【发布时间】:2019-09-02 11:16:42
【问题描述】:
帮助我的兄弟姐妹们!
我有一个推送一些 SNS 主题和订阅的 CF 堆栈。其中一些订阅调用 Lambda 函数。推送堆栈后,我将通过手动向其推送通知来测试调用 lambda 的 SNS 主题。 Lambda 从不开火。当我记录主题的交付状态时,我会得到如下信息:
{
"notification": {
"messageMD5Sum": "dfdd100c8699626047a347c435c981fa",
"messageId": "423e1faf-088a-55f8-b2dc-4a86703224c9",
"topicArn": "arn:aws:sns:us-east-2:643112374624:Foobar",
"timestamp": "2019-04-11 17:16:40.096"
},
"delivery": {
"deliveryId": "aae702b2-4787-5c7c-87e6-579b3f3f7f67",
"destination": "arn:aws:lambda:us-east-2:642113479024:function:SomeLambdaFunction",
"providerResponse": "{\"ErrorCode\":\"AccessDeniedException\",\"ErrorMessage\":\"User: sns.amazonaws.com is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-east-2:642113479024:function:SomeLambdaFunction\",\"lambdaRequestId\":\"Unrecoverable\"}",
"dwellTimeMs": 35,
"attempts": 1,
"statusCode": 403
},
"status": "FAILURE"
}
因此,我需要授予 SNS(或至少该 SNS 主题)权限以执行特定的 lambda 函数,这对我来说是完全有意义的。我如何承认这一点对我来说是个谜。有什么帮助吗?
当您通过 Web 控制台创建 Lambda 时,您会看到此选项。什么是 CF 等价物。
我尝试向我的 CloudFormation 堆栈模板添加权限:
PolicyName:
Type: AWS::Lambda::Permission
Properties:
FunctionName: !GetAtt { MyLambdaFunctionName, Arn }
Action: 'lambda:InvokeFunction'
Principal: sns.amazonaws.com
SourceArn: !GetAtt { MySNSTopicName, Arn }
当我尝试部署包含策略的堆栈模板时,它失败并出现错误:
Failed to create the changeset: Waiter ChangeSetCreateComplete failed: Waiter encountered a terminal failure state Status: FAILED. Reason: Invalid template property or properties [PolicyName]
【问题讨论】:
标签: amazon-web-services amazon-sns