问题描述
我正在尝试将SQS作为源/触发器添加到lambda.如果两个组件都位于同一个帐户中,我可以做到这一点.当我将触发器添加到lambda时,lambda触发器配置将复制到SQS队列中以将两者配对.
I'm trying to add an SQS as a source/trigger to a lambda. I can do this just fine if both components reside within the same account. When I add the trigger to the lambda, the lambda trigger configuration replicates over to the SQS queue to pair the two.
当我在另一个帐户中远程访问SQS时,在我的lambda上尝试相同的操作时,会建立Lambda触发器,但是在查看远程SQS时,不会显示已配置的触发器.将消息添加到队列时,这似乎导致触发器在lambda上不起作用.远程队列上的SQS策略还向其他帐户明确授予了权限.
When I try this same thing on my lambda when the SQS is remote in a different account the Lambda trigger is established, but when viewing the remote SQS it doesn't show a trigger configured. This seems to result in the trigger not working on the lambda when a message is added to the queue. The SQS policy on the remote queue is also giving permissions explicitly to the other account as well.
有什么想法吗?
推荐答案
场景:
- 帐户A中的Amazon SQS队列
- 帐户B中的AWS Lambda函数
- 目标:SQS触发Lambda函数
由于这涉及跨帐户访问,因此您将需要授予Lambda函数用于访问SQS队列的IAM角色的权限.(从队列中拉出Lambda ,而不是从SQS 推入Lambda.)
Since this involves cross-account access, you will need to grant permissions for the IAM Role used by the Lambda function to access the SQS queue. (Lambda pulls from the queue, rather than SQS pushing to Lambda.)
步骤是:
- 在SQS队列中,编辑访问策略以包括对Lambda函数使用的IAM角色的许可:
- In the SQS queue, edit the Access Policy to include permission for the IAM Role used by the Lambda function:
{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT-1:root"
},
"Action": "SQS:*",
"Resource": "arn:aws:sqs:ap-southeast-2:ACCOUNT-1:queue-name"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT-2:role/lambda-role-name"
},
"Action": [
"SQS:ChangeMessageVisibility",
"SQS:DeleteMessage",
"SQS:ReceiveMessage",
"SQS:GetQueueAttributes"
],
"Resource": "arn:aws:sqs:ap-southeast-2:ACCOUNT-1:queue-name"
}
]
}
此策略的第一部分由SQS自动创建,并允许拥有的帐户使用队列.第二部分允许帐户2的IAM角色访问帐户1中的队列.当我创建队列并提供IAM角色的ARN时,该策略由SQS自动创建.但是,我必须添加 SQS:GetQueueAttributes
,因为Lambda函数也会调用它.
The first part of this policy is automatically created by SQS and allows the owning account to use the queue. The second part allows the IAM Role from Account-2 to access the queue in Account-1. The policy was created automatically by SQS when I created the queue and provided the ARN of the IAM Role. However, I had to add SQS:GetQueueAttributes
because the Lambda function calls it too.
- 在Account-B的AWS Lambda函数中,单击 +触发器,选择 SQS ,然后从Account-A输入SQS队列的ARN
- In the AWS Lambda function in Account-B, click + Trigger, select SQS and enter the ARN of the SQS queue from Account-A
我尝试了所有这些操作,并成功地在帐户B中的SQS中添加了一条消息,然后看到Lambda在帐户B中对其进行了处理.
I tried all this and was successfully able to put a message in SQS in Account-B, and then saw Lambda process it in Account-B.
这篇关于Lambda触发器不会跨帐户复制到SQS源的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!