[英]Unable to configure SQS queue notification in S3
我創建了一個 SQS 隊列並在權限選項卡下添加了策略,只允許我的帳戶用戶配置通知
政策文件
{
"Version": "2012-10-17",
"Id": "arn:aws:sqs:us-east-1:111111111111:sqsqueue/SQSDefaultPolicy",
"Statement": [
{
"Sid": "Sid111111111111",
"Effect": "Allow",
"Principal": {
"AWS": "111111111111"
},
"Action": [
"sqs:SendMessage",
"sqs:ReceiveMessage"
],
"Resource": "arn:aws:sqs:us-east-1:111111111111:queue"
}
]
導航到 S3 並嘗試為上述隊列配置事件通知,它拋出錯誤
無法驗證以下目標配置。 目標隊列的權限不允許 S3 從該存儲桶發布通知。 (arn:aws:sqs:us-east-1:111111111111:queue)*
難道我做錯了什么? 有誰可以幫助我嗎
我能夠通過在 Principal 標簽中添加 "Service": "s3.amazonaws.com" 來解決這個問題。
這里是政策文件
{
"Version": "2012-10-17",
"Id": "arn:aws:sqs:us-east-1:111111111111:sqsqueue/SQSDefaultPolicy",
"Statement": [
{
"Sid": "Sid111111111111",
"Effect": "Allow",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Action": [
"sqs:SendMessage",
"sqs:ReceiveMessage"
],
"Resource": "arn:aws:sqs:us-east-1:111111111111:queue"
}
]
這在https://forums.aws.amazon.com/thread.jspa?threadID=173251 中有解釋
該模板文件創建了一個存儲桶、SQS 隊列和一個連接兩者的策略:
AWSTemplateFormatVersion: 2010-09-09
Parameters:
IncomingBucketName:
Type: 'String'
Description: 'Incoming Bucket Name'
Default: 'some-bucket-name-here'
Resources:
IncomingFileQueue:
Type: 'AWS::SQS::Queue'
Properties: {}
SQSQueuePolicy:
Type: 'AWS::SQS::QueuePolicy'
Properties:
PolicyDocument:
Id: 'MyQueuePolicy'
Version: '2012-10-17'
Statement:
- Sid: 'Statement-id'
Effect: 'Allow'
Principal:
AWS: "*"
Action: 'sqs:SendMessage'
Resource:
Fn::GetAtt: [ IncomingFileQueue, Arn ]
Queues:
- Ref: IncomingFileQueue
IncomingFileBucket:
Type: 'AWS::S3::Bucket'
DependsOn:
- SQSQueuePolicy
- IncomingFileQueue
Properties:
AccessControl: BucketOwnerFullControl
BucketName:
Ref: IncomingBucketName
NotificationConfiguration:
QueueConfigurations:
- Event:
s3:ObjectCreated:Put
Queue:
Fn::GetAtt: [ IncomingFileQueue, Arn ]
我遇到了同樣的問題,但使用此頁面來確定如何連接三個資源以成功部署堆棧: https : //aws.amazon.com/premiumsupport/knowledge-center/unable-validate-destination-s3 /
我仍在處理政策條件,因為上述鏈接中推薦的表格不適用於 SQS。 既然如此,上述模板並不安全,不應在生產中使用,因為它允許任何人向隊列添加消息。
一旦我弄清楚了這一點,我會更新這個答案......
您必須允許 s3 服務。 在主體下添加“服務”:“s3.amazonaws.com”
{
"Version": "2012-10-17",
"Id": "arn:aws:sqs:us-east-1:111111111111:sqsqueue/SQSDefaultPolicy",
"Statement": [
{
"Sid": "Sid111111111111",
"Effect": "Allow",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Action": [
"sqs:SendMessage",
"sqs:ReceiveMessage"
],
"Resource": "arn:aws:sqs:us-east-1:111111111111:queue"
}
]
請閱讀這些文章以了解 amazon sqs 隊列並實施:
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.