I am trying to create an SNS topic and publish a message to it from a Lambda. But when I try to do so I get an authorization error.
Service: AmazonSNS; Status Code: 403; Error Code: AuthorizationError
Full exception
com.amazonaws.services.sns.model.AuthorizationErrorException: User: arn:aws:sts::166916908689:assumed-role/AWSLambdaVPCAccessExecutionRole/lambda-event-common-test is not authorized to perform: SNS:Publish on resource: arn:aws:sns:eu-west-1:166916908689:events (Service: AmazonSNS; Status Code: 403; Error Code: AuthorizationError; Request ID: 9266e536-baa4-55d1-b277-b766f5536b70)
My SAM template looks like
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Resources:
  EventListenFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: event.lambda.EventHandler::handleRequest
      Role: !Sub arn:aws:iam::${AWS::AccountId}:role/AWSLambdaVPCAccessExecutionRole
      FunctionName: lambda-event-$ENVNAME
      Runtime: java8
      VpcConfig:
        SecurityGroupIds:
          - !ImportValue LambdaVPCSecurityGroup
        SubnetIds:
          - !ImportValue VsolPublicSubnetAz1
          - !ImportValue VsolPublicSubnetAz2
      Environment:
        Variables:
          SNS_TOPIC_ARN: !Ref Topic
      Events:
        GetResource:
          Type: Api
          Properties:
            Path: /event/{Id}
            Method: post
      Policies:
        Statement:
          - Effect: Allow
            Action: sns:Publish
            Resource: !Ref Topic
  Topic:
    Type: "AWS::SNS::Topic"
    Properties:
      DisplayName: "events"
      TopicName: "events"
Sending the SNS notification
import com.amazonaws.services.sns.AmazonSNS;
import com.amazonaws.services.sns.AmazonSNSClientBuilder;
import com.amazonaws.services.sns.model.PublishRequest;
// Region and credentials are picked up from the Lambda execution environment.
private final AmazonSNS snsClient = AmazonSNSClientBuilder.standard().build();
snsClient.publish(new PublishRequest(System.getenv("SNS_TOPIC_ARN"), "Test"));
It is possible to allow any user to publish to the SNS topic using the console. I am looking for a way to do this with the SAM template.
Thanks
As you can see from this list
http://docs.aws.amazon.com/iam/latest/userguide/listrongns.html
there are many more options for SNS IAM permissions than just "SNS:Publish".
You don't show your lambda code, but I imagine you need "SNS:<action name garbled in the source>".
If that doesn't work, allow "sns:*", then look in CloudTrail at what was actually called, and reduce the permissions to the minimum required.
Update: I haven't used the SAM template format, so I checked the docs. There is no example of declaring a new policy the way you seem to be doing, but there are examples of using existing IAM policies.
So where you have
Policies:
  Statement:
    - Effect: Allow
      Action: sns:Publish
      Resource: !Ref Topic
try
Policies: AmazonSNSFullAccess