为什么此SQSQueuePolicy无法在AWS CloudFormation中创建?

编程问答 2022-10-31

问题描述

我创建了以下CloudFormation模板:

AWstemplateFormatVersion: 2010-09-09
Description: Creates all resources necessary to send SES emails & track bounces/complaints through AWS
Resources:
  IAMUser:
    Type: 'AWS::IAM::User'
    Properties:
      UserName: iam-ses-sqs
  SQSQueue:
    Type: 'AWS::SQS::Queue'
    Properties:
      QueueName: ses-queue
  SNSTopic:
    Type: 'AWS::SNS::Topic'
    Properties:
      TopicName: sns-notifications
  IAMUserPolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: IAM_Send_SES_Email
      PolicyDocument:
        Statement:
          - Effect: Allow
            Action:
              - 'SES:SendEmail'
              - 'SES:SendRawEmail'
            Resource: 'arn:aws:ses:*:*:identity/*'
      Users:
        - !Ref IAMUser
  SQSQueuePolicy:
    Type: 'AWS::SQS::QueuePolicy'
    Properties:
      Queues:
        - !Ref SQSQueue
      PolicyDocument:
        Statement:
          - Action:
              - 'SQS:ReceiveMessage'
              - 'SQS:DeleteMessage'
              - 'SQS:GetQueueAttributes'
            Effect: Allow
            Resource: !Ref SQSQueue
            Principal:
              AWS:
                - !Ref IAMUser
  SNSTopicSubscription:
    Type: 'AWS::SNS::Subscription'
    Properties:
      Protocol: SQS
      Endpoint: !GetAtt 
        - SQSQueue
        - Arn
      TopicArn: !Ref SNSTopic

我想允许IAMUser对SQSQueue资源执行SQS ReceiveMessage,DeleteMessage和GetQueueAttributes操作。 SQSQueue还应该订阅SNSTopic。

在CloudFormation中使用此模板创建堆栈时,SQSQueue,SNSTopic,SNSTopicSubscription,IAMUser和IAMUserPolicy都可以毫无问题地按该顺序创建。但是,SQSQueuePolicy无法创建并生成错误消息: Invalid value for the parameter Policy. (Service: AmazonSQS; Status Code: 400; Error Code: InvalidAttributeValue; Request ID: {request id})

为什么会失败,以及如何修改模板以确保成功创建所有资源及其关联的策略/预订?

解决方法

以下内容将返回队列URL ,而不是ARN:

Resource: !Ref SQSQueue

但是您需要在策略中使用队列ARN 

Resource: !GetAtt SQSQueue.Arn
,

我在您的CloudFormation模板中发现了两个问题。

第一个,如Marcin所说,资源引用必须是队列ARN,而不是队列URL。

Resource: !GetAtt SQSQueue.Arn

第二个是您的AWS参考与您的IAM用户一起使用,但必须是账户ID。

Principal:
  AWS:
    - !Ref 'AWS::AccountId'

也就是说,我能够使用此CloudFormation模板在帐户中成功创建CloudFormation堆栈:

AWSTemplateFormatVersion: 2010-09-09
Description: Creates all resources necessary to send SES emails & track bounces/complaints through AWS
Resources:
  IAMUser:
    Type: 'AWS::IAM::User'
    Properties:
      UserName: iam-ses-sqs
  SQSQueue:
    Type: 'AWS::SQS::Queue'
    Properties:
      QueueName: ses-queue
  SQSQueuePolicy:
    Type: 'AWS::SQS::QueuePolicy'
    Properties:
      Queues:
        - !Ref SQSQueue
      PolicyDocument:
        Statement:
          - Action:
              - 'SQS:ReceiveMessage'
              - 'SQS:DeleteMessage'
              - 'SQS:GetQueueAttributes'
            Effect: Allow
            Resource: !GetAtt SQSQueue.Arn
            Principal:
              AWS:
                - !Ref 'AWS::AccountId'
amazon-cloudformationamazon-sqs