跨账号SNS主题发布
cross account SNS topic publish
我在帐户 A 中有一个 SNS 主题,该主题出错并发送到寻呼机任务
我有另一个账户 - 账户 B 中有多个服务、fargate、SQS 等,但我有多个 cloudwatch 警报/操作设置,用于向账户 A 中的此 SNS 主题发布警报
我在帐户 B(尝试访问跨帐户服务的帐户)上收到此错误
Failed to execute action
arn:aws:ACCOUNT-A:sns-topic.
Received error: "Resource:
arn:aws:cloudwatch:ACCOUNT-B
is not authorized to perform: SNS:Publish on resource:
ACCOUNT-A:sns"
这是我的账户 A 的 AWS CDK 代码
const accountATopic= new sns.Topic(this, 'accountATopic', {
displayName: 'accountATopic'
});
accountATopic.addSubscription(new snsSubscriptions.UrlSubscription('Externalurl'));
accountATopic.grantPublish(new iam.AccountPrincipal('ACCOUNTB'));
然后在帐户 B 中(不显示警报)
const ACCOUNTBTopic = sns.Topic.fromTopicArn(this, 'ACCOUNTBTopic ', 'ACCOUNT-A-ARN');
const action = new cloudwatchActions.SnsAction(ACCOUNTBTopic );
ACCOUNTBTopic .addToResourcePolicy(new PolicyStatement({
resources: ['ACCOUNT-A-ARN'],
actions: ['SNS:Publish'],
effect: Effect.ALLOW,
}))
对于将来遇到此问题的任何人 - 以下是我为使其正常工作所做的工作:
const accountATopic= new sns.Topic(this, 'accountATopic', {
displayName: 'accountATopic'
});
accountATopic.addSubscription(new snsSubscriptions.UrlSubscription('Externalurl'));
let snsPolicy = new PolicyStatement({effect:Effect.ALLOW,
resources:[accountATopic.topicArn],
actions:["SNS:Publish"],
principals:[
new AccountPrincipal('ACCOUNTB_ID'),
]
})
//or optionally:
//snsPolicy.addAnyPrincipal()
accountATopic.addToResourcePolicy(snsPolicy)
授权发布方法似乎不允许它工作,同样根据 AWS documentation 在跨帐户 SNS / CloudWatch 上,他们建议为条件添加组织 ID - 这对我不起作用并且已经删除它
我在帐户 A 中有一个 SNS 主题,该主题出错并发送到寻呼机任务
我有另一个账户 - 账户 B 中有多个服务、fargate、SQS 等,但我有多个 cloudwatch 警报/操作设置,用于向账户 A 中的此 SNS 主题发布警报
我在帐户 B(尝试访问跨帐户服务的帐户)上收到此错误
Failed to execute action arn:aws:ACCOUNT-A:sns-topic. Received error: "Resource: arn:aws:cloudwatch:ACCOUNT-B is not authorized to perform: SNS:Publish on resource: ACCOUNT-A:sns"
这是我的账户 A 的 AWS CDK 代码
const accountATopic= new sns.Topic(this, 'accountATopic', {
displayName: 'accountATopic'
});
accountATopic.addSubscription(new snsSubscriptions.UrlSubscription('Externalurl'));
accountATopic.grantPublish(new iam.AccountPrincipal('ACCOUNTB'));
然后在帐户 B 中(不显示警报)
const ACCOUNTBTopic = sns.Topic.fromTopicArn(this, 'ACCOUNTBTopic ', 'ACCOUNT-A-ARN');
const action = new cloudwatchActions.SnsAction(ACCOUNTBTopic );
ACCOUNTBTopic .addToResourcePolicy(new PolicyStatement({
resources: ['ACCOUNT-A-ARN'],
actions: ['SNS:Publish'],
effect: Effect.ALLOW,
}))
对于将来遇到此问题的任何人 - 以下是我为使其正常工作所做的工作:
const accountATopic= new sns.Topic(this, 'accountATopic', {
displayName: 'accountATopic'
});
accountATopic.addSubscription(new snsSubscriptions.UrlSubscription('Externalurl'));
let snsPolicy = new PolicyStatement({effect:Effect.ALLOW,
resources:[accountATopic.topicArn],
actions:["SNS:Publish"],
principals:[
new AccountPrincipal('ACCOUNTB_ID'),
]
})
//or optionally:
//snsPolicy.addAnyPrincipal()
accountATopic.addToResourcePolicy(snsPolicy)
授权发布方法似乎不允许它工作,同样根据 AWS documentation 在跨帐户 SNS / CloudWatch 上,他们建议为条件添加组织 ID - 这对我不起作用并且已经删除它