AWS Lambda unable to read off a queue with encryption

So I have a queue with KMS encryption enabled. The KMS key policy works fine.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${account}:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow sns to use key",
      "Effect": "Allow",
      "Principal": {
        "Service": ["sns.amazonaws.com", "lambda.amazonaws.com"],
        "AWS": "${role}"
      },
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "*"
    }
  ]
}

But my Lambda cannot access the SQS queue; every time it tries to pull messages it complains that access was denied by KMS. I don't have permission.

I have set up the following policy for my Lambda:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sqs:SendMessage"
      ],
      "Resource": [
        "arn:aws:sqs:xxx-1:xxxx:queue"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "sqs:DeleteMessage",
        "sqs:ReceiveMessage"
      ],
      "Resource": [
        "arn:aws:sqs:xxx-1:xxx:queue"
      ]
    },
    {
      "Sid": "KMSDecryption",
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": [
        "${kmsARN}"
      ]
    }
  ]
}

Does anyone know how to configure my Lambda to access the queue? I have many Lambdas that need to access the queue. How can I give them access to KMS so they can poll messages? The Lambda is written in Node.. do I have to do it in code?

The problem was pointing at the wrong ARN. The policy above is correct.
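The mismatch behind the accepted answer can be checked offline before deploying: compare the key ARN the queue actually uses against the Resource of the role's KMSDecryption statement, and confirm the key policy either delegates to the account root (as the question's first statement does) or names the role. This is an added example, not code from the question or answer; the account id, key id and role name are constructed placeholders.

```python
import fnmatch
import json

# Constructed placeholders (not real account or key ids).
ACCOUNT = "111111111111"
QUEUE_KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/11111111-2222-3333-4444-555555555555"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/lambda-sqs-consumer"

# Execution-role policy whose KMSDecryption statement names a different key than the queue
# uses (the "wrong arn" case). SQS statements are left out; only the KMS side is checked.
WRONG_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "KMSDecryption", "Effect": "Allow",
    "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
    "Resource": [f"arn:aws:kms:us-east-1:{ACCOUNT}:key/99999999-0000-0000-0000-000000000000"]}]}

# Key policy shaped like the question's first statement: account root gets kms:*, so the
# role's identity policy decides whether kms:Decrypt is allowed.
KEY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Enable User Permissions", "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}, "Action": "kms:*", "Resource": "*"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _allows(statement, action, resource):
    """True if one Allow statement covers action and resource (IAM '*' and '?' wildcards)."""
    if statement.get("Effect") != "Allow":
        return False
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement.get("Action", [])))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(statement.get("Resource", []))))

def decrypt_problems(role_policy, key_policy, key_arn, role_arn):
    """List the reasons the role could not kms:Decrypt messages encrypted under key_arn."""
    problems = []
    if not any(_allows(s, "kms:Decrypt", key_arn) for s in role_policy["Statement"]):
        problems.append(f"role policy grants no kms:Decrypt on the queue's key {key_arn}")
    account_root = f"arn:aws:iam::{key_arn.split(':')[4]}:root"
    trusted = {p for s in key_policy["Statement"] if _allows(s, "kms:Decrypt", key_arn)
               for p in _as_list(s.get("Principal", {}).get("AWS", []))}
    if not trusted & {account_root, role_arn}:
        problems.append("key policy neither delegates to the account root nor names the role")
    return problems

def with_correct_key(role_policy, key_arn):
    """Return a copy of role_policy whose KMSDecryption statement points at key_arn."""
    fixed = json.loads(json.dumps(role_policy))
    for s in fixed["Statement"]:
        if s.get("Sid") == "KMSDecryption":
            s["Resource"] = [key_arn]
    return fixed
```

In a real account the inputs come from `GetQueueAttributes` (KmsMasterKeyId), `GetPolicyVersion` on the role's policy and `GetKeyPolicy`; the checks themselves stay the same.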