AmazonIpSpaceChanged 在不同区域的 SNS 订阅错误
SNS subscription error for AmazonIpSpaceChanged on different region
为什么我无法在AmazonIpSpaceChanged 上订阅SNS?请检查,我需要你的指导。
我基本上遵循的指南是来自 AWS 安全博客的 How to Automatically Update Your Security Groups for Amazon CloudFront and AWS WAF by Using AWS Lambda。
这是终端的输出:
➜ terminal $ cat ~/.aws/config
[default]
region = ap-southeast-1
➜ terminal $ aws sns subscribe --topic-arn arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged --protocol lambda --notification-endpoint arn:aws:lambda:ap-southeast-1:accountid_removed:function:cloudfront-securitygroup-controller
An error occurred (InvalidParameter) when calling the Subscribe operation: Invalid parameter: TopicArn
➜ terminal $ AWS_REGION=ap-southeast-1 aws sns subscribe --topic-arn arn:aws:sns:ap-southeast-1:806199016981:AmazonIpSpaceChanged --protocol lambda --notification-endpoint arn:aws:lambda:ap-southeast-1:accountid_removed:function:cloudfront-securitygroup-controller
An error occurred (AuthorizationError) when calling the Subscribe operation: User: arn:aws:iam::accountid_removed:user/removed@gmail.com is not authorized to perform: SNS:Subscribe on resource: arn:aws:sns:ap-southeast-1:806199016981:AmazonIpSpaceChanged
这也是通过 AWS Web 控制台完成时的输出:
User: arn:aws:iam::accountid_removed:user/removed@gmail.com is not authorized to perform: SNS:Subscribe on resource: arn:aws:sns:ap-southeast-1:806199016981:AmazonIpSpaceChanged (Service: AmazonSNS; Status Code: 403; Error Code: AuthorizationError; Request ID: 0e87384a-e298-569e-bf2d-6a5718eedc40)
错误是因为您的 API 调用必须对 Amazon SNS 主题所在的 us-east-1 区域进行。
$ aws sns subscribe --topic-arn arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged --protocol email --notification-endpoint xyzzy@mailinator.com --region us-east-1
{
"SubscriptionArn": "pending confirmation"
}
似乎在不同区域订阅 AWS Lambda 函数也有效(或者,至少没有 return 错误):
aws sns subscribe --topic-arn arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged --protocol lambda --notification-endpoint arn:aws:lambda:ap-southeast-2:123456789012:foo --region us-east-1
{
"SubscriptionArn": "arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged:37dab281-1e8f-16ba-8e4a-ef9de429101b"
}
这也可以通过 CloudFormation 使用(新的)Region 参数实现。
CloudFormation (json) SNS 资源的代码片段:
"LambdaAmazonIpSpaceChangedSubscription" : {
"Type" : "AWS::SNS::Subscription",
"Properties" : {
"Endpoint" : {"Fn::GetAtt" : ["LambdaFunction", "Arn"] },
"Protocol" : "lambda",
"TopicArn" : "arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged",
"Region": "us-east-1"
}
},
为什么我无法在AmazonIpSpaceChanged 上订阅SNS?请检查,我需要你的指导。
我基本上遵循的指南是来自 AWS 安全博客的 How to Automatically Update Your Security Groups for Amazon CloudFront and AWS WAF by Using AWS Lambda。
这是终端的输出:
➜ terminal $ cat ~/.aws/config [default] region = ap-southeast-1 ➜ terminal $ aws sns subscribe --topic-arn arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged --protocol lambda --notification-endpoint arn:aws:lambda:ap-southeast-1:accountid_removed:function:cloudfront-securitygroup-controller An error occurred (InvalidParameter) when calling the Subscribe operation: Invalid parameter: TopicArn ➜ terminal $ AWS_REGION=ap-southeast-1 aws sns subscribe --topic-arn arn:aws:sns:ap-southeast-1:806199016981:AmazonIpSpaceChanged --protocol lambda --notification-endpoint arn:aws:lambda:ap-southeast-1:accountid_removed:function:cloudfront-securitygroup-controller An error occurred (AuthorizationError) when calling the Subscribe operation: User: arn:aws:iam::accountid_removed:user/removed@gmail.com is not authorized to perform: SNS:Subscribe on resource: arn:aws:sns:ap-southeast-1:806199016981:AmazonIpSpaceChanged
这也是通过 AWS Web 控制台完成时的输出:
User: arn:aws:iam::accountid_removed:user/removed@gmail.com is not authorized to perform: SNS:Subscribe on resource: arn:aws:sns:ap-southeast-1:806199016981:AmazonIpSpaceChanged (Service: AmazonSNS; Status Code: 403; Error Code: AuthorizationError; Request ID: 0e87384a-e298-569e-bf2d-6a5718eedc40)
错误是因为您的 API 调用必须对 Amazon SNS 主题所在的 us-east-1 区域进行。
$ aws sns subscribe --topic-arn arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged --protocol email --notification-endpoint xyzzy@mailinator.com --region us-east-1
{
"SubscriptionArn": "pending confirmation"
}
似乎在不同区域订阅 AWS Lambda 函数也有效(或者,至少没有 return 错误):
aws sns subscribe --topic-arn arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged --protocol lambda --notification-endpoint arn:aws:lambda:ap-southeast-2:123456789012:foo --region us-east-1
{
"SubscriptionArn": "arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged:37dab281-1e8f-16ba-8e4a-ef9de429101b"
}
这也可以通过 CloudFormation 使用(新的)Region 参数实现。
CloudFormation (json) SNS 资源的代码片段:
"LambdaAmazonIpSpaceChangedSubscription" : {
"Type" : "AWS::SNS::Subscription",
"Properties" : {
"Endpoint" : {"Fn::GetAtt" : ["LambdaFunction", "Arn"] },
"Protocol" : "lambda",
"TopicArn" : "arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged",
"Region": "us-east-1"
}
},