尝试将消息发布到SQS时访问拒绝错误 [英] Access Denied Error when trying to post messages to SQS

问题描述

我正在尝试创建一个在SQS队列中记录JSON请求正文的API.

I am trying to create an API that logs JSON request bodies in an SQS queue.

我已经在FIFO和非FIFO布局中的SQS中设置了基本队列.我每次都有同样的问题.我对SQS队列的政策如下:

I have set up a basic queue in SQS in both the FIFO and non-FIFO layouts. I have the same problem each time. My policy for the SQS queue is as follows:

{
  "Version": "2012-10-17",
  "Id": "arn:aws:sqs:us-east-1:2222222222222:API-toSQS.fifo/SQSDefaultPolicy",
  "Statement": [
    {
      "Sid": "Sid22222222222",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:us-east-1:2222222222222:API-toSQS.fifo"
    }
  ]
}

我创建了一个策略，该策略赋予我所有对SQS进行写作的权限.我为API网关创建了一个角色，在其中分配了上述策略.这是我分配给该角色的政策:

I have created a policy which i give all access to SQS for writing abilities. And I have created a role for API Gateway in which i assign the aforementioned policy to. Here is the policy i have assigned to this role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "sqs:DeleteMessage",
                "sqs:ChangeMessageVisibility",
                "sqs:DeleteMessageBatch",
                "sqs:SendMessageBatch",
                "sqs:PurgeQueue",
                "sqs:DeleteQueue",
                "sqs:SendMessage",
                "sqs:CreateQueue",
                "sqs:ChangeMessageVisibilityBatch",
                "sqs:SetQueueAttributes"
            ],
            "Resource": "*"
        }
    ]
}

我已经建立了一个API网关.我已经创建了一个POST方法.我尝试启用CORS选项(创建OPTIONS方法)，并且在未启用CORS的情况下完成了此操作.我针对我的安全策略使用的ARN是正确的，我已经对其进行了三重检查.并且我选择了替代路径，并在那里有我的SQS队列的完整https URL，我也对此进行了三重检查.我的终点当然是SQS.

I have set up an API gateway. I have created a POST method. I've tried enabling the CORS option (which create an OPTIONS method) and i've done it without CORS enabled. My ARN for my security policy is correct, i have triple checked it. and i opt for the override path and have the full https URL of my SQS queue there, i have triple checked this as well. My endpoint is SQS of course.

对于集成请求，我有一个Content-Type的HTTP标头，然后有一个'application/x-www-form-urlencoded'

For integration request i have a HTTP header for Content-Type and then a Mapped From as 'application/x-www-form-urlencoded'

在映射模板中，我已将passthrough设置为never，并将Content-Type设置为application/json，并且还包含了模板Action=SendMessage&MessageBody=$input.body，可根据我发现的演练将其从正文转换为url.

in mapping templates i have passthrough set as never and have a Content-Type set to application/json is also have included the template Action=SendMessage&MessageBody=$input.body to translate from body to url as per a walkthrough i found.

我在API网关测试区域遇到以下错误

i am getting the following error in the API Gateway test area

<AccessDeniedException> <Message>Unable to determine service/operation name to be authorized</Message> </AccessDeniedException>

<AccessDeniedException> <Message>Unable to determine service/operation name to be authorized</Message> </AccessDeniedException>

那里有一个AWS专家可以指导我正确的方向吗?

Is there a AWS guru out there who can steer me in the right direction?

要澄清我的问题是它应该添加我的测试正文

to clarify my issue is that it should be adding my test body

{"peanutbutter":"jelly"}

进入SQS队列，但没有运气.

to the SQS queue, but no luck.

我可以整天从邮递员向SQS发送url编码的消息，但是我希望我的业务合作伙伴能够通过http(邮递员，节点等)发送干净的JSON对象.

I can send url encoded messages to SQS all day from postman, but i want my business partners to be able to send a clean JSON object via http (postman, node, etc, whatever..)

谢谢！

推荐答案

对于具有相同问题的任何人，从API Gateway中的集成请求中删除所有设置，并使用Lambda作为中间人"即可.对于几乎所有的AWS服务，Lambda都是一个很好的选择.我希望有一个API网关-> SQS堆栈，而不是使用API​​网关-> Lambda-> SQS，但是无论出于何种原因，lambda处理HTTP请求的方式都与尝试将API Gateway配置为执行相同操作相反没有问题.

For anyone having this same issue, removing all of the settings from the integration request in API Gateway and using Lambda as a "middleman" worked. Lambda is a great go-between for almost all of the AWS services. I would prefer to have a API Gateway -> SQS stack instead of using API Gateway -> Lambda -> SQS, but for whatever reason the way the lambda handles the HTTP request as opposed to trying to configure API Gateway to do the same, works without issue.

您无需在Lambda中使用任何外部资源，因此无需导入Zip文件.只需导入AWS和SQS.使用基本结构接受事件，然后将正文(在我的情况下为JSON)和sqs.sendMessage放入队列.

you will not need any external resources in Lambda, so no importing Zip files. Just import AWS and SQS. use the basic structure to accept the event, then take the body (as JSON in my case) and sqs.sendMessage to your queue.

希望这可以帮助遇到相同问题的任何人.

hope this helps anyone with the same issue.

这篇关于尝试将消息发布到SQS时访问拒绝错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！