Encrypting an SQS queue (us-east-2) with a key from another account (us-east-1) and accessing it with Lambda - facing an error
Consider two accounts, Account A and Account B. We have to encrypt an SQS queue in account B using a KMS key from account A and then send and receive messages to the queue using a Lambda (which is in account A).
SQS CFN TEMPLATE:
  MyQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: !Ref QueueName
      DelaySeconds: '0'
      MaximumMessageSize: '262144'
      MessageRetentionPeriod: '345600'
      ReceiveMessageWaitTimeSeconds: '0'
      VisibilityTimeout: '30'
      KmsMasterKeyId: <Key_id of the custom CMK>   # (I have a doubt here also, should i input the key id or the alias of my key?)
KEY POLICY:
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<Account_B_id>:root",
          "arn:aws:iam::<Account_A_id>:root",
          "arn:aws:iam::<Account_A_id>:role/lambda-execution-role"
        ]
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<Account_A_id>:role/lambda-execution-role"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion",
        "kms:ReplicateKey",
        "kms:UpdatePrimaryRegion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<Account_B_id>:root",
          "arn:aws:iam::<Account_A_id>:role/lambda-execution-role"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<Account_B_id>:root",
          "arn:aws:iam::<Account_A_id>:role/lambda-execution-role"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}
SQS Queue policy:
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<Account_A_id>:role/lambda-execution-role"
      },
      "Action": "sqs:*",
      "Resource": "arn:aws:sqs:us-east-2:<Account_B_id>:queue"
    }
  ]
}
Lambda function - Python code for sending and receiving messages to the queue:
import json
import boto3


def lambda_handler(event, context):
    # The queue lives in account B (us-east-2); this Lambda runs in account A.
    sqs = boto3.client('sqs', region_name='us-east-2')
    queue_url = 'https://sqs.us-east-2.amazonaws.com/<Account_B_id>/queue'
    # On an SSE-KMS queue, each send makes SQS call KMS on the caller's behalf.
    response = sqs.send_message(QueueUrl=queue_url, DelaySeconds=0, MessageBody='hey there 123 !')
    response1 = sqs.send_message(QueueUrl=queue_url, DelaySeconds=0, MessageBody='hey there 1234 !')
    response2 = sqs.send_message(QueueUrl=queue_url, DelaySeconds=0, MessageBody='hey there 123345 !')
    print('message sent')
    response5 = sqs.receive_message(
        QueueUrl=queue_url,
        AttributeNames=['All'],
        MaxNumberOfMessages=10,
        WaitTimeSeconds=7)
    # receive_message omits the 'Messages' key entirely when nothing was returned,
    # so guard the lookup instead of indexing blindly.
    messages = response5.get('Messages', [])
    if messages:
        print(messages[0]['Body'])
    else:
        print('no messages received')
After doing all these things, I created a test event in Lambda and tested it. I am getting the error below:
[ERROR] ClientError: An error occurred (KMS.AccessDeniedException) when calling the SendMessage operation: null (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Request ID: d6913dbc-e22f-4ccf-ba5a-9844ab1156e0; Proxy: null)
Traceback (most recent call last):
  File "/var/task/lambda_function.py", line 6, in lambda_handler
    response = sqs.send_message(QueueUrl=queue_url,DelaySeconds=0,MessageBody=('hey there 123 !'))
  File "/var/runtime/botocore/client.py", line 386, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/runtime/botocore/client.py", line 705, in _make_api_call
    raise error_class(parsed_response, operation_name)
Without KMS this setup is working. Can someone help me out with integrating KMS into this?
Comments (1)
For resolving this, I reached out to AWS Support and got the solution. Initially I had my key in us-east-1 and was trying to use it. In order to access an SQS queue in us-east-2, the key must also be in us-east-2. So the solution suggested to me was: create a replica of the key in us-east-2 and input the ARN of the replica key (I made a mistake here too, I gave the key id in the CFN template) in the CloudFormation template (since I was using a multi-region key). If it isn't a multi-region key, we must create a new key in the same region as the SQS queue.
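The two mistakes the answer names (a key in a different region than the queue, and a bare key id instead of a key ARN for a cross-account key) can both be caught before deployment with a static check over the template values. The Python below is an added example written for this page; it is not code from the question, the answer or AWS, and it calls no AWS API. It goes a little beyond the answer by also checking, against a key policy in the question's shape, whether the Lambda role is granted the KMS actions SQS performs on a producer's behalf (kms:GenerateDataKey and kms:Decrypt) and by building a multi-region replica ARN from the primary's ARN (same account and key id, different region; multi-region key ids begin with mrk-). All ARNs, account ids and the key policy in it are constructed placeholders, and the policy evaluator is a deliberately simplified model (explicit Allow statements only, exact principal or account-root match, no Deny or Condition evaluation).

```python
"""Offline pre-checks for an SQS queue encrypted with another account's KMS key.

Added example, not code from the question or its answer; it calls no AWS API.
All ARNs, account ids and the key policy below are constructed placeholders.
"""
import fnmatch
import re

# KMS actions SQS performs on the caller's behalf for SSE-KMS queues:
# producers need GenerateDataKey + Decrypt, consumers need Decrypt.
PRODUCER_ACTIONS = frozenset({"kms:GenerateDataKey", "kms:Decrypt"})
CONSUMER_ACTIONS = frozenset({"kms:Decrypt"})

ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):(?P<service>[^:]+):(?P<region>[^:]*)"
    r":(?P<account>[^:]*):(?P<resource>.+)$"
)


def parse_arn(arn):
    """Split an ARN into its fields; ValueError if the string is not an ARN."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an ARN: {arn!r}")
    return m.groupdict()


def replica_arn(key_arn, region):
    """ARN of a multi-region key's replica: same account and key id, other region."""
    k = parse_arn(key_arn)
    return f"arn:{k['partition']}:kms:{region}:{k['account']}:{k['resource']}"


def check_queue_key(queue_arn, kms_master_key_id):
    """Problems with a queue's KmsMasterKeyId for cross-account use ([] = none)."""
    problems = []
    queue = parse_arn(queue_arn)
    if not kms_master_key_id.startswith("arn:"):
        # A bare key id or alias is resolved in the queue's own account only.
        problems.append("KmsMasterKeyId must be the full key ARN when the key "
                        "belongs to another account")
        return problems
    key = parse_arn(kms_master_key_id)
    if key["service"] != "kms" or not key["resource"].startswith("key/"):
        problems.append("KmsMasterKeyId is not a KMS key ARN")
    if key["region"] != queue["region"]:
        msg = f"key is in {key['region']} but the queue is in {queue['region']}"
        if key["resource"].startswith("key/mrk-"):  # multi-region key ids start with mrk-
            msg += f"; use the replica {replica_arn(kms_master_key_id, queue['region'])}"
        else:
            msg += "; create a key in the queue's region"
        problems.append(msg)
    return problems


def allowed_actions(key_policy, principal_arn, required):
    """Subset of `required` that the key policy's Allow statements grant.

    Simplified model: a statement applies if it names the principal ARN exactly
    or names that account's root (which only delegates to the account's IAM
    policies, so the role's own IAM policy must then allow the action as well).
    Deny statements and Conditions are not evaluated.
    """
    account = parse_arn(principal_arn)["account"]
    root = f"arn:aws:iam::{account}:root"
    granted = set()
    for st in key_policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        principals = st.get("Principal", {}).get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        if principal_arn not in principals and root not in principals:
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for action in required:
            # fnmatch covers IAM wildcards such as kms:* and kms:GenerateDataKey*
            if any(fnmatch.fnmatchcase(action, pat) for pat in actions):
                granted.add(action)
    return granted


# Constructed sample values (not real accounts or keys).
QUEUE_ARN = "arn:aws:sqs:us-east-2:222222222222:queue"               # account B
KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/mrk-" + "0" * 32    # account A
ROLE_ARN = "arn:aws:iam::111111111111:role/lambda-execution-role"
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Allow use of the key",
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::222222222222:root", ROLE_ARN]},
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"],
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    for ref in ("mrk-" + "0" * 32, KEY_ARN, replica_arn(KEY_ARN, "us-east-2")):
        print(ref, "->", check_queue_key(QUEUE_ARN, ref) or "ok")
    print("producer actions granted to the role:",
          sorted(allowed_actions(KEY_POLICY, ROLE_ARN, PRODUCER_ACTIONS)))
```

Run as a script it reports the bare key id and the us-east-1 ARN as problems (the latter with the us-east-2 replica ARN to use instead) and accepts the replica ARN; the policy check confirms that the question's "Allow use of the key" statement covers the producer actions for the role. The check is intentionally conservative: a passing key policy still requires the role's IAM policy to allow the same KMS actions, and the queue's own policy to allow the SQS calls, as in the question.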