How to set up permissions for S3 event to SNS topic?
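I am trying to create an event on an S3 bucket (named testBucket) so that every time a new object is created, a message is sent to SNS.
I did some research and added:
    "ArnLike": {"aws:SourceArn": "arn:aws:s3:*:*:testBucket"}
to the policy of the destination topic.
However, when I try to create the event, it still says: Permissions on the destination topic do not allow S3 to publish notifications from this bucket.
Any ideas?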
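I think you need to allow the S3 bucket owner to publish to your topic. I usually test the functionality first by allowing everyone to publish to the topic, and then add the more selective policy details afterwards.
If you select your SNS topic in the AWS console, then choose Other topic actions, then select Edit topic policy, you will see the Basic view tab. Under the "Allow these users to publish messages to this topic" section, select Everyone and save. Next, add the event to S3 and verify that basic event publishing works. You can then use the Advanced view later to lock down the detailed policy changes.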
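Problem solved. Before, I was adding the condition lines to the default statement:
    "ArnLike": {
        "aws:SourceArn": "arn:aws:s3:*:*:testBucket"
    }
It turns out I had to create a new statement containing the publish action.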
    {
        "Sid": "publish-from-s3",
        "Effect": "Allow",
        "Principal": {
            "Service": "s3.amazonaws.com"
        },
        "Action": "SNS:Publish",
        "Resource": "arn:aws:sns:ap-southeast-2:XXXXXXXXXXXXXX:testTopicforS3",
        "Condition": {
            "ArnLike": {
                "aws:SourceArn": "arn:aws:s3:*:*:testBucket"
            }
        }
    }
Yes, after creating the SNS topic, modify it to add a statement (after the default one):
    {
        "Statement": [
            {
                "Sid": "__default_statement_ID",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "*"
                },
                "Action": [
                    "SNS:Publish",
                    "SNS:RemovePermission",
                    "SNS:SetTopicAttributes",
                    "SNS:DeleteTopic",
                    "SNS:ListSubscriptionsByTopic",
                    "SNS:GetTopicAttributes",
                    "SNS:Receive",
                    "SNS:AddPermission",
                    "SNS:Subscribe"
                ],
                "Resource": "your sns arn"
            },
            {
                "Sid": "s3",
                "Effect": "Allow",
                "Principal": {
                    "Service": "s3.amazonaws.com"
                },
                "Action": "SNS:Publish",
                "Resource": "your sns arn"
            }
        ]
    }
Instead of adding a new statement, put "Service": "s3.awsamazon.com" in the Principal.
So it looks like:
    Statement: [
        {
            "Sid": "publish-from-s3",
            "Effect": "Allow",
            "Principal": {
                "Service": "s3.amazonaws.com", # ADD THIS!
                "AWS": <AWS_Account_Name_for_Access>
            },
            "Action": "SNS:Publish",
            "Resource": "arn:aws:sns:ap-southeast-2:XXXXXXXXXXXXXX:testTopicforS3",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:s3:*:*:*"
                }
            }
        }
    ]
    "Principal": {
        "Service": "s3.amazonaws.com"
    }
&
    "ArnLike": {
        "aws:SourceArn": "arn:aws:s3:*:*:Bucket_name"
    }
are important.
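If you want any bucket in your account to be able to publish or subscribe to the topic (yes, this is a more general solution and therefore less secure, but it helps if you run into circular dependency problems when trying to allow the bucket to publish to the topic and to add a subscription from the bucket to the topic):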
    {
        "Id": "your-topic-policy-id",
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "statement-id",
                "Effect": "Allow",
                "Principal": {
                    "Service": "s3.amazonaws.com"
                },
                "Action": ["sns:Publish", "sns:Subscribe"],
                "Resource": "your-sns-topic-arn",
                "Condition": {
                    "StringEquals": {
                        "AWS:SourceAccount": "account-id"
                    }
                }
            }
        ]
    }
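An offline check of the policy shapes posted above, as an added example that is not part of any answer on this page: it reports whether a topic policy lets S3 publish for a given bucket and flags statements left wider than the notification needs. The function name `audit_topic_policy`, the sample policies and the account id are constructed for illustration, and `ArnLike` is approximated with shell-style wildcard matching.

```python
import json
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_topic_policy(policy, bucket_arn):
    """Return (s3_can_publish, findings) for an SNS topic policy dict."""
    s3_can_publish, findings = False, []
    for st in policy.get("Statement", []):
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if st.get("Effect") != "Allow" or not actions & {"sns:publish", "sns:*", "*"}:
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal", {})
        if not isinstance(principal, dict):      # "Principal": "*"
            principal = {"AWS": principal}
        # Condition keys are case-insensitive; flatten {operator: {key: value}}.
        cond = {k.lower(): _as_list(v)
                for op in st.get("Condition", {}).values() for k, v in op.items()}
        if "*" in _as_list(principal.get("AWS", [])) and not cond:
            findings.append(f"{sid}: any AWS principal may publish (no Condition)")
        if "s3.amazonaws.com" not in _as_list(principal.get("Service", [])):
            continue
        patterns = cond.get("aws:sourcearn", [])
        if not cond:
            findings.append(f"{sid}: S3 not scoped by aws:SourceArn or aws:SourceAccount")
        if any(p.split(":")[-1] == "*" for p in patterns):
            findings.append(f"{sid}: aws:SourceArn matches every bucket")
        # Simplified ArnLike: shell-style wildcard match on the whole ARN.
        if not patterns or any(fnmatchcase(bucket_arn, p) for p in patterns):
            s3_can_publish = True
    return s3_can_publish, findings

# Constructed inputs modelled on the statements posted above.
BUCKET = "arn:aws:s3:::testBucket"
TOPIC = "arn:aws:sns:ap-southeast-2:111111111111:testTopicforS3"  # placeholder account id
SCOPED = {"Statement": [{
    "Sid": "publish-from-s3", "Effect": "Allow",
    "Principal": {"Service": "s3.amazonaws.com"},
    "Action": "SNS:Publish", "Resource": TOPIC,
    "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:s3:*:*:testBucket"}}}]}
UNSCOPED = {"Statement": [
    {"Sid": "__default_statement_ID", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["SNS:Publish", "SNS:Subscribe"], "Resource": TOPIC},
    {"Sid": "s3", "Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"},
     "Action": "SNS:Publish", "Resource": TOPIC}]}

if __name__ == "__main__":
    for name, pol in (("scoped", SCOPED), ("unscoped", UNSCOPED)):
        print(name, json.dumps(audit_topic_policy(pol, BUCKET), indent=2))
```

Both sample policies let the bucket's notification through; only the scoped one does so without findings, which is the difference to look for before leaving a test policy in place.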