Problem description

There are many references to this error, but,
Below is the execution role created for the lambda (AWS::Serverless::Function):
  {
    "permissionsBoundary": {
      "permissionsBoundaryArn": "arn:aws:iam::111222333444:policy/some-permission-boundary",
      "permissionsBoundaryType": "Policy"
    },
    "roleName": "some-role-WebhookSampleFunctionRol-6Z7GFHJYHO0T",
    "policies": [
      {
        "document": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
              ],
              "Resource": "*"
            }
          ]
        },
        "name": "AWSLambdaBasicExecutionRole",
        "id": "ANDDDDDC42545SKXIK",
        "type": "managed",
        "arn": "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
      }
    ],
    "trustedEntities": [
      "lambda.amazonaws.com"
    ]
  }
where some-permission-boundary is:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [
          "logs:CreateLogGroup",
          "logs:CreateLogStream",
          "logs:PutLogEvents"
        ],
        "Resource": [
          "arn:aws:logs:us-east-1:111222333444:log-group:*"
        ],
        "Effect": "Allow"
      },
      {
        "Action": [
          "sqs:*"
        ],
        "Resource": [
          "arn:aws:sqs:us-east-1:*:*"
        ],
        "Effect": "Allow"
      }
    ]
  }
The lambda performs the operation below:
  const AWS = require('aws-sdk'); // AWS SDK for JavaScript v2
  const sqs = new AWS.SQS();

  // Send one message to the queue whose URL is in the queueUrl environment
  // variable, wrapping the callback-style SDK call in a Promise.
  async function sendToQueue(message) {
    const params = {
      MessageBody: JSON.stringify(message),
      QueueUrl: process.env.queueUrl
    };
    return new Promise((resolve, reject) =>
      sqs.sendMessage(params, (error, data) => error ? reject(error) : resolve())
    );
  }
which gives the error:

  "errorMessage": "Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied.",
  "errorType": "AccessDenied",
We for some-permission-boundary

Why is the lambda not able to send a message to the queue?
Recommended answer

A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity.

An entity's permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.

Source: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
You do include sqs:* in your permission boundary, but you did not include any SQS-related action in your lambda execution role's policy.

You should attach a policy with SQS permissions to your lambda execution role:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [
          "sqs:*"
        ],
        "Resource": [
          "arn:aws:sqs:us-east-1:*:*"
        ],
        "Effect": "Allow"
      }
    ]
  }
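To make the "both policies must allow it" rule concrete, here is an added example (not part of the question or the answer) that evaluates a simplified model of IAM: a request is allowed only if the identity-based policy and the permissions boundary each allow it. The two policies are taken from the question, the SQS statement from the answer, and the queue ARN is a constructed placeholder; conditions and NotAction/NotResource are not modeled.

```python
import fnmatch

# Constructed from the question: the role's identity policy (the
# AWSLambdaBasicExecutionRole statement) and the permission boundary.
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]}]}

BOUNDARY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": ["arn:aws:logs:us-east-1:111222333444:log-group:*"]},
    {"Effect": "Allow", "Action": ["sqs:*"],
     "Resource": ["arn:aws:sqs:us-east-1:*:*"]}]}

# The statement the answer says to attach to the execution role.
SQS_FIX = {"Effect": "Allow", "Action": ["sqs:*"],
           "Resource": ["arn:aws:sqs:us-east-1:*:*"]}

# Hypothetical queue ARN, constructed for this example.
QUEUE_ARN = "arn:aws:sqs:us-east-1:111222333444:webhook-queue"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def policy_allows(policy, action, resource):
    """Simplified evaluation of one policy: explicit Deny wins, otherwise any
    matching Allow grants. Conditions and NotAction/NotResource are not modeled."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
                and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def effective_allow(identity_policy, boundary_policy, action, resource):
    """With a boundary, a request is allowed only if BOTH the identity-based
    policy AND the boundary allow it (the intersection the answer describes)."""
    return (policy_allows(identity_policy, action, resource)
            and policy_allows(boundary_policy, action, resource))

def fixed_identity_policy():
    """The role policy after attaching the answer's SQS statement."""
    return {"Version": "2012-10-17",
            "Statement": IDENTITY_POLICY["Statement"] + [SQS_FIX]}
```

Running effective_allow with the original role policy and sqs:SendMessage returns False even though the boundary allows SQS; with fixed_identity_policy() it returns True.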