错误代码:AccessDeniedException。用户:arn:aws:iam::xxx:user/xxx 无权执行:lambda:CreateEventSourceMapping on reso
Posted
技术标签:
【中文标题】错误代码:AccessDeniedException。用户:arn:aws:iam::xxx:user/xxx 无权执行:lambda:CreateEventSourceMapping on resource:*【英文标题】:Error code: AccessDeniedException. User: arn:aws:iam::xxx:user/xxx is not authorized to perform: lambda:CreateEventSourceMapping on resource: * 【发布时间】:2020-12-08 08:47:10 【问题描述】:这个问题与this有关:
设置:
账户 A(包含 SQS 队列)
账户B(包含将由账户A中的SQS队列触发的lambda函数)
这是账户 B 中的 lambda 资源策略
"Version": "2012-10-17",
"Id": "default",
"Statement": [
"Effect": "Allow",
"Principal":
"AWS": "arn:aws:iam::ACCOUNT-A:user/USER-ACCOUNT-A"
,
"Action": "lambda:*",
"Resource": "arn:aws:lambda:eu-north-1:ACCOUNT-B:function:FUNCTION-ACCOUNT-B"
,
"Effect": "Allow",
"Principal":
"Service": "sqs.amazonaws.com"
,
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:eu-north-1:ACCOUNT B:function:FUNCTION-ACCOUNT-B",
"Condition":
"StringEquals":
"AWS:SourceAccount": ACCOUNT A
,
"ArnLike":
"AWS:SourceArn": "arn:aws:sqs:eu-north-1:ACCOUNT-A:QUEUE-ACCOUNT A"
]
这是账户 A 中的 SQS 权限策略
"Statement": [
"Sid": "__owner_statement",
"Effect": "Allow",
"Principal":
"AWS": "arn:aws:iam::ACCOUNT-A:root"
,
"Action": "SQS:*",
"Resource": "arn:aws:sqs:eu-north-1:ACCOUNT-A:QUEUE-NAME-ACCOUNT-A"
,
"Sid": "__receiver_statement",
"Effect": "Allow",
"Principal":
"AWS": "arn:aws:iam::ACCOUNT-B:root"
,
"Action": [
"SQS:ChangeMessageVisibility",
"SQS:DeleteMessage",
"SQS:ReceiveMessage"
],
"Resource": "arn:aws:sqs:eu-north-1:ACCOUNT-A:QUEUE-NAME-ACCOUNT-A"
,
"Sid": "Permission to LambdaRole",
"Effect": "Allow",
"Principal":
"AWS": "arn:aws:iam::ACCOUNT-B:role/LAMBDA-EXECUTION-ROLE-ACCOUNT-B"
,
"Action": [
"SQS:ChangeMessageVisibility",
"SQS:DeleteMessage",
"SQS:ReceiveMessage",
"SQS:GetQueueAttributes"
],
"Resource": "arn:aws:sqs:eu-north-1:ACCOUNT-A:QUEUE-NAME-ACCOUNT-A"
]
当账户 A 中的用户尝试从 SQS 添加 lambda 触发器时,出现以下 AccessDenied 错误:
Error code: AccessDeniedException. Error message: User: arn:aws:iam::xxxxxxxx:user/xxx is not authorized to perform: lambda:CreateEventSourceMapping on resource: *
我还尝试从 lambda 函数添加触发器(仅用于测试,因为这不是我想要的),但出现以下错误:
An error occurred when creating the trigger: The provided execution role does not have permissions to call GetQueueAttributes on SQS (Service: AWSLambda; Status Code: 400; Error Code: InvalidParameterValueException; Request ID: xxx; Proxy: null)
我的 Lambda 角色拥有“AmazonSQSFullAccess”权限。所以我真的不知道这里发生了什么。
有人可以帮忙吗?
更新
我在 SQS 权限策略中发现了一个错误,并解决了第二个错误:
An error occurred when creating the trigger: The provided execution role does not have permissions to call GetQueueAttributes on SQS (Service: AWSLambda; Status Code: 400; Error Code: InvalidParameterValueException; Request ID: xxx; Proxy: null)
但是,如前所述,我需要帐户 A 中的用户从 SQS 队列添加一个 lambda 触发器(这是我在上面发布的第一个错误),而不是相反。这可能吗?
【问题讨论】:
将完全访问策略附加到您正在使用的 Iam 角色 您能解释一下“完全访问策略”是什么意思吗?我已经拥有对我的 lambda 角色的 AmazonSQSFullAccess “errorType”:“AccessDeniedException”,“errorMessage”:“用户:arn:aws:sts::522394378604:assumed-role/chequebooks-qr-dev-eu-central-1-lambdaRole/ chequebooks-qr-dev-QrCodeGenerator 无权执行:lambda:CreateEventSourceMapping on resource: *", 我遇到了错误,任何人都可以帮助我应用 sqs 和 lambda 完全访问策略 【参考方案1】:您的 IAM 策略可能仅限于 lambda function 类型资源,但它也需要 event-source-mapping 资源。
"Resource": [
"arn:aws:lambda:*:<YOUR_ACCOUNT_ID>:function:*",
"arn:aws:lambda:*:<YOUR_ACCOUNT_ID>:event-source-mapping:*"
]
或者直接说 IAM 并选择 '*'。
资源列表可以在这里找到:Resources and conditions for Lambda actions
【讨论】:
以上是关于错误代码:AccessDeniedException。用户:arn:aws:iam::xxx:user/xxx 无权执行:lambda:CreateEventSourceMapping on reso的主要内容,如果未能解决你的问题,请参考以下文章