Invoke Lambda using SNS from Outside Account


Problem description

I've been following the following blog post from Amazon (Scenario 3: Triggering a Lambda function from an Amazon S3 bucket notification in another account) about authorizing Lambda functions for various uses. I would like to set up a Lambda function to accept SNS messages from external accounts (external to the account with the Lambda function).

https://aws.amazon.com/blogs/compute/easy-authors-aws-lambda-functions/

I was expecting to add the permission to invoke the function remotely as follows:

$ aws lambda add-permission \
     --function-name MyFunction \
     --region us-west-2 \
     --statement-id Id-123 \
     --action "lambda:InvokeFunction" \
     --principal sns.amazonaws.com \
     --source-arn arn:aws:sns:::<topic name> \
     --source-account <account number> \
     --profile adminuser

I then attempted to go to my SNS topic and set Lambda as the endpoint, and type in the remote ARN for the Lambda function in the first account. This doesn't work so well, as the endpoint expects an ARN for a function in the account...

Plan B: Try creating the subscription via the CLI to circumvent the limitation in the console...

 aws sns --profile adminuser \
     --region us-west-2 subscribe \
     --topic-arn arn:aws:sns:us-west-2:<account #>:<topic name> \
     --protocol lambda \
     --notification-endpoint arn:aws:lambda:us-west-2:<account id>:function:<lambda function name>

Response:
A client error (AuthorizationError) occurred when calling the Subscribe operation: The account <account id> is not the owner of the lambda function arn:aws:lambda:us-west-2:<account id>:function:<function name>

Has anyone been able to invoke a Lambda function from a "remote" SNS in another account? I'm a little stumped as to where I may have gone wrong... Based on the note in the blog post, I fully expected a remote SNS to work:
Note: Amazon SNS (Simple Notification Service) events sent to Lambda works the same way, with "sns.amazonaws.com" replacing "s3.amazonaws.com" as the principal.

Recommended answer

You can if the provider account authorizes the consumer account that owns the Lambda to subscribe to the SNS topic. This can be done in the "Edit topic policy" under the topics page.

Here's a summary of the steps to allow a Lambda to listen to an SNS topic from an external account:

  1. The consumer account creates the Lambda,
  2. The consumer account adds the event source to the Lambda in the AWS console by specifying the provider's SNS topic ARN (don't worry about the error message),
  3. The provider account adds SNS subscribe permission for the consumer IAM account created in the third-party AWS account (done via the "Edit topic policy" described above),
  4. The consumer adds the subscription to the subscriber account via the AWS CLI using the IAM account from step 2.

Example command that worked for me previously for step 4:

aws sns subscribe --topic-arn <provider_sns_arn> --protocol lambda --notification-endpoint <consumer_lambda_arn> --profile consumer-IAM-account
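As an added illustration (not part of the question or answer), the two policy statements the steps above rely on, expressed as the JSON documents the console and `aws lambda add-permission` produce, with constructed placeholder account numbers and names. It also includes a check for the caveat behind the question's `--source-arn` flag: an SNS grant on the function with no SourceArn condition would let any topic in any account invoke it.

```python
import json

# Constructed placeholders, not values from the page: the provider owns the
# SNS topic, the consumer owns the Lambda function.
PROVIDER_ACCOUNT = "111111111111"
CONSUMER_ACCOUNT = "222222222222"
TOPIC_ARN = f"arn:aws:sns:us-west-2:{PROVIDER_ACCOUNT}:MyTopic"
FUNCTION_ARN = f"arn:aws:lambda:us-west-2:{CONSUMER_ACCOUNT}:function:MyFunction"


def topic_policy_statement(topic_arn, consumer_account, function_arn):
    """Step 3: statement for the provider's topic policy ('Edit topic policy').
    Only the consumer account may subscribe, and only with this Lambda as the
    endpoint, so the grant cannot be reused to attach some other subscriber."""
    return {
        "Sid": "AllowConsumerLambdaSubscribe",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{consumer_account}:root"},
        "Action": "sns:Subscribe",
        "Resource": topic_arn,
        "Condition": {"StringEquals": {"sns:Endpoint": function_arn}},
    }


def lambda_permission_statement(function_arn, topic_arn, provider_account):
    """Resource policy statement equivalent to the question's add-permission
    call: --source-arn becomes AWS:SourceArn, --source-account AWS:SourceAccount."""
    return {
        "Sid": "Id-123",
        "Effect": "Allow",
        "Principal": {"Service": "sns.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": function_arn,
        "Condition": {
            "ArnLike": {"AWS:SourceArn": topic_arn},
            "StringEquals": {"AWS:SourceAccount": provider_account},
        },
    }


def unscoped_service_grants(policy):
    """Return Sids of Allow statements for a service principal that carry no
    SourceArn condition; such grants are open to every topic in every account."""
    found = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or "Service" not in st.get("Principal", {}):
            continue
        keys = {k.lower() for cond in st.get("Condition", {}).values() for k in cond}
        if "aws:sourcearn" not in keys:
            found.append(st.get("Sid"))
    return found


if __name__ == "__main__":
    print(json.dumps(topic_policy_statement(TOPIC_ARN, CONSUMER_ACCOUNT, FUNCTION_ARN), indent=2))
    print(json.dumps(lambda_permission_statement(FUNCTION_ARN, TOPIC_ARN, PROVIDER_ACCOUNT), indent=2))
```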

