堆棧內存溢出
  簡體   English   中英

AWS SQS - SpringBoot - 403 禁止

[英]AWS SQS - SpringBoot - 403 Forbidden

 原文  2022-07-22 20:35:34       java/ amazon-web-services/ spring-boot/ amazon-sqs/ amazon-eks

問題描述

我正在嘗試從部署在 AWS/eks 上的 SpringBoot 應用程序訪問 AWS SQS 列表,但我收到 403 Forbidden 作為錯誤。

我是否必須添加特定於 AWS SQS 訪問策略的內容才能授予作為生產者/消費者的客戶端訪問權限?

到目前為止,我並沒有嘗試進入隊列,我只想查看隊列列表。

提前致謝

pom.xml

...
<dependency>
    <groupId>com.amazonaws</groupId>
    <artifactId>aws-java-sdk-sqs</artifactId>
</dependency>

AwsSqsController.java

...
public ResponseEntity<ListQueuesResult> readQueueList() {
    AmazonSQS sqs = AmazonSQSClientBuilder.defaultClient();
    ListQueuesResult listOfQueues = sqs.listQueues();
    log.info("List of Queues: {}", listOfQueues);
    return ResponseEntity.ok(listOfQueues);
}

AWS SQS 訪問策略

 { "Version": "2012-10-17", "Id": "HCDQueuePolicy", "Statement": [ { "Sid": "AlwaysEncrypted", "Effect": "Deny", "Principal": { "AWS": "*" }, "Action": "sqs:*", "Resource": "arn:aws:sqs:us-east-1:X:queue-name", "Condition": { "Bool": { "aws:SecureTransport": "false" } } }, { "Sid": "DenyAppOperatorEngineer", "Effect": "Deny", "Principal": { "AWS": "arn:aws:iam::X:role/role-name" }, "Action": "sqs:SetQueueAttributes", "Resource": "arn:aws:sqs:us-east-1:X:queue-name" }, { "Sid": "AlwaysSameOrg", "Effect": "Deny", "Principal": { "AWS": "*" }, "Action": "sqs:*", "Resource": "arn:aws:sqs:us-east-1:X:queue-name", "Condition": { "Bool": { "aws:PrincipalIsAWSService": "false" }, "StringNotEquals": { "aws:PrincipalOrgID": "00000000000" } } }, { "Sid": "QueueProducerAccess", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::X:role/role-name" }, "Action": "sqs:SendMessage", "Resource": "arn:aws:sqs:us-east-1:X:queue-name", "Condition": { "StringEquals": { "aws:sourceVpce": "vpce-X00000" } } }, { "Sid": "QueueConsumerAccessViaVpcEndpoint", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::X:role/role-name" }, "Action": [ "sqs:ReceiveMessage", "sqs:GetQueueAttributes", "sqs:DeleteMessage" ], "Resource": "arn:aws:sqs:us-east-1:X:queue-name", "Condition": { "StringEquals": { "aws:sourceVpce": "vpce-X00000" } } }, { "Sid": "QueueConsumerAccessNotViaVpcEndpoint", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::X:role/role-name" }, "Action": [ "sqs:ReceiveMessage", "sqs:GetQueueAttributes", "sqs:DeleteMessage" ], "Resource": "arn:aws:sqs:us-east-1:X:queue-name" }, { "Sid": "QueueAdminAccess", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::X:role/role-name" }, "Action": "sqs:PurgeQueue", "Resource": "arn:aws:sqs:us-east-1:X:queue-name" }, { "Sid": "Allow S3 notifications", "Effect": "Allow", "Principal": { "Service": "s3.amazonaws.com" }, "Action": "sqs:SendMessage", "Resource": "arn:aws:sqs:us-east-1:X:queue-name", "Condition": { "StringEquals": { "aws:SourceAccount": "X" } } } ] }

1 個解決方案

解決方案1
 0  2022-07-22 21:31:42

這是我見過的最大的 sqs 政策 :D 這是由某個框架自動生成的 :) 嗎?

是的,您必須明確允許從隊列中讀取。

如果我沒記錯的話,那就是

    "sqs:ReceiveMessage",
    "sqs:GetQueueAttributes",
    "sqs:DeleteMessage" Actions

您在 2 個地方擁有它,所以首先我會檢查是否滿足這些操作的條件。

如果您可以控制該政策,我會:

  1. 復制它
  2. 慢慢刪除安全,直到你可以連接
  3. 找出您最初無法連接的原因(必須打自己的額頭:)
  4. 添加已刪除的安全性

暫無
暫無

聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.

相關問題 嘗試使用 AWS SDK 從 Java 應用程序連接 SQS 時出現 403 禁止錯誤 單元測試Springboot MockMvc返回403 Forbidden Springboot單元測試MockMvc返回403 Forbidden 從 WebApp 調用時 Springboot 403 被禁止 Springboot Junit 測試期望 200 但禁止獲得 403 AWS S3 Java:d​​osObjectExist結果為403:禁止 Hibernate 使用 AWS OpenSearch 搜索:10 分鍾后 403 禁止訪問 使用AWS開發工具包從AWS Elastic Search獲取索引時出現403禁止錯誤 禁止進入403 Postman 403 禁止消息
相關標簽
 
粵ICP備18138465號  © 2020-2024 STACKOOM.COM