向 SNS 访问策略添加额外的 sns:Unsubscribe 会导致 InvalidParameter 错误
Adding additional sns:Unsubscribe to SNS access policy results in InvalidParameter error
这个让人头疼:
sns_policy = {
"Version":"2012-10-17",
"Statement":[{
"Effect" : "Allow",
"Principal" : { "AWS": "*" },
"Action" : ["sns:Publish", "sns:ListSubscriptionsByTopic", "sns:Unsubscribe"],
"Resource" : "arn:aws:sns:us-west-2:234234234:test",
"Condition" : {
"ArnEquals" : {
"aws:SourceArn" : "arn:aws:lambda:us-west-2:234234234:function:*"
}
}
}]
}
sns.set_topic_attributes(TopicArn = "arn:aws:sns:us-west-2:234234234:test",
AttributeName = "Policy",
AttributeValue = json.dumps(sns_policy)
)
添加第三个 Action 数组项,sns:Unsubscribe 结果为 Invalid parameter: Policy statement action out of service scope! (Service: AmazonSNS; Status Code: 400; Error Code: InvalidParameter;,删除 sns:Unsubscribe 效果很好。
为什么 AWS 不允许这样做?我需要我的 lambda 函数才能订阅和取消订阅 SNS::test 主题的队列。
根据 Special Information for Amazon SNS Policies,sns:Unsubscribe 未列为有效的 SNS 策略操作。
根据 Boto3 documentation 尝试使用 client.unsubscribe(SubscriptionArn='string')。
这个让人头疼:
sns_policy = {
"Version":"2012-10-17",
"Statement":[{
"Effect" : "Allow",
"Principal" : { "AWS": "*" },
"Action" : ["sns:Publish", "sns:ListSubscriptionsByTopic", "sns:Unsubscribe"],
"Resource" : "arn:aws:sns:us-west-2:234234234:test",
"Condition" : {
"ArnEquals" : {
"aws:SourceArn" : "arn:aws:lambda:us-west-2:234234234:function:*"
}
}
}]
}
sns.set_topic_attributes(TopicArn = "arn:aws:sns:us-west-2:234234234:test",
AttributeName = "Policy",
AttributeValue = json.dumps(sns_policy)
)
添加第三个 Action 数组项,sns:Unsubscribe 结果为 Invalid parameter: Policy statement action out of service scope! (Service: AmazonSNS; Status Code: 400; Error Code: InvalidParameter;,删除 sns:Unsubscribe 效果很好。
为什么 AWS 不允许这样做?我需要我的 lambda 函数才能订阅和取消订阅 SNS::test 主题的队列。
根据 Special Information for Amazon SNS Policies,sns:Unsubscribe 未列为有效的 SNS 策略操作。
根据 Boto3 documentation 尝试使用 client.unsubscribe(SubscriptionArn='string')。