I am writing a Python application that pulls data from account A and sends it to an SQS queue in account B. When the Lambda function runs it returns the following error:

    "errorMessage": "An error occurred (AccessDenied) when calling the SendMessage operation: Access to the resource https://eu-central-1.queue.amazonaws.com/ is denied."

It works if I use an SQS queue in the same account.

I am using the Serverless Framework, and I need to use an External ID with the cross-account role.

What I have done so far:

In account A (where the Lambda function runs):

The function below is deployed with the Serverless Framework.
    TotalCollectorWeekToDate:
      handler: environment.total_wtd_summary_handler
      module: collectors
      memorySize: 128
      role: arn:aws:iam::<ACCOUNT_A>:role/FunctionsLambdaRole
      timeout: 30
      events:
        - schedule:
            rate: cron(0 7 * * ? *)
            enabled: true
      environment:
        COST_DATA_SQS_QUEUE_URL: https://sqs.eu-central-1.amazonaws.com/<ACCOUNT_B>/prod-analyser-queue
Role
    Resources:
      FunctionsLambdaRole:
        Type: AWS::IAM::Role
        Properties:
          RoleName: FunctionsLambdaRole
          AssumeRolePolicyDocument:
            Statement:
              - Effect: Allow
                Principal:
                  Service:
                    - lambda.amazonaws.com
                Action: "sts:AssumeRole"
          Path: /
          ManagedPolicyArns:
            - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
          Policies:
            - PolicyName: logs
              PolicyDocument:
                Statement:
                  Effect: Allow
                  Action:
                    - "logs:CreateLogGroup"
                    - "logs:CreateLogStream"
                    - "logs:PutLogEvents"
                  Resource: "arn:aws:logs:*:*:*"
            - PolicyName: lambda
              PolicyDocument:
                Statement:
                  Effect: Allow
                  Action:
                    - "lambda:InvokeFunction"
                  Resource: "*"
            - PolicyName: VPCAccess
              PolicyDocument:
                Statement:
                  Effect: Allow
                  Action:
                    - "ec2:CreateNetworkInterface"
                    - "ec2:DescribeNetworkInterfaces"
                    - "ec2:DeleteNetworkInterface"
                  Resource: "*"
            - PolicyName: CostExplorerAccess
              PolicyDocument:
                Statement:
                  Effect: Allow
                  Action:
                    - "ce:*"
                  Resource: "*"
            - PolicyName: AssumeCostAnalyserDelegatedAccessRole
              PolicyDocument:
                Statement:
                  Effect: Allow
                  Action:
                    - "sts:AssumeRole"
                  Resource: "arn:aws:iam::<ACCOUNT_B>:role/DelegatedAccessRole"
In account B (where the SQS queue lives):

Role
    Resources:
      DelegatedAccessPolicy:
        Type: 'AWS::IAM::ManagedPolicy'
        Properties:
          ManagedPolicyName: DelegatedAccessPolicy
          Path: /
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - sqs:SendMessage
                  - sqs:GetQueueAttributes
                  - sqs:GetQueueUrl
                  - sqs:ListQueues
                Resource: arn:aws:sqs:eu-central-1:<ACCOUNT_B>:prod-analyser-queue
      DelegatedAccessRole:
        Type: AWS::IAM::Role
        DeletionPolicy: Delete
        Properties:
          RoleName: DelegatedAccessRole
          Path: "/"
          AssumeRolePolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Principal:
                  AWS: !Ref TrustedEntities
                Action: sts:AssumeRole
                Condition:
                  StringEquals:
                    sts:ExternalId: !Ref ExternalId
          ManagedPolicyArns:
            - { "Fn::GetAtt" : ["DelegatedAccessPolicy", "Arn"]}
SQS
      DataPushQueue:
        Type: AWS::SQS::Queue
        Properties:
          QueueName: prod-analyser-queue
          DelaySeconds: 5
          MaximumMessageSize: 262144
          MessageRetentionPeriod: 345600
          VisibilityTimeout: 600
      DataPushQueuePolicy:
        Type: AWS::SQS::QueuePolicy
        Properties:
          PolicyDocument:
            Statement:
              - Effect: Allow
                Principal:
                  AWS:
                    - arn:aws:iam::<ACCOUNT_B>:role/DelegatedAccessRole
                Action:
                  - sqs:SendMessage
                  - sqs:DeleteMessage
                  - sqs:GetQueueAttributes
                  - sqs:GetQueueUrl
                  - sqs:ListQueues
                  - sqs:ReceiveMessage
                  - sqs:SetQueueAttributes
                Resource: { "Fn::GetAtt" : ["DataPushQueue", "Arn"]}
          Queues:
            - !Ref DataPushQueue
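With the role-based setup in the question, the function code has to perform the AssumeRole itself, passing the external ID that the trust policy's sts:ExternalId condition requires, and then build its SQS client from the returned temporary credentials; a client that runs as FunctionsLambdaRole (the default inside a Lambda) is neither granted sqs:SendMessage in account A nor listed in account B's queue policy, so it is denied. The following is an added example of that flow, not the asker's code: the environment variable names DELEGATED_ROLE_ARN and DELEGATED_EXTERNAL_ID and the session name are assumptions, and boto3 is assumed to be available in the Lambda runtime.

```python
import os
from urllib.parse import urlparse


def region_from_queue_url(queue_url: str) -> str:
    """Region from sqs.<region>.amazonaws.com/... or the legacy
    <region>.queue.amazonaws.com/... form seen in the error message."""
    parts = urlparse(queue_url).netloc.split(".")
    if len(parts) >= 4 and parts[0] == "sqs":
        return parts[1]
    if len(parts) >= 4 and parts[1] == "queue":
        return parts[0]
    raise ValueError(f"not an SQS queue URL: {queue_url}")


def assume_delegated_role(sts, role_arn: str, external_id: str) -> dict:
    """Swap the function's own credentials for DelegatedAccessRole's.
    ExternalId must equal the sts:ExternalId value in the role's trust policy
    (the confused-deputy check); STS denies AssumeRole without it."""
    resp = sts.assume_role(
        RoleArn=role_arn,
        RoleSessionName="cost-collector",  # assumed name; shows up in CloudTrail
        ExternalId=external_id,
        DurationSeconds=900,  # the minimum; one scheduled run needs no more
    )
    c = resp["Credentials"]
    return {
        "aws_access_key_id": c["AccessKeyId"],
        "aws_secret_access_key": c["SecretAccessKey"],
        "aws_session_token": c["SessionToken"],
    }


def send_as_role(sqs, queue_url: str, body: str) -> str:
    """Send one message with a client built from the assumed-role credentials."""
    return sqs.send_message(QueueUrl=queue_url, MessageBody=body)["MessageId"]


def handler(event, context):
    import boto3  # imported here so the helpers above run without boto3 installed
    queue_url = os.environ["COST_DATA_SQS_QUEUE_URL"]
    creds = assume_delegated_role(
        boto3.client("sts"),
        os.environ["DELEGATED_ROLE_ARN"],     # assumed env var: arn:aws:iam::<ACCOUNT_B>:role/DelegatedAccessRole
        os.environ["DELEGATED_EXTERNAL_ID"],  # assumed env var: the ExternalId parameter of account B's stack
    )
    # The client must carry the assumed role's credentials: account B's queue policy
    # trusts only DelegatedAccessRole, so a default client (FunctionsLambdaRole) is denied.
    sqs = boto3.client("sqs", region_name=region_from_queue_url(queue_url), **creds)
    return send_as_role(sqs, queue_url, body=str(event))
```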
Rather than creating an IAM role in account B, the cleanest way is to allow SendMessage to the SQS queue in account B, as in the basic examples of Amazon SQS policies:

The following example policy grants AWS account 111122223333 permission to SendMessage to the queue 444455556666/queue1 in the US East (Ohio) region.

    {
      "Version": "2012-10-17",
      "Id": "Queue1_Policy_UUID",
      "Statement": [{
        "Sid": "Queue1_SendMessage",
        "Effect": "Allow",
        "Principal": {
          "AWS": [
            "111122223333"
          ]
        },
        "Action": "sqs:SendMessage",
        "Resource": "arn:aws:sqs:us-east-2:444455556666:queue1"
      }]
    }

This is much easier than assuming a role.