Yaml 从多个SNS主题向单个Amazon SQS发送消息
新的地球形态 我正在尝试从两个SNS主题Yaml 从多个SNS主题向单个Amazon SQS发送消息,yaml,terraform,amazon-sqs,amazon-sns,terragrunt,Yaml,Terraform,Amazon Sqs,Amazon Sns,Terragrunt,新的地球形态 我正在尝试从两个SNS主题SNSA和SNSB向亚马逊SQS发送消息 当我在本地执行plz计划时,一切都很好,“然后”我尝试通过JENKINS进行部署,这给了我一个错误提示: Error: error creating SNS topic subscription: AuthorizationError: User: arn:aws:sts::325400131687:assumed-role/JENKINSDEPLOY/ is not authorized to perform:
SNSA
和SNSB
向亚马逊SQS
发送消息
当我在本地执行plz计划时,一切都很好,“然后”我尝试通过JENKINS进行部署,这给了我一个错误提示:
Error: error creating SNS topic subscription: AuthorizationError: User: arn:aws:sts::325400131687:assumed-role/JENKINSDEPLOY/ is not authorized to perform:
SNS:Subscribe on resource: arn:aws:sns:us-east-1:453101592424:snsb
有趣的是SNSA没有这个问题
我得到一个输出,上面写着aws\u sns\u topic\u subscription.snsa:1s后创建完成
我给了两个SNS相同的权限,我的两分钱在角色/Perms
上,我想我搞砸了!!
因为当我尝试在我的MsgPerm.yml
中重新排序SNS主题时(先放置SNSB,然后是SNSA),这一次SNSB被创建,并且得到了与SNSA相同的错误
如有任何与此问题相关的建议或意见,将不胜感激,谢谢
我的角色和权限设置如下:
MsgPerm.yml
---
statements:
-
effect: "Allow"
actions:
- "sqs:AddPermission"
- "sqs:CreateQueue"
- "sqs:DeleteQueue"
- "sqs:Get*"
- "sqs:List*"
- "sqs:PurgeQueue"
- "sqs:RemovePermission"
- "sqs:SetQueueAttributes"
- "sqs:TagQueue"
- "sqs:UnTagQueue"
resources:
- !Sub "arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:myproject*"
-
effect: "Allow"
actions:
- "sqs:SendMessage"
- "sqs:SendMessageBatch"
- "sqs:ReceiveMessage"
- "sqs:DeleteMessage"
- "sqs:DeleteMessageBatch"
- "sqs:DeleteQueue"
- "sqs:CreateQueue"
- "sqs:AddPermission"
- "sqs:PurgeQueue"
- "sqs:RemovePermission"
- "sqs:TagQueue"
- "sqs:UntagQueue"
- "sqs:Set*"
- "sqs:Get*"
- "sqs:List*"
resources:
- !Sub "arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:myproject*"
- "arn:aws:sns:us-east-1:453101592424:snsa"
- "arn:aws:sns:us-east-1:453101592424:snsb"
-
effect: "Allow"
actions:
- "sns:CreateTopic"
- "sns:DeleteTopic"
- "sns:Subscribe"
- "sns:Unsubscribe"
- "sns:AddPermission"
- "sns:RemovePermission"
- "sns:Receive"
- "sns:Publish"
- "sns:TagResource"
- "sns:UntagResource"
- "sns:Set*"
- "sns:Get*"
- "sns:List*"
resources:
- !Sub "arn:aws:sns:${AWS::Region}:${AWS::AccountId}:PREFIX*"
- "arn:aws:sns:us-east-1:453101592424:snsa"
- "arn:aws:sns:us-east-1:453101592424:snsb"
---
managedPolicyArns:
-
name: Enterprise/GoldenVPCRequirements
cignamanaged: true
-
name: AmazonAPIGatewayAdministrator
awsmanaged: true
-
name: MsgPerm
awsmanaged: false
-
name: SecurityPerm
awsmanaged: false
federated: true
JENKINSDEPLOY.yml
---
statements:
-
effect: "Allow"
actions:
- "sqs:AddPermission"
- "sqs:CreateQueue"
- "sqs:DeleteQueue"
- "sqs:Get*"
- "sqs:List*"
- "sqs:PurgeQueue"
- "sqs:RemovePermission"
- "sqs:SetQueueAttributes"
- "sqs:TagQueue"
- "sqs:UnTagQueue"
resources:
- !Sub "arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:myproject*"
-
effect: "Allow"
actions:
- "sqs:SendMessage"
- "sqs:SendMessageBatch"
- "sqs:ReceiveMessage"
- "sqs:DeleteMessage"
- "sqs:DeleteMessageBatch"
- "sqs:DeleteQueue"
- "sqs:CreateQueue"
- "sqs:AddPermission"
- "sqs:PurgeQueue"
- "sqs:RemovePermission"
- "sqs:TagQueue"
- "sqs:UntagQueue"
- "sqs:Set*"
- "sqs:Get*"
- "sqs:List*"
resources:
- !Sub "arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:myproject*"
- "arn:aws:sns:us-east-1:453101592424:snsa"
- "arn:aws:sns:us-east-1:453101592424:snsb"
-
effect: "Allow"
actions:
- "sns:CreateTopic"
- "sns:DeleteTopic"
- "sns:Subscribe"
- "sns:Unsubscribe"
- "sns:AddPermission"
- "sns:RemovePermission"
- "sns:Receive"
- "sns:Publish"
- "sns:TagResource"
- "sns:UntagResource"
- "sns:Set*"
- "sns:Get*"
- "sns:List*"
resources:
- !Sub "arn:aws:sns:${AWS::Region}:${AWS::AccountId}:PREFIX*"
- "arn:aws:sns:us-east-1:453101592424:snsa"
- "arn:aws:sns:us-east-1:453101592424:snsb"
---
managedPolicyArns:
-
name: Enterprise/GoldenVPCRequirements
cignamanaged: true
-
name: AmazonAPIGatewayAdministrator
awsmanaged: true
-
name: MsgPerm
awsmanaged: false
-
name: SecurityPerm
awsmanaged: false
federated: true
最后是我的sns.tf
文件
resource "aws_sns_topic_subscription" "snsa" {
topic_arn = "arn:aws:sns:${var.datastore_account_region}:${var.datastore_account_id}:${var.sns_topic_snsa}"
protocol = "sqs"
endpoint = aws_sqs_queue.incoming.arn
depends_on = [
aws_sqs_queue.incoming
]
}
resource "aws_sns_topic_subscription" "snsb" {
topic_arn = "arn:aws:sns:${var.datastore_account_region}:${var.datastore_account_id}:${var.sns_topic_snsb}"
protocol = "sqs"
endpoint = aws_sqs_queue.incoming.arn
depends_on = [
aws_sqs_queue.incoming
]
}
您的错误消息写入:
arn:aws:sns:us-east-1:453101592424:SNSB
但是您的策略使用(不同的情况下snsb
):
主题名称区分大小写是的,我知道,snsa和snsb-这些都是虚构的名称,在我的问题中有输入错误,我现在已经更新了,谢谢