bash AWS SQS 未收到 SNS 消息
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/38754931/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
AWS SQS not receiving SNS messages
提问by asdf
I created a SNS topic that publishes all the information coming out of Cloudformation via the cli. However, when I check the queue, it is not receiving any of the SNS messages. I verified the SNS is working by subscribing my email to it, so the issue seems to be in the connection between the queue and the SNS. However, I cannot find any problems with my syntax. I, as far as I know, have followed amazon's documentation precisely.
我创建了一个 SNS 主题,该主题通过 cli 发布来自 Cloudformation 的所有信息。但是,当我检查队列时,它没有收到任何 SNS 消息。我通过订阅我的电子邮件来验证 SNS 是否正常工作,因此问题似乎出在队列和 SNS 之间的连接上。但是,我找不到我的语法有任何问题。据我所知,我完全遵循了亚马逊的文档。
Bash:
重击:
#SNS parameters
SNS_NAME="${NAME}_SNS"
SQS_NAME="${NAME}_SQS"
#Create SNS topic to send cloudformation notifications to
SNS_ARN=`aws sns create-topic --name ${SNS_NAME} | jq -r '.TopicArn'`
#Create SQS to send SNS to (holding SNS messages for lambda -^ up)
SQS_URL=`aws sqs create-queue --queue-name ${SQS_NAME} | jq -r '.QueueUrl'`
SQS_ARN=`aws sqs get-queue-attributes --queue-url ${SQS_URL} --attribute-names QueueArn | jq -r '.Attributes .QueueArn'`
#subscribe the queue to the notifications
aws sns subscribe --topic-arn ${SNS_ARN} --protocol sqs --notification-endpoint ${SQS_ARN}
aws sns subscribe --topic-arn ${SNS_ARN} --protocol email-json --notification-endpoint ${EMAIL}
#Create the stack which kicks everything else off-
aws cloudformation create-stack $REGIONTEXT $ITYPETEXT --capabilities CAPABILITY_IAM --template-url https://${BUCKETNAME}.s3.amazonaws.com/${TEMPLATE} --notification-arns ${SNS_ARN} --stack-name $NAME --parameters ParameterKey=SNSARN,ParameterValue=${SNS_ARN} ParameterKey=Bucket,ParameterValue=${BUCKETNAME} ${PARAMTEXT} ${EXTRAARGS}
采纳答案by asdf
Thank you to Mark B for his answer. It provided the start to getting this working. However, in order to make a policy document work via the CLI there are a few quirks that aren't covered in the docs.
感谢 Mark B 的回答。它为这项工作提供了开始。但是,为了通过 CLI 使策略文档工作,文档中没有涵盖一些怪癖。
- There are all sorts of errors trying to pass json directly to the
--attributesflag inaws sqs set-queue-attributescommand. For some reason it requires the modifying json to be in a.jsondocument referenced by the cli. - In the
.jsonfile provided to the cli, all of the double quotes inside the"Policy"value (nested json) must be escaped (i.e.{ \"Statement\": \"HelloWorld\" }). If this is not followed, it will validation errors. I ended up needing to use the ascii escape characters in order properly format the output (\x5C). - The json file must be referenced by using
file://local-locationin the--attributesflag. It throws errors if this is not followed.
- 有各种各样的错误试图将 json 直接传递给命令中的
--attributes标志aws sqs set-queue-attributes。出于某种原因,它要求修改 json.json位于 cli 引用的文档中。 - 在
.json提供给 cli的文件中,"Policy"值(嵌套的 json)中的所有双引号都必须转义(即{ \"Statement\": \"HelloWorld\" })。如果不遵循这一点,则会出现验证错误。我最终需要使用 ascii 转义字符才能正确格式化输出 (\x5C)。 - 必须通过
file://local-location在--attributes标志中使用来引用 json 文件。如果不遵循,则会引发错误。
See the following elements I used for reference:
请参阅我用作参考的以下元素:
load_sqs.sh:
load_sqs.sh:
SQS_POLICY=
sqs-policy()
{
#First param is the queue arn, second param is the topic arn
SQS_POLICY=`printf '{ "Policy": "{\x5C\"Version\x5C\":\x5C\"2012-10-17\x5C\",\x5C\"Statement\x5C\":[{\x5C\"Sid\x5C\":\x5C\"CloudformationLambdaSQSPolicy\x5C\",\x5C\"Effect\x5C\":\x5C\"Allow\x5C\",\x5C\"Principal\x5C\":\x5C\"*\x5C\",\x5C\"Action\x5C\":\x5C\"sqs:SendMessage\x5C\",\x5C\"Resource\x5C\":\x5C\"%s\x5C\",\x5C\"Condition\x5C\":{\x5C\"ArnEquals\x5C\":{\x5C\"aws:SourceArn\x5C\":\x5C\"%s\x5C\"}}}]}" }' "" ""`
`echo $SQS_POLICY > $PWD/sqs-policy.json`
}
#SNS parameters
SNS_NAME="${NAME}_SNS"
SQS_NAME="${NAME}_SQS"
#Create SNS topic to send cloudformation notifications to
SNS_ARN=`aws sns create-topic --name ${SNS_NAME} | jq -r '.TopicArn'`
#Create SQS to send SNS to (holding SNS messages for lambda -^ up)
SQS_URL=`aws sqs create-queue --queue-name ${SQS_NAME} | jq -r '.QueueUrl'`
SQS_ARN=`aws sqs get-queue-attributes --queue-url ${SQS_URL} --attribute-names QueueArn | jq -r '.Attributes .QueueArn'`
#Add necessary SQS <--> SNS permissions
sqs-policy ${SQS_ARN} ${SNS_ARN}
`aws sqs set-queue-attributes --queue-url ${SQS_URL} --attributes file://sqs-policy.json`
#subscribe the queue to the notifications
aws sns subscribe --topic-arn ${SNS_ARN} --protocol sqs --notification-endpoint ${SQS_ARN}
sqs-policy.json:
sqs-policy.json:
{ "Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"CloudformationLambdaSQSPolicy\",\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"sqs:SendMessage\",\"Resource\":\"ResourceARN\",\"Condition\":{\"ArnEquals\":{\"aws:SourceArn\":\"SourceARN\"}}}]}" }
回答by Mark B
It doesn't look like you have given the SNS topic permission to publish to the SQS queue. Look at step 2 in this walkthrough. You'll need to add a policy like this to the SQS queue:
您似乎没有授予 SNS 主题发布到 SQS 队列的权限。查看本演练中的第 2 步。您需要将这样的策略添加到 SQS 队列:
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"MySQSPolicy001",
"Effect":"Allow",
"Principal":"*",
"Action":"sqs:SendMessage",
"Resource":"arn:aws:sqs:us-east-1:123456789012:MyQueue",
"Condition":{
"ArnEquals":{
"aws:SourceArn":"arn:aws:sns:us-east-1:123456789012:MyTopic"
}
}
}
]
}
Replacing the ARNs with the ones for your topic and queue.
将 ARN 替换为您的主题和队列的 ARN。
回答by Krisso
In my case SQS wan't receiving messages from SNS because SQS had encryption turned ON. When I turned OFF encryption on SQS it started working!
就我而言,SQS 无法从 SNS 接收消息,因为 SQS 已开启加密。当我在 SQS 上关闭加密时,它开始工作了!
This AWS documentation explains how to enable SNS compatibility with encrypted SQS queues:
此 AWS 文档解释了如何启用与加密 SQS 队列的 SNS 兼容性:
SNS requires extra permissions to be able to use the KMS key to encrypt messages for the queue.
SNS 需要额外的权限才能使用 KMS 密钥为队列加密消息。
回答by kartick shaw
If the SQS is encryted then the event pushing messages to queue must follow below steps
如果 SQS 已加密,则将消息推送到队列的事件必须遵循以下步骤
Several AWS services send events to Amazon SQS queues. To allow these event sources to work with encrypted queues, you must perform the following steps.
多个 AWS 服务将事件发送到 Amazon SQS 队列。要允许这些事件源使用加密队列,您必须执行以下步骤。
Use a customer managed CMK.
To allow the AWS service to have the kms:GenerateDataKey* and kms:Decrypt permissions, add the following statement to the CMK policy.
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": { "Service": "service.amazonaws.com" }, "Action": [ "kms:GenerateDataKey*", "kms:Decrypt" ], "Resource": "*" }] }Create a new SSE queue or configure an existing SSE queue using the ARN of your CMK.
Provide the ARN of the encrypted queue to the event source.
使用客户托管的 CMK。
要允许 AWS 服务拥有 kms:GenerateDataKey* 和 kms:Decrypt 权限,请将以下语句添加到 CMK 策略。
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": { "Service": "service.amazonaws.com" }, "Action": [ "kms:GenerateDataKey*", "kms:Decrypt" ], "Resource": "*" }] }使用 CMK 的 ARN 创建新的 SSE 队列或配置现有的 SSE 队列。
向事件源提供加密队列的 ARN。
For sns replace service section with sns.amazonaws.com
对于 sns 用 sns.amazonaws.com 替换服务部分
"Principal": {
"Service": "sns.amazonaws.com"
}
"Principal": {
"Service": "sns.amazonaws.com"
}
回答by Tiago ávila
I had this problem, what I did was to change the permissions in my SQS Queue.
我遇到了这个问题,我所做的是更改 SQS 队列中的权限。
So here is the steps:
所以这里是步骤:
- Open SQS Management Console
- Select your SQS Queue
- Go to the Permissions Tab
- Click in the button Add a permission
- Set like the image below
- 打开 SQS 管理控制台
- 选择您的 SQS 队列
- 转到权限选项卡
- 单击按钮添加权限
- 如下图设置
- Click Add Permission
- 点击添加权限
I hope this can help anybody.
我希望这可以帮助任何人。
