[英]Error code: AccessDeniedException. User: arn:aws:iam::xxx:user/xxx is not authorized to perform: lambda:CreateEventSourceMapping on resource: *
This question is related to this :这个问题与此有关:
Setup:设置:
Account A (containing the SQS Queue)账户 A(包含 SQS 队列)
Account B (contains the lambda function that will be triggered by SQS Queue in Account A)账户 B(包含 lambda function 将由账户 A 中的 SQS Queue 触发)
This is the lambda resource policy in Account B这是账户 B 中的 lambda 资源策略
"Version": "2012-10-17",
"Id": "default",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT-A:user/USER-ACCOUNT-A"
},
"Action": "lambda:*",
"Resource": "arn:aws:lambda:eu-north-1:ACCOUNT-B:function:FUNCTION-ACCOUNT-B"
},
{
"Effect": "Allow",
"Principal": {
"Service": "sqs.amazonaws.com"
},
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:eu-north-1:ACCOUNT B:function:FUNCTION-ACCOUNT-B",
"Condition": {
"StringEquals": {
"AWS:SourceAccount": ACCOUNT A
},
"ArnLike": {
"AWS:SourceArn": "arn:aws:sqs:eu-north-1:ACCOUNT-A:QUEUE-ACCOUNT A"
}
}
}
]
}
and this is the SQS permission policy in Account A这是账户 A 中的 SQS 权限策略
"Statement": [
{
"Sid": "__owner_statement",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT-A:root"
},
"Action": "SQS:*",
"Resource": "arn:aws:sqs:eu-north-1:ACCOUNT-A:QUEUE-NAME-ACCOUNT-A"
},
{
"Sid": "__receiver_statement",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT-B:root"
},
"Action": [
"SQS:ChangeMessageVisibility",
"SQS:DeleteMessage",
"SQS:ReceiveMessage"
],
"Resource": "arn:aws:sqs:eu-north-1:ACCOUNT-A:QUEUE-NAME-ACCOUNT-A"
},
{
"Sid": "Permission to LambdaRole",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT-B:role/LAMBDA-EXECUTION-ROLE-ACCOUNT-B"
},
"Action": [
"SQS:ChangeMessageVisibility",
"SQS:DeleteMessage",
"SQS:ReceiveMessage",
"SQS:GetQueueAttributes"
],
"Resource": "arn:aws:sqs:eu-north-1:ACCOUNT-A:QUEUE-NAME-ACCOUNT-A"
}
]
}
When user in Account A tries to add lambda trigger from SQS, the following AccessDenied Error shows up:当账户 A 中的用户尝试从 SQS 添加 lambda 触发器时,会显示以下 AccessDenied 错误:
Error code: AccessDeniedException. Error message: User: arn:aws:iam::xxxxxxxx:user/xxx is not authorized to perform: lambda:CreateEventSourceMapping on resource: *
I also tried to add the trigger from the lambda function (just for testing as this is not something I want), but I got the following error:我还尝试从 lambda function 添加触发器(仅用于测试,因为这不是我想要的),但出现以下错误:
An error occurred when creating the trigger: The provided execution role does not have permissions to call GetQueueAttributes on SQS (Service: AWSLambda; Status Code: 400; Error Code: InvalidParameterValueException; Request ID: xxx; Proxy: null)
My Lambda Role has "AmazonSQSFullAccess" permission.我的 Lambda 角色具有“AmazonSQSFullAccess”权限。 So I really don't know what's going on here.所以我真的不知道这里发生了什么。
Can someone help with this please?有人可以帮忙吗?
UPDATE更新
I found a bug in the SQS permission policy and fixing this solved the second error:我在 SQS 权限策略中发现了一个错误,并修复它解决了第二个错误:
An error occurred when creating the trigger: The provided execution role does not have permissions to call GetQueueAttributes on SQS (Service: AWSLambda; Status Code: 400; Error Code: InvalidParameterValueException; Request ID: xxx; Proxy: null)
However as mentioned earlier I would need that the user in Account A add a lambda trigger from SQS Queue (which is creating the first error I posted above) rather than the other way round.但是,如前所述,我需要帐户 A 中的用户从 SQS 队列(创建我上面发布的第一个错误)添加 lambda 触发器,而不是相反。 Is that possible at all?这有可能吗?
Your IAM policy is probably limited to the lambda function
type resource but it also needs the event-source-mapping
resource.您的 IAM 策略可能仅限于 lambda function
类型资源,但它还需要event-source-mapping
资源。
"Resource": [
"arn:aws:lambda:*:<YOUR_ACCOUNT_ID>:function:*",
"arn:aws:lambda:*:<YOUR_ACCOUNT_ID>:event-source-mapping:*"
]
Or just say screw IAM and go with '*'
.或者只是用'*'
说螺丝 IAM 和 go 。
The list of resources can be found here: Resources and conditions for Lambda actions可在此处找到资源列表: Lambda 操作的资源和条件
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.