AWS SNS ConfirmSubscription 授权从未授予 IAM 用户
AWS SNS ConfirmSubscription authorization never granted to IAM user
目标:授予 IAM 用户权限以确认 SNS 主题订阅
问题:使用 AWS Web 控制台,我无法向 IAM 用户帐户授予适当的 SNS 权限,无论我附加什么许可策略。
已完成的步骤:我创建了一个主题,它跟踪对 S3 对象的更改并通过 SNS 订阅(HTTPS/JSON 调用)将该信息推送到我的应用程序。
我接收请求的代码:
def self.confirm(arn, token)
client = retrieve_client
client.confirm_subscription(topic_arn: arn, token: token)
end
def self.retrieve_client
creds = Aws::Credentials.new(
Rails.application.credentials.dig(:aws, :access_key_id),
Rails.application.credentials.dig(:aws, :secret_access_key)
)
Aws::SNS::Client.new(region: 'us-east-2', credentials: creds)
end
当我的代码收到 SNS 确认请求时,我收到此错误消息:
Aws::SNS::Errors::AuthorizationError (User: arn:aws:iam::12345678912:user/user_name is not authorized to perform: SNS:ConfirmSubscription on resource: arn:aws:sns:us-east-2:12345678912:topic_name because no boundary policy allows the SNS:ConfirmSubscription action)
以上代码适用于不同的应用程序(但不同的 IAM 用户),所以我不认为代码是罪魁祸首。
我试过向组添加策略,然后将用户添加到组,没有任何变化。
我已经求助于直接向用户添加策略,没有任何变化。
这是我尝试过的两个最宽松的策略,我不知道我可以授予该用户哪些其他一揽子权限来使此订阅确认生效。
主题:arn:aws:sns:us-east-2:12345678912:topic_name
主题访问策略:
{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "sns:Publish",
"Resource": "arn:aws:sns:us-east-2:12345678912:topic_name
"StringEquals": {
"AWS:SourceAccount": "12345678912"
},
"ArnLike": {
"AWS:SourceArn": "arn:aws:s3:*:*:*"
}
}
}
]
}
策略 1(来自 AWS Managed AmazonSNSFullAccess 策略):
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sns:*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
策略 2,我只需点击尽可能多的操作选项,看看是否有任何效果:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"sns:TagResource",
"sns:DeleteTopic",
"sns:ListTopics",
"sns:Unsubscribe",
"sns:CreatePlatformEndpoint",
"sns:SetTopicAttributes",
"sns:UntagResource",
"sns:OptInPhoneNumber",
"sns:CheckIfPhoneNumberIsOptedOut",
"sns:ListEndpointsByPlatformApplication",
"sns:SetEndpointAttributes",
"sns:Publish",
"sns:DeletePlatformApplication",
"sns:SetPlatformApplicationAttributes",
"sns:VerifySMSSandboxPhoneNumber",
"sns:Subscribe",
"sns:ConfirmSubscription",
"sns:RemovePermission",
"sns:ListTagsForResource",
"sns:DeleteSMSSandboxPhoneNumber",
"sns:ListSubscriptionsByTopic",
"sns:GetTopicAttributes",
"sns:ListSMSSandboxPhoneNumbers",
"sns:CreatePlatformApplication",
"sns:SetSMSAttributes",
"sns:CreateTopic",
"sns:GetPlatformApplicationAttributes",
"sns:GetSubscriptionAttributes",
"sns:ListSubscriptions",
"sns:AddPermission",
"sns:ListOriginationNumbers",
"sns:DeleteEndpoint",
"sns:ListPhoneNumbersOptedOut",
"sns:GetEndpointAttributes",
"sns:SetSubscriptionAttributes",
"sns:GetSMSSandboxAccountStatus",
"sns:CreateSMSSandboxPhoneNumber",
"sns:ListPlatformApplications",
"sns:GetSMSAttributes"
],
"Resource": "*"
}
]
}
我完全不清楚还需要哪些其他政策才能为该用户提供确认 SNS 订阅所需的授权。
感谢 Marcin 提出的关于“边界策略”的问题,我了解到存在 IAM 边界策略的概念,它是什么,然后解决了我的问题。
在某些时候,当设置 IAM 用户时,边界策略附加到用户帐户,这排除了其他服务或组策略可能为该用户提供的任何其他策略。
因此,当我检查有问题的 IAM 用户时,我发现了一个只允许访问 AWS S3 服务的边界策略。此策略阻止了我为用户授予对 AWS SNS 服务的访问权限的努力。
删除边界策略后,IAM 用户设置现在显示为“权限边界(未设置)”并且 SNS 订阅确认按预期工作。
感谢您的帮助,Marcin!
目标:授予 IAM 用户权限以确认 SNS 主题订阅
问题:使用 AWS Web 控制台,我无法向 IAM 用户帐户授予适当的 SNS 权限,无论我附加什么许可策略。
已完成的步骤:我创建了一个主题,它跟踪对 S3 对象的更改并通过 SNS 订阅(HTTPS/JSON 调用)将该信息推送到我的应用程序。
我接收请求的代码:
def self.confirm(arn, token)
client = retrieve_client
client.confirm_subscription(topic_arn: arn, token: token)
end
def self.retrieve_client
creds = Aws::Credentials.new(
Rails.application.credentials.dig(:aws, :access_key_id),
Rails.application.credentials.dig(:aws, :secret_access_key)
)
Aws::SNS::Client.new(region: 'us-east-2', credentials: creds)
end
当我的代码收到 SNS 确认请求时,我收到此错误消息:
Aws::SNS::Errors::AuthorizationError (User: arn:aws:iam::12345678912:user/user_name is not authorized to perform: SNS:ConfirmSubscription on resource: arn:aws:sns:us-east-2:12345678912:topic_name because no boundary policy allows the SNS:ConfirmSubscription action)
以上代码适用于不同的应用程序(但不同的 IAM 用户),所以我不认为代码是罪魁祸首。
我试过向组添加策略,然后将用户添加到组,没有任何变化。
我已经求助于直接向用户添加策略,没有任何变化。
这是我尝试过的两个最宽松的策略,我不知道我可以授予该用户哪些其他一揽子权限来使此订阅确认生效。
主题:arn:aws:sns:us-east-2:12345678912:topic_name
主题访问策略:
{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "sns:Publish",
"Resource": "arn:aws:sns:us-east-2:12345678912:topic_name
"StringEquals": {
"AWS:SourceAccount": "12345678912"
},
"ArnLike": {
"AWS:SourceArn": "arn:aws:s3:*:*:*"
}
}
}
]
}
策略 1(来自 AWS Managed AmazonSNSFullAccess 策略):
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sns:*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
策略 2,我只需点击尽可能多的操作选项,看看是否有任何效果:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"sns:TagResource",
"sns:DeleteTopic",
"sns:ListTopics",
"sns:Unsubscribe",
"sns:CreatePlatformEndpoint",
"sns:SetTopicAttributes",
"sns:UntagResource",
"sns:OptInPhoneNumber",
"sns:CheckIfPhoneNumberIsOptedOut",
"sns:ListEndpointsByPlatformApplication",
"sns:SetEndpointAttributes",
"sns:Publish",
"sns:DeletePlatformApplication",
"sns:SetPlatformApplicationAttributes",
"sns:VerifySMSSandboxPhoneNumber",
"sns:Subscribe",
"sns:ConfirmSubscription",
"sns:RemovePermission",
"sns:ListTagsForResource",
"sns:DeleteSMSSandboxPhoneNumber",
"sns:ListSubscriptionsByTopic",
"sns:GetTopicAttributes",
"sns:ListSMSSandboxPhoneNumbers",
"sns:CreatePlatformApplication",
"sns:SetSMSAttributes",
"sns:CreateTopic",
"sns:GetPlatformApplicationAttributes",
"sns:GetSubscriptionAttributes",
"sns:ListSubscriptions",
"sns:AddPermission",
"sns:ListOriginationNumbers",
"sns:DeleteEndpoint",
"sns:ListPhoneNumbersOptedOut",
"sns:GetEndpointAttributes",
"sns:SetSubscriptionAttributes",
"sns:GetSMSSandboxAccountStatus",
"sns:CreateSMSSandboxPhoneNumber",
"sns:ListPlatformApplications",
"sns:GetSMSAttributes"
],
"Resource": "*"
}
]
}
我完全不清楚还需要哪些其他政策才能为该用户提供确认 SNS 订阅所需的授权。
感谢 Marcin 提出的关于“边界策略”的问题,我了解到存在 IAM 边界策略的概念,它是什么,然后解决了我的问题。
在某些时候,当设置 IAM 用户时,边界策略附加到用户帐户,这排除了其他服务或组策略可能为该用户提供的任何其他策略。
因此,当我检查有问题的 IAM 用户时,我发现了一个只允许访问 AWS S3 服务的边界策略。此策略阻止了我为用户授予对 AWS SNS 服务的访问权限的努力。
删除边界策略后,IAM 用户设置现在显示为“权限边界(未设置)”并且 SNS 订阅确认按预期工作。
感谢您的帮助,Marcin!