[英]Error while doing AWS Lambda Cross Account integration with AWS SNS
[英]Cross Account SNS Subscribe to Lambda in second account
我已使用以下 SNS 主題策略在 Lambda 中訂閱此 SNS,帳號為 222222222222。我還授予了對我的 lambda 的訪問權限,並使用類似的策略將其添加到 Lambda 的執行角色中。
得到以下錯誤:
創建觸發器時發生錯誤:用戶:arn:aws:sts::222222222222:assumed-role/TSI_Base_FullAccess/AXXXXXXXX is notauthorized to perform: SNS:Subscribe on resource: arn:aws:sns:eu-west-1: 111111111111:Story-5555(服務:AmazonSNS;狀態碼:403;錯誤碼:AuthorizationError;請求ID:1321942c-25c4-52a1-bacb-c2e9bd641067)
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1582008007178",
"Action": [
"sns:GetSubscriptionAttributes",
"sns:GetTopicAttributes",
"sns:ListSubscriptions",
"sns:ListSubscriptionsByTopic",
"sns:ListTagsForResource",
"sns:ListTopics",
"sns:Publish",
"sns:Subscribe"
],
"Effect": "Allow",
"Resource": "arn:aws:sns:eu-west-1:111111111111:Story-5555",
"Condition": {
"ArnEquals": {
"aws:PrincipalArn": "arn:aws:lambda:eu-west-1:222222222222:function:New_Cross_SNS"
}
}
}
]
}
根據AWS 文檔,您應該在條件之外指定原則。
所以你的政策應該類似於
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1582008007178",
"Action": [
"sns:GetSubscriptionAttributes",
"sns:GetTopicAttributes",
"sns:ListSubscriptions",
"sns:ListSubscriptionsByTopic",
"sns:ListTagsForResource",
"sns:ListTopics",
"sns:Publish",
"sns:Subscribe"
],
"Effect": "Allow",
"Resource": "arn:aws:sns:eu-west-1:111111111111:Story-5555",
"Principal": {
"AWS": ["222222222222"]
},
"Condition": {
"ArnEquals": {
"aws:PrincipalArn": [
"arn:aws:lambda:eu-west-1:222222222222:function:New_Cross_SNS",
"arn:aws:sts::222222222222:assumed-role:TSI_Base_FullAccess:AXXXXXXXX"
]
}
}
}
]
}
確定在策略的條件部分指定哪個 ARN 的方法是從您的函數調用(並打印) get-caller-identity API。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.