Invoking SNS from cross account using API Gateway
I have an API Gateway endpoint in my AWS account that invokes an SNS topic in another AWS account in the same region.
The access policy attached to API Gateway in my account is as follows:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sns:Publish",
            "Resource": "arn:aws:sns:ap-southeast-1:604970532282:PublishSourceMsgTopic"
        }
    ]
}
The SNS ARN arn:aws:sns:ap-southeast-1:604970532282:PublishSourceMsgTopic belongs to another AWS account in the same region.
The JSON of the access policy configured on the above SNS topic is:
{
    "Version": "2008-10-17",
    "Id": "__default_policy_ID",
    "Statement": [
        {
            "Sid": "__default_statement_ID",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "SNS:Publish",
                "SNS:RemovePermission",
                "SNS:SetTopicAttributes",
                "SNS:DeleteTopic",
                "SNS:ListSubscriptionsByTopic",
                "SNS:GetTopicAttributes",
                "SNS:Receive",
                "SNS:AddPermission",
                "SNS:Subscribe"
            ],
            "Resource": "arn:aws:sns:ap-southeast-1:604970532282:PublishSourceMsgTopic",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceOwner": "604970532282"
                }
            }
        },
        {
            "Sid": "__console_pub_0",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::148445556582:root"
            },
            "Action": "SNS:Publish",
            "Resource": "arn:aws:sns:ap-southeast-1:604970532282:PublishSourceMsgTopic"
        }
    ]
}
When I invoke the API Gateway, it shows the following error:
User: arn:aws:sts::148445556582:assumed-role/api_gateway_sns_role/BackplaneAssumeRoleSession is not authorized to perform: SNS:Publish on resource: arn:aws:sns:ap-southeast-1:604970532282:PublishSourceMsgTopic
If I provide an SNS topic configured in my own AWS account, I am able to invoke SNS successfully.
What am I missing here?
You are granting the root owner of the external account permission to publish on the topic, but the actual publish request is being made with the API Gateway's role.
So in your access policy you need to grant publish permission to the role that API Gateway is using, rather than to the root.
Usually what you do is set "Principal": "*" and then add a condition under the resource in the policy to match the account and ARN of the resource that accesses SNS from the other account.
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "SNS:Publish",
        "Resource": "arn:aws:sns:us-east-2:444455556666:MyTopic",
        "Condition": {
            "ArnLike": {
                "aws:SourceArn": "arn:aws:cloudwatch:us-east-2:111122223333:alarm:MyAlarm"
            }
        }
    }]
}
Here are a few sample access policies that should help you.
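As an added example (not from the question or the answer), here is a complete topic policy for the 604970532282 account that names the exact role from the error message as the principal instead of the account root. The role ARN arn:aws:iam::148445556582:role/api_gateway_sns_role is derived from the assumed-role ARN in the error; the owner-only default statement from the question is kept unchanged.

```json
{
    "Version": "2012-10-17",
    "Id": "__default_policy_ID",
    "Statement": [
        {
            "Sid": "__default_statement_ID",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "SNS:Publish",
                "SNS:RemovePermission",
                "SNS:SetTopicAttributes",
                "SNS:DeleteTopic",
                "SNS:ListSubscriptionsByTopic",
                "SNS:GetTopicAttributes",
                "SNS:Receive",
                "SNS:AddPermission",
                "SNS:Subscribe"
            ],
            "Resource": "arn:aws:sns:ap-southeast-1:604970532282:PublishSourceMsgTopic",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceOwner": "604970532282"
                }
            }
        },
        {
            "Sid": "AllowApiGatewayRoleToPublish",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::148445556582:role/api_gateway_sns_role"
            },
            "Action": "SNS:Publish",
            "Resource": "arn:aws:sns:ap-southeast-1:604970532282:PublishSourceMsgTopic"
        }
    ]
}
```

A "*" principal with an aws:SourceArn condition, as in the answer's sample, is the pattern for AWS services such as CloudWatch publishing to a topic; for an IAM role in another account, naming the role ARN as the principal keeps the grant narrow, and the role's own identity policy (the one shown in the question) must still allow sns:Publish on the topic.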