问题:

对资源的访问https://sqs.us-east-1.amazonaws.com/被拒绝

李昊苍
2023-03-14

有很多人提到过这个错误，但是我的情况如下。

下面是为lambda(AWS::Serverless::Function)创建的执行角色:

{
  "permissionsBoundary": {
    "permissionsBoundaryArn": "arn:aws:iam::111222333444:policy/some-permission-boundary",
    "permissionsBoundaryType": "Policy"
  },
  "roleName": "some-role-WebhookSampleFunctionRol-6Z7GFHJYHO0T",
  "policies": [
    {
      "document": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "logs:CreateLogGroup",
              "logs:CreateLogStream",
              "logs:PutLogEvents"
            ],
            "Resource": "*"
          }
        ]
      },
      "name": "AWSLambdaBasicExecutionRole",
      "id": "ANDDDDDC42545SKXIK",
      "type": "managed",
      "arn": "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
    }
  ],
  "trustedEntities": [
    "lambda.amazonaws.com"
  ]
}

其中 some-permission-boundary 权限边界的内容是：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:111222333444:log-group:*"
            ],
            "Effect": "Allow",
        },
        {
            "Action": [
                "sqs:*"
            ],
            "Resource": [
                "arn:aws:sqs:us-east-1:*:*"
            ],
            "Effect": "Allow",
        }
    ]
}

Lambda执行以下操作:

// Serializes `message` as JSON and sends it to the queue named by
// process.env.queueUrl via the module-level `sqs` client.
// Resolves with undefined on success; rejects with the SDK error otherwise.
async function sendToQueue(message) {
  const body = JSON.stringify(message);
  const queueUrl = process.env.queueUrl;
  const request = { MessageBody: body, QueueUrl: queueUrl };
  return new Promise(function (resolve, reject) {
    sqs.sendMessage(request, function (error) {
      if (error) {
        reject(error);
        return;
      }
      // The SDK response (e.g. MessageId) is intentionally not surfaced.
      resolve();
    });
  });
}

这就产生了错误:

"errorMessage": "Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied.",
    "errorType": "AccessDenied",

我们已经在 some-permission-boundary 权限边界中为跨帐户的任意队列授予了 sqs:* 操作：

为什么lambda无法将消息发送到队列?


共有2个答案

阎彬炳
2023-03-14

我也遇到了同样的问题，不过是在使用无服务器框架（Serverless FW）时。控制台抛出了这个错误：

`API: sqs:CreateQueue Access to the resource https://sqs.eu-west-1.amazonaws.com/ is denied.`

我在自定义角色中添加了来自无服务器代理（serverless agent）的权限。下面是我为该代理使用的权限（希望能对你有所帮助）：

{
   "Version": "2012-10-17",
   "Statement": [
    {
        "Action": [
            "apigateway:*",
            "cloudformation:CancelUpdateStack",
            "cloudformation:ContinueUpdateRollback",
            "cloudformation:CreateChangeSet",
            "cloudformation:CreateStack",
            "cloudformation:CreateUploadBucket",
            "cloudformation:DeleteStack",
            "cloudformation:Describe*",
            "cloudformation:EstimateTemplateCost",
            "cloudformation:ExecuteChangeSet",
            "cloudformation:Get*",
            "cloudformation:List*",
            "cloudformation:UpdateStack",
            "cloudformation:UpdateTerminationProtection",
            "cloudformation:ValidateTemplate",
            "dynamodb:CreateTable",
            "dynamodb:DeleteTable",
            "dynamodb:DescribeTable",
            "dynamodb:DescribeTimeToLive",
            "dynamodb:UpdateTimeToLive",
            "ec2:AttachInternetGateway",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:CreateInternetGateway",
            "ec2:CreateNetworkAcl",
            "ec2:CreateNetworkAclEntry",
            "ec2:CreateRouteTable",
            "ec2:CreateSecurityGroup",
            "ec2:CreateSubnet",
            "ec2:CreateTags",
            "ec2:CreateVpc",
            "ec2:DeleteInternetGateway",
            "ec2:DeleteNetworkAcl",
            "ec2:DeleteNetworkAclEntry",
            "ec2:DeleteRouteTable",
            "ec2:DeleteSecurityGroup",
            "ec2:DeleteSubnet",
            "ec2:DeleteVpc",
            "ec2:Describe*",
            "ec2:DetachInternetGateway",
            "ec2:ModifyVpcAttribute",
            "events:DeleteRule",
            "events:DescribeRule",
            "events:ListRuleNamesByTarget",
            "events:ListRules",
            "events:ListTargetsByRule",
            "events:PutRule",
            "events:PutTargets",
            "events:RemoveTargets",
            "iam:AttachRolePolicy",
            "iam:CreateRole",
            "iam:DeleteRole",
            "iam:DeleteRolePolicy",
            "iam:DetachRolePolicy",
            "iam:GetRole",
            "iam:PassRole",
            "iam:PutRolePolicy",
            "iot:CreateTopicRule",
            "iot:DeleteTopicRule",
            "iot:DisableTopicRule",
            "iot:EnableTopicRule",
            "iot:ReplaceTopicRule",
            "kinesis:CreateStream",
            "kinesis:DeleteStream",
            "kinesis:DescribeStream",
            "lambda:*",
            "logs:CreateLogGroup",
            "logs:DeleteLogGroup",
            "logs:DescribeLogGroups",
            "logs:DescribeLogStreams",
            "logs:FilterLogEvents",
            "logs:GetLogEvents",
            "logs:PutLogEvents",
            "logs:PutSubscriptionFilter",
            "logs:CreateLogStream",
            "s3:CreateBucket",
            "s3:DeleteBucket",
            "s3:DeleteBucketPolicy",
            "s3:DeleteObject",
            "s3:DeleteObjectVersion",
            "s3:GetObject",
            "s3:GetObjectVersion",
            "s3:ListAllMyBuckets",
            "s3:ListBucket",
            "s3:PutBucketNotification",
            "s3:PutBucketPolicy",
            "s3:PutBucketTagging",
            "s3:PutBucketWebsite",
            "s3:PutEncryptionConfiguration",
            "s3:PutObject",
            "sns:CreateTopic",
            "sns:DeleteTopic",
            "sns:GetSubscriptionAttributes",
            "sns:GetTopicAttributes",
            "sns:ListSubscriptions",
            "sns:ListSubscriptionsByTopic",
            "sns:ListTopics",
            "sns:SetSubscriptionAttributes",
            "sns:SetTopicAttributes",
            "sns:Subscribe",
            "sns:Unsubscribe",
            "sqs:CreateQueue",
            "sqs:ReceiveMessage",
            "sqs:DeleteMessage",
            "sqs:GetQueueAttributes",
            "states:CreateStateMachine",
            "states:DeleteStateMachine"
        ],
        "Effect": "Allow",
        "Resource": "*"
    }
]}

这组权限（不含 sqs:*）是无服务器框架（Serverless FW）文档推荐的。

葛承教
2023-03-14

权限边界是一项高级功能，它使用托管策略来设置基于身份的策略可以授予 IAM 实体的最大权限。

实体的权限边界使其只能执行其基于身份的策略和权限边界都允许的操作（即两者的交集）。

资料来源:https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html

您确实在权限边界中包含了 sqs:*，但 Lambda 执行角色的策略中没有任何与 SQS 相关的操作，因此交集为空，请求被拒绝。

您应该将具有 SQS 权限的策略附加到 Lambda 执行角色（注意：sqs:* 加上通配队列资源的授权范围很宽，按最小权限原则，函数实际只需对目标队列授予 sqs:SendMessage）：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "sqs:*"
            ],
            "Resource": [
                "arn:aws:sqs:us-east-1:*:*"
            ],
            "Effect": "Allow",
        }
    ]
}