如何解决为什么此SQSQueuePolicy无法在AWS CloudFormation中创建?
我创建了以下CloudFormation模板:
AWSTemplateFormatVersion: 2010-09-09
Description: Creates all resources necessary to send SES emails & track bounces/complaints through AWS
Resources:
IAMUser:
Type: 'AWS::IAM::User'
Properties:
UserName: iam-ses-sqs
SQSQueue:
Type: 'AWS::SQS::Queue'
Properties:
QueueName: ses-queue
SNSTopic:
Type: 'AWS::SNS::Topic'
Properties:
TopicName: sns-notifications
IAMUserPolicy:
Type: 'AWS::IAM::Policy'
Properties:
PolicyName: IAM_Send_SES_Email
PolicyDocument:
Statement:
- Effect: Allow
Action:
- 'SES:SendEmail'
- 'SES:SendRawEmail'
Resource: 'arn:aws:ses:*:*:identity/*'
Users:
- !Ref IAMUser
SQSQueuePolicy:
Type: 'AWS::SQS::QueuePolicy'
Properties:
Queues:
- !Ref SQSQueue
PolicyDocument:
Statement:
- Action:
- 'SQS:ReceiveMessage'
- 'SQS:DeleteMessage'
- 'SQS:GetQueueAttributes'
Effect: Allow
Resource: !Ref SQSQueue
Principal:
AWS:
- !Ref IAMUser
SNSTopicSubscription:
Type: 'AWS::SNS::Subscription'
Properties:
Protocol: SQS
Endpoint: !GetAtt
- SQSQueue
- Arn
TopicArn: !Ref SNSTopic
我想允许IAMUser对SQSQueue资源执行SQS ReceiveMessage,DeleteMessage和GetQueueAttributes操作。 SQSQueue还应该订阅SNSTopic。
在CloudFormation中使用此模板创建堆栈时,SQSQueue,SNSTopic,SNSTopicSubscription,IAMUser和IAMUserPolicy都可以毫无问题地按该顺序创建。但是,SQSQueuePolicy无法创建并生成错误消息:
Invalid value for the parameter Policy. (Service: AmazonSQS; Status Code: 400; Error Code: InvalidAttributeValue; Request ID: {request id})
为什么会失败,以及如何修改模板以确保成功创建所有资源及其关联的策略/预订?
解决方法
以下内容将返回队列URL ,而不是ARN:
Resource: !Ref SQSQueue
但是您需要在策略中使用队列ARN :
Resource: !GetAtt SQSQueue.Arn
,
我在您的CloudFormation模板中发现了两个问题。
第一个,如Marcin所说,资源引用必须是队列ARN,而不是队列URL。
Resource: !GetAtt SQSQueue.Arn
第二个是您的AWS参考与您的IAM用户一起使用,但必须是账户ID。
Principal:
AWS:
- !Ref 'AWS::AccountId'
也就是说,我能够使用此CloudFormation模板在帐户中成功创建CloudFormation堆栈:
AWSTemplateFormatVersion: 2010-09-09
Description: Creates all resources necessary to send SES emails & track bounces/complaints through AWS
Resources:
IAMUser:
Type: 'AWS::IAM::User'
Properties:
UserName: iam-ses-sqs
SQSQueue:
Type: 'AWS::SQS::Queue'
Properties:
QueueName: ses-queue
SQSQueuePolicy:
Type: 'AWS::SQS::QueuePolicy'
Properties:
Queues:
- !Ref SQSQueue
PolicyDocument:
Statement:
- Action:
- 'SQS:ReceiveMessage'
- 'SQS:DeleteMessage'
- 'SQS:GetQueueAttributes'
Effect: Allow
Resource: !GetAtt SQSQueue.Arn
Principal:
AWS:
- !Ref 'AWS::AccountId'
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。