S3 事件的 Cloudformation SQS 策略
Cloudformation SQS Policy for S3 events
我正在尝试为 SQS 队列创建一个策略,该策略将允许任何 S3 存储桶将事件发送到队列。我似乎无法为特定的 S3 队列执行此操作,因为我最终会遇到循环依赖关系。
我已经创建了一个 cloudformation 模板来创建队列和策略,但是当我尝试手动设置 S3 存储桶来发送事件时,我收到一条消息说
Permissions on the destination queue do not allow S3 to publish
notifications from this bucket
我用来创建策略的模板部分是:
"SQSNotifcationFromS3" : {
"Type" : "AWS::SQS::QueuePolicy",
"DependsOn" : "S3Notifications",
"Properties" : {
"PolicyDocument" : {
"Version": "2012-10-17",
"Id": "SQSIDsimon",
"Statement": [
{
"Sid": "example-statement-ID",
"Effect": "Allow",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Action": "SQS:*",
"Resource": { "Ref" : "S3Notifications"}
}
]
},
"Queues" : [ { "Ref" : "S3Queue" } ]
}
}
在AWS控制台中,您是否确认队列已成功授予s3存储桶权限?在 SQS 中,select 队列并查看权限选项卡。
查看上面的模板片段,我不确定 "S3Notifications" 指向什么,但我假设它是 S3 存储桶。 SQS 策略文档 "Resource" 应该是 S3 存储桶的 ARN。 S3 存储桶上的 "Ref" 函数的参考值为 "Name"。我相信你需要 ARN。
参见:http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/SQSExamples.html
和:http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html
最后,我找到了解决方案 - 我在 SQS 上设置了权限,以便任何 S3 存储桶都可以将事件添加到队列中:
"S3EventQueuePolicy" : {
"Type" : "AWS::SQS::QueuePolicy",
"DependsOn" : [ "S3EventQueue" ],
"Properties" : {
"PolicyDocument" : {
"Id": "SQSPolicy",
"Statement": [
{
"Sid": "SQSEventPolicy",
"Effect": "Allow",
"Principal": "*",
"Action": "SQS:*",
"Resource": "*",
"Condition": {
"ArnLike": {
"aws:SourceArn": "arn:aws:s3:::*"
}
}
}
]
},
"Queues" : [ { "Ref" : "S3EventQueue"} ]
}
},
我正在尝试为 SQS 队列创建一个策略,该策略将允许任何 S3 存储桶将事件发送到队列。我似乎无法为特定的 S3 队列执行此操作,因为我最终会遇到循环依赖关系。
我已经创建了一个 cloudformation 模板来创建队列和策略,但是当我尝试手动设置 S3 存储桶来发送事件时,我收到一条消息说
Permissions on the destination queue do not allow S3 to publish notifications from this bucket
我用来创建策略的模板部分是:
"SQSNotifcationFromS3" : {
"Type" : "AWS::SQS::QueuePolicy",
"DependsOn" : "S3Notifications",
"Properties" : {
"PolicyDocument" : {
"Version": "2012-10-17",
"Id": "SQSIDsimon",
"Statement": [
{
"Sid": "example-statement-ID",
"Effect": "Allow",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Action": "SQS:*",
"Resource": { "Ref" : "S3Notifications"}
}
]
},
"Queues" : [ { "Ref" : "S3Queue" } ]
}
}
在AWS控制台中,您是否确认队列已成功授予s3存储桶权限?在 SQS 中,select 队列并查看权限选项卡。
查看上面的模板片段,我不确定 "S3Notifications" 指向什么,但我假设它是 S3 存储桶。 SQS 策略文档 "Resource" 应该是 S3 存储桶的 ARN。 S3 存储桶上的 "Ref" 函数的参考值为 "Name"。我相信你需要 ARN。
参见:http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/SQSExamples.html
和:http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html
最后,我找到了解决方案 - 我在 SQS 上设置了权限,以便任何 S3 存储桶都可以将事件添加到队列中:
"S3EventQueuePolicy" : {
"Type" : "AWS::SQS::QueuePolicy",
"DependsOn" : [ "S3EventQueue" ],
"Properties" : {
"PolicyDocument" : {
"Id": "SQSPolicy",
"Statement": [
{
"Sid": "SQSEventPolicy",
"Effect": "Allow",
"Principal": "*",
"Action": "SQS:*",
"Resource": "*",
"Condition": {
"ArnLike": {
"aws:SourceArn": "arn:aws:s3:::*"
}
}
}
]
},
"Queues" : [ { "Ref" : "S3EventQueue"} ]
}
},