.
Adding the Redrive policy gives me an error: 'Couldn't check Amazon SQS queue permissions. Make sure that the queue exists and that your account has permission to read the attributes of the queue. To allow an Amazon SNS topic to send messages to an Amazon SQS queue, you must create an Amazon SQS queue policy'
I have tried giving SNS decrypt permission on the DLQ queue. But no luck. Any leads?
Seems like the functionality is working even if it shows an alert in the console. The messages get sent to the DLQ on lambda failures even though the console shows an alert.
I've reached out to AWS Support, and it's a known UI issue. As of now, there is still no ETA confirmed for the fix.
To work around it, however, you could change the SQS Access Policy Principal section from

    "Principal": {
        "Service": "sns.amazonaws.com"
    },

to

    "Principal": "*",
Presuming you have used the SQS queue policy from the AWS documentation with the principal "Service":"sns.amazonaws.com", then the error message is caused by the fact that the console uses an IAM policy simulation but no principal is being passed.
Changing the principal to "AWS":"*" will allow the policy simulation to succeed and therefore remove the error.
Using the wildcard is safe provided you have a condition which limits access to the specific SNS topic only, as outlined in the prerequisites in AWS's documentation.
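As an added example (not code from any of the answers above): the scoped form of the wildcard workaround the last answer describes, built with constructed placeholder ARNs, plus a small check that flags any Allow statement whose wildcard principal is not limited by an aws:SourceArn condition, which is exactly the case where the workaround would stop being safe.

```python
import json

# Constructed placeholder ARNs (not from the page); substitute your own.
TOPIC_ARN = "arn:aws:sns:us-east-1:111111111111:example-topic"
QUEUE_ARN = "arn:aws:sqs:us-east-1:111111111111:example-dlq"


def dlq_policy(topic_arn: str, queue_arn: str) -> dict:
    """SQS queue policy in the form the answer recommends: a wildcard
    principal so the console's policy simulation succeeds, scoped by
    aws:SourceArn so only the one SNS topic may send to the queue."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowRedriveFromOneTopic",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "sqs:SendMessage",
            "Resource": queue_arn,
            "Condition": {"ArnEquals": {"aws:SourceArn": topic_arn}},
        }],
    }


def unscoped_wildcard_statements(policy: dict) -> list:
    """Return the Sids of Allow statements that grant a wildcard principal
    ("*" or {"AWS": "*"}) access without an aws:SourceArn condition, i.e.
    statements that would open the queue to any caller."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        is_wild = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        if not is_wild:
            continue
        # Condition keys are case-insensitive in IAM, so compare lowercased.
        keys = set()
        for operator_values in stmt.get("Condition", {}).values():
            keys.update(k.lower() for k in operator_values)
        if "aws:sourcearn" not in keys:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    print(json.dumps(dlq_policy(TOPIC_ARN, QUEUE_ARN), indent=2))
```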