Problem description
I have an event bus and created an event rule that forwards events to an SQS queue. I have now enabled encryption on the queue using the default Amazon-managed key (alias/aws/sqs).
Since enabling encryption, events are no longer forwarded. Looking through the AWS documentation, I could only find information about encrypting with a CMK, nothing about the Amazon-managed key.
I suspect this is a permissions problem, but I'm not sure. Here are my event rule and access policy:
queueCreateInvoiceEvent:
  Type: AWS::Events::Rule
  DependsOn: [myQueue]
  Properties:
    Description: Forward INVOICE_CREATED event to SQS queue
    EventBusName: ${self:custom.eventBus.name}
    EventPattern: { "detail-type": ["INVOICE_CREATED"] }
    Name: ${self:service.name}-${self:provider.stage}-buffer-invoice-created-event
    State: ENABLED
    Targets:
      - Id: myQueue
        Arn:
          Fn::GetAtt: [myQueue, Arn]

createReceiptQueueAccessPolicy:
  Type: AWS::SQS::QueuePolicy
  DependsOn: [queueCreateInvoiceEvent, myQueue]
  Properties:
    Queues:
      - { Ref: createReceiptQueue }
    PolicyDocument:
      Id: EventBridgeSqsAccessPolicy
      Version: "2012-10-17"
      Statement:
        - Sid: Allow-User-SendMessage
          Effect: Allow
          Principal:
            Service: "events.amazonaws.com"
          Action:
            - sqs:SendMessage
          Resource:
            - Fn::GetAtt: ["myQueue", "Arn"]
          Condition:
            ArnEquals:
              aws:SourceArn:
                - Fn::GetAtt: ["queueCreateInvoiceEvent", "Arn"]
Solution
According to the EventBridge troubleshooting page, your KMS key policy needs to allow EventBridge to use the key:
{
  "Sid": "Allow EventBridge to use the key",
  "Effect": "Allow",
  "Principal": {
    "Service": "events.amazonaws.com"
  },
  "Action": [
    "kms:Decrypt",
    "kms:GenerateDataKey"
  ],
  "Resource": "*"
}
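As an added example (not part of the question or answer), here is how that statement can be placed on a customer-managed key and the key attached to the queue in plain CloudFormation; the policy of an AWS managed key such as alias/aws/sqs cannot be edited, so the statement has to live on a key you own. The logical IDs, the fixed queue name and the use of CloudFormation short-form intrinsics instead of the Serverless `${self:...}` variables are assumptions; the grant is narrowed to this one queue through the `aws:sqs:arn` encryption context that SQS supplies, and the queue name is fixed so the key policy can name the queue without a circular reference.

```yaml
Resources:
  # Customer-managed key: unlike alias/aws/sqs, its key policy can be edited.
  InvoiceQueueKey:
    Type: AWS::KMS::Key
    Properties:
      Description: CMK for the invoice buffer queue (example, names assumed)
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          # Keep the account able to administer the key; without this
          # statement the key becomes unmanageable.
          - Sid: AllowAccountAdministration
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: "*"
          # The statement from the troubleshooting page, scoped to this queue:
          # SQS passes its own queue ARN as the aws:sqs:arn encryption context,
          # so EventBridge can only use the key on behalf of that queue.
          - Sid: AllowEventBridgeToUseTheKey
            Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action:
              - kms:Decrypt
              - kms:GenerateDataKey
            Resource: "*"   # in a key policy, "*" means this key only
            Condition:
              StringEquals:
                kms:EncryptionContext:aws:sqs:arn: !Sub arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:invoice-buffer-queue

  myQueue:
    Type: AWS::SQS::Queue
    Properties:
      # Fixed name (assumed) so the key policy above can spell out the queue
      # ARN; a GetAtt on the queue here would create a circular dependency.
      QueueName: invoice-buffer-queue
      # Replaces the default alias/aws/sqs key with the customer-managed key.
      KmsMasterKeyId: !Ref InvoiceQueueKey
```

The queue policy and the event rule from the question stay as they are; only the key behind the queue changes.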