堆栈内存溢出
  繁体   English   中英

使用 CDK 授予对 SNS 主题订阅上的死信队列的权限

[英]Using CDK to grant permissions to Dead Letter Queue on SNS Topic Subscription

 原文  2023-01-06 00:17:57       aws-cdk/ amazon-sns

问题描述

我正在尝试设置一个 SNS 主题,并订阅一个队列。 我想将死信队列放入 SNS 订阅。

这部署正常,但是在 AWS 控制台中,当我打开订阅时,我看到错误“无法检查 Amazon SQS 队列权限。确保队列存在并且您的账户有权读取队列的属性” .

我是否需要以某种方式将TopicDLQ SNSTopic

export class SNSToSQSConstruct extends Construct {
    public readonly TopicDLQ: IQueue
    public readonly SQSQueue: IQueue
    public readonly SNSTopic: ITopic

    constructor(scope: Construct, id: string) {
        super(scope, id);

        this.TopicDLQ = new Queue(this, `${id}_TopicDLQ`, {
            visibilityTimeout: cdk.Duration.seconds(300),
        });

        this.SQSQueue = new Queue(this, `${id}_Queue`, {
            visibilityTimeout: cdk.Duration.seconds(300),
        });

        this.SNSTopic = new Topic(this, `${id}_Topic`, {
            fifo: false, // fifo support 300tps, standard support almost unlimited
            topicName: id,
        });

        var subscription = this.SNSTopic.addSubscription(new SqsSubscription(this.SQSQueue, {
            rawMessageDelivery: true,
            deadLetterQueue: this.TopicDLQ
        }));
        
        // error Subscription is not IGrantable
        //this.TopicDLQ.grantSendMessages(subscription);
    }
}

1 个解决方案

解决方案1
 1  2023-01-06 01:10:52

我想你可以用addToResourcePolicy做到这一点

import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { IQueue, Queue } from 'aws-cdk-lib/aws-sqs'
import { ITopic, Topic } from 'aws-cdk-lib/aws-sns'
import { SqsSubscription } from 'aws-cdk-lib/aws-sns-subscriptions'
import { ServicePrincipal, PolicyStatement, Effect} from 'aws-cdk-lib/aws-iam'

export class SNSToSQSConstruct extends Construct {
    public readonly TopicDLQ: IQueue
    public readonly SQSQueue: IQueue
    public readonly SNSTopic: ITopic

    constructor(scope: Construct, id: string) {
        super(scope, id);

        this.TopicDLQ = new Queue(this, `${id}_TopicDLQ`, {
            visibilityTimeout: cdk.Duration.seconds(300),
        });

        this.SQSQueue = new Queue(this, `${id}_Queue`, {
            visibilityTimeout: cdk.Duration.seconds(300),
        });

        this.SNSTopic = new Topic(this, `${id}_Topic`, {
            fifo: false, // fifo support 300tps, standard support almost unlimited
            topicName: id,
        });

        var subscription = this.SNSTopic.addSubscription(new SqsSubscription(this.SQSQueue, {
            rawMessageDelivery: true,
            deadLetterQueue: this.TopicDLQ
        }));
        
        this.TopicDLQ.addToResourcePolicy(
            new PolicyStatement({
              effect: Effect.ALLOW,
              principals: [new ServicePrincipal('sns.amazonaws.com')],
              actions: ["sqs:SendMessage"],
              resources: [this.TopicDLQ.queueArn],
              conditions: {
                ArnEquals: {
                  "aws:SourceArn": this.SNSTopic.topicArn,
                },
              },
            })
          );
    }
}

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 SNS 重新驱动到死信队列不起作用 使用CDK,SNS主题Policy Statement,使用actions:["sns:*"],Cloudformation导致“Policy statement action out of service scope!” 通过 Lambda 在 SNS 队列上发布主题 如何为使用 Terraform 生成的 SQS 队列获取死信队列的 URL? 处理 AWS SQS 死信队列 如何在 CloudFormation 脚本上添加 email 订阅 SNS 主题? 谷歌云发布/订阅 - 订阅者未将消息转发到死信主题 代码没有错误,为什么消息仍然被发送到死信队列? 如何使用过滤策略从 SNS 主题中排除 cloudwatch 警报? 使用 Lambda 和 SNS 主题自动进行 AWS VPC 对等
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM