跨账户 SNS 在第二个账户订阅 Lambda

Question

我已使用以下 SNS 主题策略在 Lambda 中订阅此 SNS，帐号为 222222222222。我还通过类似策略授予对我的 lambda 的访问权限，并将其添加到 Lambda 的执行角色中。

得到以下错误：

创建触发器时出错：用户： arn:aws:sts::222222222222:假定角色/TSI_Base_FullAccess/AXXXXXXX 无权执行：SNS：订阅资源： arn:aws:sns:eu-west-1:111111111111:Story-5555（服务：AmazonSNS； 状态码：403；错误代码：授权错误；请求编号： 1321942c-25c4-52a1-bacb-c2e9bd641067)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1582008007178",
      "Action": [
        "sns:GetSubscriptionAttributes",
        "sns:GetTopicAttributes",
        "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTagsForResource",
        "sns:ListTopics",
        "sns:Publish",
        "sns:Subscribe"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:sns:eu-west-1:111111111111:Story-5555",
      "Condition": {
        "ArnEquals": {
          "aws:PrincipalArn": "arn:aws:lambda:eu-west-1:222222222222:function:New_Cross_SNS"
        }
      }
    }
  ]
}

Answer 1

根据AWS Documentation，您应该在条件之外指定原则。

所以你的政策应该类似于

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1582008007178",
      "Action": [
        "sns:GetSubscriptionAttributes",
        "sns:GetTopicAttributes",
        "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTagsForResource",
        "sns:ListTopics",
        "sns:Publish",
        "sns:Subscribe"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:sns:eu-west-1:111111111111:Story-5555",
      "Principal": {
        "AWS": ["222222222222"]
      },
      "Condition": {
        "ArnEquals": {
          "aws:PrincipalArn": [
               "arn:aws:lambda:eu-west-1:222222222222:function:New_Cross_SNS",
               "arn:aws:sts::222222222222:assumed-role:TSI_Base_FullAccess:AXXXXXXXX"
          ]
        }
      }
    }
  ]
}

确定在策略的条件部分指定哪个 ARN 的方法是从您的函数调用（并打印）get-caller-identity API。