使用AmazonSNSClient发送文本消息时的授权 [英] Authorization when sending a text message using AmazonSNSClient
问题描述
有关如何发送文本消息的AWS官方文档与Java中的aws SDK相当简单.
但是,当发送如底部示例中所示的消息时,出现错误User: arn:aws:iam::xxx:user/sms-testing is not authorized to perform: SNS:Publish on resource: +999999999
请注意,+999999999
是传递给.withPhoneNumber()
呼叫的电话号码,因此aws api抱怨我的IAM用户没有必要的权限将SNS:Publish
带有该电话号码的消息发送到资源.>
我的问题:如何创建一个能够通过Java SDK发送SMS通知的IAM用户?目前,看来我必须为要向其发送消息的每个号码创建权限,这看起来很奇怪而且很难维护.
错误告诉您,您的IAM用户"sms-testing"无权发布到该资源的SNS(SNS:Publish).您的IAM用户可能根本没有SNS:Publish权限,这意味着您无法发布任何内容.在这种情况下,您只需要向用户添加以下IAM策略,或者将该策略添加到您的IAM用户所属的IAM组.
下面的链接应带您转到IAM控制台,以编辑"sms-testing"用户的权限.以下也是一个示例策略,允许IAM用户将任何内容发布到SNS(SMS,主题,端点等).
如果您想稍微降低权限,则可以修改资源"并指定特定的SNS资源,例如Topic或application arn.如果您无法编辑IAM用户策略,则需要让管理员为您添加此策略.
修改您的IAM用户: https://console.aws.amazon .com/iam/home?region = us-east-1#users/sms-testing
允许SNS发布到所有资源的示例策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sns:Publish"
],
"Resource": "*"
}
]
}
由于SNS没有SMS资源,因此您可以做一点破解,然后将所有SNS都拒绝"发布到主题和平台应用程序",然后再允许发布到仅剩下SMS的其余部分.
这是一个示例策略,仅允许发布到SMS并拒绝发布到主题和应用程序(推送通知):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"sns:Publish"
],
"Resource": "arn:aws:sns:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"sns:Publish"
],
"Resource": "*"
}
]
}
希望有帮助.
-丹尼斯
The official aws documentation on how to send a Textmessage with the aws SDK in java is pretty straightforward.
However, when sending a message like shown in the example at the bottom, I'm getting the error User: arn:aws:iam::xxx:user/sms-testing is not authorized to perform: SNS:Publish on resource: +999999999
Note that +999999999
is the phone number passed to the .withPhoneNumber()
call, so the aws api complains about my IAM user not having the necessary permission to SNS:Publish
a message to the resource with that phone number.
My question: How do I create an IAM user which is able to send SMS notifications through the java SDK? Currently, it looks like I would have to create a permission for each number I'm sending messages to, which seems weird and hard to maintain.
The error is telling you that your IAM user "sms-testing" does not have permission to publish to SNS (SNS:Publish) to that resource. Your IAM user probably does not have the SNS:Publish permission at all, which means you can't publish anything. If that is the case, you just need to add the following IAM policy to your user OR add the policy to the IAM Group from which your IAM user belongs.
The link below should take you right to the IAM console to edit permissions for the "sms-testing" user. Also below is a sample policy allowing the IAM user to publish anything to SNS (SMS, Topics, Endpoints, etc..).
If you want to lock down permissions a bit, you would modify the "Resource" and specify a specific SNS resource like Topic or application arn. If you are unable to edit the IAM user policy, you'll need to get your administrator to add this policy for you.
Modify your IAM user: https://console.aws.amazon.com/iam/home?region=us-east-1#users/sms-testing
Sample policy for allowing SNS Publish to ALL resources:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sns:Publish"
],
"Resource": "*"
}
]
}
Since SNS does not have an SMS resource, you can do a bit of a hack and "Deny" all SNS publishing to Topics and Platform Applications and then allow publish to the rest which leaves only SMS (for now).
Here's a sample policy allowing only publish to SMS and denying publishing to topics and applications (push notifications):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"sns:Publish"
],
"Resource": "arn:aws:sns:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"sns:Publish"
],
"Resource": "*"
}
]
}
Hope that helps.
-Dennis
这篇关于使用AmazonSNSClient发送文本消息时的授权的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!