我有一个 EC2 实例,其角色附加了以下 IAM 策略:
{
"Statement": [
... other Allow statements here
{
"Action": "sqs:*",
"Effect": "Allow",
"Resource": [
"arn:aws:sqs:us-east-1:us-east-1:111111111111:automation-document-dev"
]
}
],
"Version": "2012-10-17"
}
automation-document-dev
SQS 访问政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowSQSS3BucketNotification",
"Effect": "Allow",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Action": "sqs:SendMessage",
"Resource": "arn:aws:sqs:us-east-1:111111111111:automation-document-dev",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "arn:aws:s3:::doc-storage-dev"
}
}
}
]
}
当我通过 SSH 连接到 EC2 实例并执行时
aws sqs get-queue-url --queue-name automation-document-dev
我收到此错误:
An error occurred (AWS.SimpleQueueService.NonExistentQueue) when calling the GetQueueUrl operation:
The specified queue does not exist or you do not have access to it.
我在这里缺少什么? IAM 角色/策略看起来应该拥有访问队列所需的所有权限(我使用
get-queue-url
操作作为测试)。据我所知,只要EC2实例角色有权使用该服务,我就不需要更改SQS的访问策略。
我看到您授予的唯一权限是“sqs:SendMessage”,但您正在使用不同的操作“get-queue-url”,它需要权限“sqs:GetQueueUrl” - 尝试授予该权限,然后查看它是否有效.