
I am trying to create an SNS topic and publish a message from a Lambda, but I get an authorization error when I try to do so.

Service: AmazonSNS; Status Code: 403; Error Code: AuthorizationError

Full exception:

com.amazonaws.services.sns.model.AuthorizationErrorException: User: arn:aws:sts::166916908689:assumed-role/AWSLambdaVPCAccessExecutionRole/lambda-event-common-test is not authorized to perform: SNS:Publish on resource: arn:aws:sns:eu-west-1:166916908689:events (Service: AmazonSNS; Status Code: 403; Error Code: AuthorizationError; Request ID: 9266e536-baa4-55d1-b277-b766f5536b70)

My SAM template looks like this:

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Resources:
  EventListenFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: event.lambda.EventHandler::handleRequest
      Role: !Sub arn:aws:iam::${AWS::AccountId}:role/AWSLambdaVPCAccessExecutionRole
      FunctionName: lambda-event-$ENVNAME
      Runtime: java8
      VpcConfig:
        SecurityGroupIds:
          - !ImportValue LambdaVPCSecurityGroup
        SubnetIds:
          - !ImportValue VsolPublicSubnetAz1
          - !ImportValue VsolPublicSubnetAz2
      Environment:
        Variables:
          SNS_TOPIC_ARN: !Ref Topic
      Events:
        GetResource:
          Type: Api
          Properties:
            Path: /event/{Id}
            Method: post
      Policies:
        Statement:
          - Effect: Allow
            Action: sns:Publish
            Resource: !Ref Topic
  Topic:
    Type: "AWS::SNS::Topic"
    Properties:
      DisplayName: "events"
      TopicName: "events"

Sending the SNS notification:

// AWS SDK for Java v1; the client picks up credentials from the Lambda execution role
private AmazonSNS snsClient = AmazonSNSClientBuilder.defaultClient();

// Publish to the topic whose ARN the SAM template injects as an environment variable
snsClient.publish(new PublishRequest(System.getenv("SNS_TOPIC_ARN"), "Test"));

I can allow any user to publish to the SNS topic using the console. I am looking for a way to do this with the SAM template.

Thanks


1 Answer


As you can see from this list

http://docs.aws.amazon.com/IAM/latest/UserGuide/list_sns.html

there are many more options available for SNS IAM permissions besides "sns:Publish".

You didn't show your Lambda code, but I'd guess you need "sns:CreateTopic".

If that doesn't work, allow "sns:*", then look in CloudTrail at what it is calling, and then reduce the permissions to the minimum required.

Update: I haven't used the SAM template format, so I checked the docs. There is no example of declaring a new policy inline the way you seem to be doing, but there are examples of using existing IAM policies.

So where you have

  Policies:
    Statement:
      - Effect: Allow
        Action: sns:Publish
        Resource: !Ref Topic

try

 Policies: AmazonSNSFullAccess
answered 2017-10-04T12:05:54.963
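A least-privilege alternative to the AmazonSNSFullAccess suggestion above, added here as an example and not taken from either post. It assumes the hand-managed AWSLambdaVPCAccessExecutionRole role is dropped from the function: the SAM specification states that the Policies property is ignored when Role is set, which is why the inline statement in the question's template never reached the role the function actually runs as. Without Role, SAM generates the execution role itself and attaches everything listed under Policies to it. The FunctionName with its $ENVNAME placeholder is left out so the template deploys as written.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Resources:
  EventListenFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: event.lambda.EventHandler::handleRequest
      Runtime: java8
      # No explicit Role here: with Role set, SAM ignores Policies entirely.
      VpcConfig:
        SecurityGroupIds:
          - !ImportValue LambdaVPCSecurityGroup
        SubnetIds:
          - !ImportValue VsolPublicSubnetAz1
          - !ImportValue VsolPublicSubnetAz2
      Environment:
        Variables:
          SNS_TOPIC_ARN: !Ref Topic
      Events:
        GetResource:
          Type: Api
          Properties:
            Path: /event/{Id}
            Method: post
      Policies:
        # AWS managed policy giving the ENI permissions a VPC-attached
        # function needs (what the hand-made role provided before).
        - AWSLambdaVPCAccessExecutionRole
        # Inline statement scoped to this one topic: Publish only, nothing
        # else in the sns:* namespace, and no other topics in the account.
        - Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action: sns:Publish
              Resource: !Ref Topic
  Topic:
    Type: AWS::SNS::Topic
    Properties:
      DisplayName: events
      TopicName: events
```

The inline statement can be replaced by SAM's SNSPublishMessagePolicy policy template (`- SNSPublishMessagePolicy: { TopicName: !GetAtt Topic.TopicName }`), which expands to the same single-topic Publish grant. Either way the execution role ends up with exactly the one SNS action the code calls, so the AuthorizationError goes away without granting topic creation, deletion or subscription management to the function.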