IAM permission error when confirming a subscription



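I have an application that I am trying to move to a new k8s cluster, and I am running into a permissions problem when it tries to confirm a subscription: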

"sns confirmation failed. Reason: AuthorizationError: User: arn:aws:sts::-:assumed-role/-/- is not authorized to perform: 
SNS:ConfirmSubscription on resource: arn:aws:sns:-:-:topicname
status code: 403, request id: 000d2844-3a3d-5544-922a-7d9e3db07a16"

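The application was able to confirm subscriptions in the old cluster, so I assume this is an IAM problem, but the policy of the role it assumes is: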

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "sns:ConfirmSubscription",
                "sns:Subscribe"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:sns:::*"
            ]
        }
    ]
}

I can't diagnose what the IAM problem is.

I was able to get it working by fully qualifying the SNS topic I want to confirm the subscription for:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "sns:ConfirmSubscription",
                "sns:Subscribe"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:sns:us-east-1:000000000:full-topic-name-no-wildcard"
            ]
        }
    ]
}
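
An added example (not part of the original post): a simplified Python model of how a policy's Resource pattern is compared with the topic ARN, showing that `arn:aws:sns:::*` cannot match a topic whose ARN carries a region and an account ID. It assumes plain `*`/`?` string wildcards and ignores Deny statements, conditions and the topic's own access policy; the function names and the `SCOPED` policy are constructed for illustration.

```python
import re

# Topic ARN taken from the post's working policy.
TOPIC = "arn:aws:sns:us-east-1:000000000:full-topic-name-no-wildcard"

def glob_match(pattern, value, ignore_case=False):
    """IAM-style wildcards: '*' is any run of characters, '?' is exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def as_list(v):
    return v if isinstance(v, list) else [v]

def explain(policy, action, arn):
    """For every Allow statement naming `action`, report (resource, matched)."""
    out = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        # Action names are compared case-insensitively (SNS: vs sns:).
        if not any(glob_match(a, action, ignore_case=True) for a in actions):
            continue
        out += [(r, glob_match(r, arn)) for r in as_list(stmt.get("Resource", []))]
    return out

def is_allowed(policy, action, arn):
    return any(matched for _, matched in explain(policy, action, arn))

def sns_policy(resource):
    """Build the post's policy with the given Resource string."""
    return {"Version": "2012-10-17", "Statement": [{
        "Action": ["sns:ConfirmSubscription", "sns:Subscribe"],
        "Effect": "Allow", "Resource": [resource]}]}

ORIGINAL = sns_policy("arn:aws:sns:::*")  # region and account segments are empty
FIXED = sns_policy(TOPIC)                 # fully qualified, as in the post
# Constructed variant: same region and account, wildcard on the topic name only.
SCOPED = sns_policy("arn:aws:sns:us-east-1:000000000:*")

if __name__ == "__main__":
    for name, pol in [("original", ORIGINAL), ("fixed", FIXED), ("scoped", SCOPED)]:
        print(name, explain(pol, "SNS:ConfirmSubscription", TOPIC))
```

The empty region and account segments in the first policy are literal, so the pattern requires `arn:aws:sns:::` as a prefix and a real topic ARN never has it.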
