我有一个 lambda,其角色具有对 SQS 的完全访问权限,但我仍然无法向 SQS 发送消息
I have a lambda with a role that has full access to SQS but I still can't send messages to SQS
求助,我被AWS打败了...
我有一个具有以下权限的 lambda。
sqs 基于资源的策略和服务角色都没有任何 Deny 语句。 lambda 应该向另一个 SQS 队列发送消息,但它不能,我只是收到这个错误
{
"code": "AccessDenied",
"time": "2021-06-03T20:50:09.722Z",
"requestId": "62e15127-9f9b-527f-b1a8-0814dd5a5c9a",
"statusCode": 403,
"retryable": false,
"retryDelay": 47.17774745450638,
"level": "error",
"message": "Access to the resource https://sqs.eu-west-1.amazonaws.com/ is denied.",
"timestamp": "2021-06-03T20:50:09.723Z"
}
执行此操作的 lambda 代码(此代码通常在多个文件中)
import { SQSEvent } from 'aws-lambda';
import { isLeft } from 'fp-ts/lib/Either';
import { first } from 'lodash';
import reporter from 'io-ts-reporters';
import ExitWithSuccess from 'Entities/ExitWithSuccess';
import { error } from '@mvf/logger';
import { SQS } from 'aws-sdk';
import Event from './Event';
const sqsClient = new SQS({
region: 'eu-west-1',
});
const delayed = {
client: sqsClient,
url: 'https://sqs.eu-west-1.amazonaws.com/<account>/event_dispatcher_delayed_messages',
};
type ISqsClient = typeof delayed;
interface SqsOperations {
sendMessage(body: Record<string, unknown>): Promise<unknown>;
}
const sqs = {
instance: ({ client, url }: ISqsClient): SqsOperations => ({
sendMessage: (body: Record<string, unknown>) =>
client
.sendMessage({ QueueUrl: url, MessageBody: JSON.stringify(body) })
.promise(),
}),
delayed,
};
const lambda = async (event: SQSEvent): Promise<void> => {
const record = first(event.Records);
if (!record) {
throw new ExitWithSuccess(error, 'lambda was invoked without any records');
}
const maybeEvent = Event.decode(JSON.parse(record.body));
if (isLeft(maybeEvent)) {
throw new ExitWithSuccess(error, 'invalid record body', {
typeErrors: reporter.report(maybeEvent),
});
}
await sqs.instance(delayed).sendMessage(maybeEvent.right);
};
export default lambda;
我已经在这上面花了 3 天了,有没有人遇到过类似的问题?
怎么可能拥有对资源的完全访问权限,但仍然无法与之交互?
非常感谢任何关于这里发生的事情的提示、建议或想法。
SQS 队列是否有明确拒绝访问的基于资源的策略?
SQS队列是否与Lambda函数在同一个账户?否则,您也需要允许跨帐户访问。
求助,我被AWS打败了...
我有一个具有以下权限的 lambda。
sqs 基于资源的策略和服务角色都没有任何 Deny 语句。 lambda 应该向另一个 SQS 队列发送消息,但它不能,我只是收到这个错误
{
"code": "AccessDenied",
"time": "2021-06-03T20:50:09.722Z",
"requestId": "62e15127-9f9b-527f-b1a8-0814dd5a5c9a",
"statusCode": 403,
"retryable": false,
"retryDelay": 47.17774745450638,
"level": "error",
"message": "Access to the resource https://sqs.eu-west-1.amazonaws.com/ is denied.",
"timestamp": "2021-06-03T20:50:09.723Z"
}
执行此操作的 lambda 代码(此代码通常在多个文件中)
import { SQSEvent } from 'aws-lambda';
import { isLeft } from 'fp-ts/lib/Either';
import { first } from 'lodash';
import reporter from 'io-ts-reporters';
import ExitWithSuccess from 'Entities/ExitWithSuccess';
import { error } from '@mvf/logger';
import { SQS } from 'aws-sdk';
import Event from './Event';
const sqsClient = new SQS({
region: 'eu-west-1',
});
const delayed = {
client: sqsClient,
url: 'https://sqs.eu-west-1.amazonaws.com/<account>/event_dispatcher_delayed_messages',
};
type ISqsClient = typeof delayed;
interface SqsOperations {
sendMessage(body: Record<string, unknown>): Promise<unknown>;
}
const sqs = {
instance: ({ client, url }: ISqsClient): SqsOperations => ({
sendMessage: (body: Record<string, unknown>) =>
client
.sendMessage({ QueueUrl: url, MessageBody: JSON.stringify(body) })
.promise(),
}),
delayed,
};
const lambda = async (event: SQSEvent): Promise<void> => {
const record = first(event.Records);
if (!record) {
throw new ExitWithSuccess(error, 'lambda was invoked without any records');
}
const maybeEvent = Event.decode(JSON.parse(record.body));
if (isLeft(maybeEvent)) {
throw new ExitWithSuccess(error, 'invalid record body', {
typeErrors: reporter.report(maybeEvent),
});
}
await sqs.instance(delayed).sendMessage(maybeEvent.right);
};
export default lambda;
我已经在这上面花了 3 天了,有没有人遇到过类似的问题? 怎么可能拥有对资源的完全访问权限,但仍然无法与之交互?
非常感谢任何关于这里发生的事情的提示、建议或想法。
SQS 队列是否有明确拒绝访问的基于资源的策略?
SQS队列是否与Lambda函数在同一个账户?否则,您也需要允许跨帐户访问。