SQS Lambda触发器传输中的消息

Question

我有触发lambda的SQS。

当我将消息放入SQS队列时，它显示消息正在传输中，而我的lambda不能处理消息。

我的Lambda具有以下权限

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "sqs:DeleteMessage",
                "sqs:GetQueueUrl",
                "sqs:ListDeadLetterSourceQueues",
                "sqs:DeleteMessageBatch",
                "sqs:ReceiveMessage",
                "sqs:GetQueueAttributes",
                "sqs:ListQueueTags"
            ],
            "Resource": "*"
        }
    ]
}

ALso它具有以下权限

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "logs:CreateLogGroup",
            "Resource": "arn:aws:logs:us-east-1:5722*****:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:5722****:log-group:/aws/lambda/815223_Test:*"
            ]
        }
    ]
}

当我附加“管理员访问”权限权限时，它会起作用，并触发lambda。我不确定我错过了哪个权限here.My队列是未加密的。

Answer 1

查看CloudTrail以确定导致API失败的根本原因。还要检查用于您的SQS的队列策略。

对于默认的SQS和Lambda组合，您只需要以下权限。

- "SQS:SendMessage"
- "SQS:ReceiveMessage"
- "SQS:DeleteMessage"
- "SQS:GetQueueAttributes"

下面是一个示例CloudFormation模板，供您参考。

AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Creates the SQS and Lambda pattern
Resources:
  # SQS queue and queue policy
  FileProcessingEventsQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: "FileProcessingEventsQueue"
      VisibilityTimeout: 60
  FileProcessingEventsQueuePolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - !Ref FileProcessingEventsQueue
      PolicyDocument:
        Statement:
          - Action:
              - "SQS:*"
            Effect: "Allow"
            Resource: !GetAtt FileProcessingEventsQueue.Arn
            Principal:
              AWS: "*"
            Condition:
              StringEquals:
                aws:SourceAccount: !Sub "${AWS::AccountId}"
  # Lambda function and role for handling the SQS events
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: "sts:AssumeRole"
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: InlinePolicy
          PolicyDocument:
            Statement:
              - Action:
                  - "SQS:SendMessage"
                  - "SQS:ReceiveMessage"
                  - "SQS:DeleteMessage"
                  - "SQS:GetQueueAttributes"
                Effect: Allow
                Resource: "*"
  LambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      Description: "Lambda for the event processing"
      Runtime: "python3.7"
      Role: !GetAtt LambdaExecutionRole.Arn
      Handler: index.handler
      MemorySize: 128
      Timeout: 60
      Code:
        ZipFile: |
          import json
          import logging

          # Configure logging

          LOGGER = logging.getLogger(__name__)
          LOGGER.setLevel(logging.DEBUG)

          def handler(event, context):
              LOGGER.debug(json.dumps(event, indent=4, default=str))
              data = {'status': 'event printed'}
              return data
  SQSAndLambdaMapping:
    Type: AWS::Lambda::EventSourceMapping
    Properties:
      EventSourceArn: !GetAtt FileProcessingEventsQueue.Arn
      FunctionName: !GetAtt LambdaFunction.Arn
Outputs:
  SQSQueue:
    Description: File processing queue
    Value: !Ref FileProcessingEventsQueue