AWS SNS 主题子:Dead-letter 队列(重新驱动策略)权限被拒绝
AWS SNS Topic Sub: Dead-letter queue (redrive policy) permissions denied
我有一个 SNS 主题和订阅(实际上超过 1 个)设置以使用 SQS DLQ。但是每个人都告诉我我有政策错误。
我的 SNS 订阅设置了 DLQ:
我的队列存在:
我在 SQS 队列上设置了这个访问策略:
{
"Version": "2008-10-17",
"Id": "__default_policy_ID",
"Statement": [
{
"Sid": "__owner_statement",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::1234:root"
},
"Action": "SQS:*",
"Resource": "arn:aws:sqs:eu-west-2:1234:AggregateMonitoringDeadLetterQueue"
},
{
"Effect": "Allow",
"Principal": {
"Service": "sns.amazonaws.com"
},
"Action": "SQS:SendMessage",
"Resource": "arn:aws:sqs:eu-west-2:1234:AggregateMonitoringDeadLetterQueue",
"Condition": {
"ArnLike": {
"aws:SourceArn": [
"arn:aws:sns:eu-west-2:1234:aggregator-state",
"arn:aws:sns:eu-west-2:1234:rank-state-publication",
"arn:aws:sns:eu-west-2:1234:rank-state-categorisation"
]
}
}
}
]
}
我也试过在队列上有一个非常通用的访问策略:
{
"Version": "2008-10-17",
"Id": "__default_policy_ID",
"Statement": [
{
"Sid": "__owner_statement",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "SQS:*",
"Resource": "arn:aws:sqs:eu-west-2:1234:AggregateMonitoringDeadLetterQueue"
},
{
"Effect": "Allow",
"Principal": {
"Service": "sns.amazonaws.com"
},
"Action": "SQS:*",
"Resource": "arn:aws:sqs:eu-west-2:1234:AggregateMonitoringDeadLetterQueue",
"Condition": {
"ArnLike": {
"aws:SourceArn": "arn:aws:sns:eu-west-2:1234:*"
}
}
}
]
}
我在关注这个:https://docs.aws.amazon.com/sns/latest/dg/sns-configure-dead-letter-queue.html(第 5 步解释了设置策略)
其他参考:https://docs.aws.amazon.com/sns/latest/dg/sns-dead-letter-queues.html
我一定是做错了什么,或者遗漏了什么?我无法摆脱错误。
请参阅 ,其中指出尽管有错误消息,失败的消息仍会正确发送到 DLQ。
在我这边,我可以确认我在我的 DLQ 中收到了那些失败的消息,它的配置与您的一样(通过遵循相同的文档 https://docs.aws.amazon.com/sns/latest/dg/sns-configure-dead-letter-queue.html)。
我有一个 SNS 主题和订阅(实际上超过 1 个)设置以使用 SQS DLQ。但是每个人都告诉我我有政策错误。
我的 SNS 订阅设置了 DLQ:
我的队列存在:
我在 SQS 队列上设置了这个访问策略:
{
"Version": "2008-10-17",
"Id": "__default_policy_ID",
"Statement": [
{
"Sid": "__owner_statement",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::1234:root"
},
"Action": "SQS:*",
"Resource": "arn:aws:sqs:eu-west-2:1234:AggregateMonitoringDeadLetterQueue"
},
{
"Effect": "Allow",
"Principal": {
"Service": "sns.amazonaws.com"
},
"Action": "SQS:SendMessage",
"Resource": "arn:aws:sqs:eu-west-2:1234:AggregateMonitoringDeadLetterQueue",
"Condition": {
"ArnLike": {
"aws:SourceArn": [
"arn:aws:sns:eu-west-2:1234:aggregator-state",
"arn:aws:sns:eu-west-2:1234:rank-state-publication",
"arn:aws:sns:eu-west-2:1234:rank-state-categorisation"
]
}
}
}
]
}
我也试过在队列上有一个非常通用的访问策略:
{
"Version": "2008-10-17",
"Id": "__default_policy_ID",
"Statement": [
{
"Sid": "__owner_statement",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "SQS:*",
"Resource": "arn:aws:sqs:eu-west-2:1234:AggregateMonitoringDeadLetterQueue"
},
{
"Effect": "Allow",
"Principal": {
"Service": "sns.amazonaws.com"
},
"Action": "SQS:*",
"Resource": "arn:aws:sqs:eu-west-2:1234:AggregateMonitoringDeadLetterQueue",
"Condition": {
"ArnLike": {
"aws:SourceArn": "arn:aws:sns:eu-west-2:1234:*"
}
}
}
]
}
我在关注这个:https://docs.aws.amazon.com/sns/latest/dg/sns-configure-dead-letter-queue.html(第 5 步解释了设置策略)
其他参考:https://docs.aws.amazon.com/sns/latest/dg/sns-dead-letter-queues.html
我一定是做错了什么,或者遗漏了什么?我无法摆脱错误。
请参阅
在我这边,我可以确认我在我的 DLQ 中收到了那些失败的消息,它的配置与您的一样(通过遵循相同的文档 https://docs.aws.amazon.com/sns/latest/dg/sns-configure-dead-letter-queue.html)。