【以下的问题经过翻译处理】 我正在尝试设置从SQS队列到Lambda函数的跨账户通信。这两个资源都位于“eu-central-1”区域,但在两个不同的AWS帐户中。我的设置如下:ACCOUNT_A
拥有Lambda函数ACCOUNT_B
拥有SQS队列。我已经在Account A中创建了IAM角色,并将其附加到Lambda函数(ACCOUNT_A_LAMBDA_EXECUTION_ROLE)。IAM角色已经被附加AWSLambdaSQSQueueExecutionRole
的管理权限。ACCOUNT_B上的SQS队列具有以下访问策略{ "Version": "2008-10-17", "Id": "__default_policy_ID", "Statement": [ { "Sid": "__owner_statement", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::ACCOUNT_B:root" }, "Action": "SQS:*", "Resource": "arn:aws:sqs:eu-central-1:ACCOUNT_B:" }, { "Sid": "__receiver_statement", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::ACCOUNT_A:role/LAMBDA_EXECUTION_ROLE" }, "Action": [ "SQS:ChangeMessageVisibility", "SQS:DeleteMessage", "SQS:ReceiveMessage", "SQS:GetQueueAttributes" ], "Resource": "arn:aws:sqs:eu-central-1:ACCOUNT_B:" } ]}
我使用AWS CLI添加Lambda触发器,以便ACCOUNT_B_SQS_QUEUE可以添加为ACCOUNT_A_LAMBDA_FUNCTION的触发器。以下是AWS CLI命令aws lambda create-event-source-mapping --function-name ACCOUNT_A_LAMBDA_FUNCTION --event-source-arn ACCOUNT_B_SQS_QUEUE-arn --profile ACCOUNT_A-aws-profile --region eu-central-1
但是此命令失败并显示以下错误:An error occurred (InvalidParameterValueException) when calling the CreateEventSourceMapping operation: The provided execution role does not have permissions to call ReceiveMessage on SQS
我也尝试手动添加Lambda触发器,但是也失败了。