具有 SNS 权限的 Lambda 死信队列
Lambda Dead Letter Queue with SNS permissions
我正在尝试使用 Lambda 的死信队列。我已将其配置为将消息发送到 SNS 队列。我放入了一个不正确的处理程序来消除 Lambda 调用错误。错误消息永远不会到达 SNS 队列中。我相信这是一个权限问题。下面是我为 SNS 队列设置的访问策略
{
"Version": "2008-10-17",
"Id": "__default_policy_ID",
"Statement": [
{
"Sid": "__default_statement_ID",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"SNS:GetTopicAttributes",
"SNS:SetTopicAttributes",
"SNS:AddPermission",
"SNS:RemovePermission",
"SNS:DeleteTopic",
"SNS:Subscribe",
"SNS:ListSubscriptionsByTopic",
"SNS:Publish",
"SNS:Receive"
],
"Resource": "arn:aws:sns:eu-west-1:1234567:lambda-dlq",
"Condition": {
"StringEquals": {
"AWS:SourceOwner": "1234567"
}
}
}
]
}
lambda 函数附加了一个角色,该角色具有 sns:Publish、action 到 allow 和 resource 到 *
我错过了什么吗?邮件可能无法到达 DLQ 的任何其他原因?
我试图验证你的场景。我观察到在控制台中使用测试不会在 DLQ 中产生消息。
有效的方法是使用 CLI(尚未使用 CW Events 进行测试):
aws lambda invoke --function-name ffff --invocation-type Event --profile my-profile /dev/stdout
另外还有其他设置:
SNS 策略(与您的相同;默认)
{
"Version": "2008-10-17",
"Id": "__default_policy_ID",
"Statement": [
{
"Sid": "__default_statement_ID",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"SNS:GetTopicAttributes",
"SNS:SetTopicAttributes",
"SNS:AddPermission",
"SNS:RemovePermission",
"SNS:DeleteTopic",
"SNS:Subscribe",
"SNS:ListSubscriptionsByTopic",
"SNS:Publish",
"SNS:Receive"
],
"Resource": "arn:aws:sns:us-east-1:xxxxxx:my-dlq-topic",
"Condition": {
"StringEquals": {
"AWS:SourceOwner": "xxxxxxx"
}
}
}
]
}
lambda 执行角色
为了简单起见,只添加了 arn:aws:iam::aws:policy/AmazonSNSFullAccess。
异步 lambda 设置
我正在尝试使用 Lambda 的死信队列。我已将其配置为将消息发送到 SNS 队列。我放入了一个不正确的处理程序来消除 Lambda 调用错误。错误消息永远不会到达 SNS 队列中。我相信这是一个权限问题。下面是我为 SNS 队列设置的访问策略
{
"Version": "2008-10-17",
"Id": "__default_policy_ID",
"Statement": [
{
"Sid": "__default_statement_ID",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"SNS:GetTopicAttributes",
"SNS:SetTopicAttributes",
"SNS:AddPermission",
"SNS:RemovePermission",
"SNS:DeleteTopic",
"SNS:Subscribe",
"SNS:ListSubscriptionsByTopic",
"SNS:Publish",
"SNS:Receive"
],
"Resource": "arn:aws:sns:eu-west-1:1234567:lambda-dlq",
"Condition": {
"StringEquals": {
"AWS:SourceOwner": "1234567"
}
}
}
]
}
lambda 函数附加了一个角色,该角色具有 sns:Publish、action 到 allow 和 resource 到 *
我错过了什么吗?邮件可能无法到达 DLQ 的任何其他原因?
我试图验证你的场景。我观察到在控制台中使用测试不会在 DLQ 中产生消息。
有效的方法是使用 CLI(尚未使用 CW Events 进行测试):
aws lambda invoke --function-name ffff --invocation-type Event --profile my-profile /dev/stdout
另外还有其他设置:
SNS 策略(与您的相同;默认)
{
"Version": "2008-10-17",
"Id": "__default_policy_ID",
"Statement": [
{
"Sid": "__default_statement_ID",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"SNS:GetTopicAttributes",
"SNS:SetTopicAttributes",
"SNS:AddPermission",
"SNS:RemovePermission",
"SNS:DeleteTopic",
"SNS:Subscribe",
"SNS:ListSubscriptionsByTopic",
"SNS:Publish",
"SNS:Receive"
],
"Resource": "arn:aws:sns:us-east-1:xxxxxx:my-dlq-topic",
"Condition": {
"StringEquals": {
"AWS:SourceOwner": "xxxxxxx"
}
}
}
]
}
lambda 执行角色
为了简单起见,只添加了 arn:aws:iam::aws:policy/AmazonSNSFullAccess。
异步 lambda 设置