[英]403 forbidden error while trying to connect SQS from Java application using AWS SDK
[英]AWS SQS - SpringBoot - 403 Forbidden
我正在尝试从部署在 AWS/eks 上的 SpringBoot 应用程序访问 AWS SQS 列表,但我收到 403 Forbidden 作为错误。
我是否必须添加特定于 AWS SQS 访问策略的内容才能授予作为生产者/消费者的客户端访问权限?
到目前为止,我并没有尝试进入队列,我只想查看队列列表。
提前致谢
pom.xml
...
<dependency>
<groupId>com.amazonaws</groupId>
<artifactId>aws-java-sdk-sqs</artifactId>
</dependency>
AwsSqsController.java
...
public ResponseEntity<ListQueuesResult> readQueueList() {
AmazonSQS sqs = AmazonSQSClientBuilder.defaultClient();
ListQueuesResult listOfQueues = sqs.listQueues();
log.info("List of Queues: {}", listOfQueues);
return ResponseEntity.ok(listOfQueues);
}
AWS SQS 访问策略
{ "Version": "2012-10-17", "Id": "HCDQueuePolicy", "Statement": [ { "Sid": "AlwaysEncrypted", "Effect": "Deny", "Principal": { "AWS": "*" }, "Action": "sqs:*", "Resource": "arn:aws:sqs:us-east-1:X:queue-name", "Condition": { "Bool": { "aws:SecureTransport": "false" } } }, { "Sid": "DenyAppOperatorEngineer", "Effect": "Deny", "Principal": { "AWS": "arn:aws:iam::X:role/role-name" }, "Action": "sqs:SetQueueAttributes", "Resource": "arn:aws:sqs:us-east-1:X:queue-name" }, { "Sid": "AlwaysSameOrg", "Effect": "Deny", "Principal": { "AWS": "*" }, "Action": "sqs:*", "Resource": "arn:aws:sqs:us-east-1:X:queue-name", "Condition": { "Bool": { "aws:PrincipalIsAWSService": "false" }, "StringNotEquals": { "aws:PrincipalOrgID": "00000000000" } } }, { "Sid": "QueueProducerAccess", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::X:role/role-name" }, "Action": "sqs:SendMessage", "Resource": "arn:aws:sqs:us-east-1:X:queue-name", "Condition": { "StringEquals": { "aws:sourceVpce": "vpce-X00000" } } }, { "Sid": "QueueConsumerAccessViaVpcEndpoint", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::X:role/role-name" }, "Action": [ "sqs:ReceiveMessage", "sqs:GetQueueAttributes", "sqs:DeleteMessage" ], "Resource": "arn:aws:sqs:us-east-1:X:queue-name", "Condition": { "StringEquals": { "aws:sourceVpce": "vpce-X00000" } } }, { "Sid": "QueueConsumerAccessNotViaVpcEndpoint", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::X:role/role-name" }, "Action": [ "sqs:ReceiveMessage", "sqs:GetQueueAttributes", "sqs:DeleteMessage" ], "Resource": "arn:aws:sqs:us-east-1:X:queue-name" }, { "Sid": "QueueAdminAccess", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::X:role/role-name" }, "Action": "sqs:PurgeQueue", "Resource": "arn:aws:sqs:us-east-1:X:queue-name" }, { "Sid": "Allow S3 notifications", "Effect": "Allow", "Principal": { "Service": "s3.amazonaws.com" }, "Action": "sqs:SendMessage", "Resource": "arn:aws:sqs:us-east-1:X:queue-name", "Condition": { "StringEquals": { "aws:SourceAccount": "X" } } } ] }
这是我见过的最大的 sqs 政策 :D 这是由某个框架自动生成的 :) 吗?
是的,您必须明确允许从队列中读取。
如果我没记错的话,那就是
"sqs:ReceiveMessage",
"sqs:GetQueueAttributes",
"sqs:DeleteMessage" Actions
您在 2 个地方拥有它,所以首先我会检查是否满足这些操作的条件。
如果您可以控制该政策,我会:
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.