本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
使用 AWS CloudFormation 模板创建向 Amazon SQS 队列发送消息的主题
AWS CloudFormation 允许您使用模板文件将 AWS 资源集合作为一个单元一起创建和配置。通过本部分提供的模板示例,您可以轻松部署向队列发布的主题。这些模板通过创建两个队列、创建订阅队列的主题、向队列添加策略以便主题可以向队列发送消息,以及创建IAM用户和组来控制对这些资源的访问权限,从而为您完成设置步骤。
有关使用 AWS CloudFormation 模板部署 AWS 资源的更多信息,请参阅《AWS CloudFormation 用户指南》中的 “入门”。
使用 AWS CloudFormation 模板在中设置主题和队列 AWS 账户
示例模板创建了一个 Amazon SNS 主题,该主题可以向两个 Amazon SQS 队列发送消息,并允许一个IAM群组的成员向该主题发布消息,另一个群组的成员可以从队列中读取消息。该模板还会创建添加到每个群组的IAM用户。
您可以将模板内容复制到文件中,您也可以从 “模板” 页面下载AWS
CloudFormation 模板
M 设置ySNSTopic 为发布到两个已订阅的终端节点,即两个 Amazon SQS 队列(MyQueue1 和 MyQueue 2)。 MyPublishTopicGroup 是一个IAM群组,其成员有权ySNSTopic 使用 “发布” API 操作或 sns-p ub lish 命令向 M 发布内容。该模板创建IAM用户, MyPublishUser MyQueueUser 并为他们提供登录配置文件和访问密钥。通过该模板创建堆栈的用户将指定登录界面密码作为输入参数。该模板使用 MyPublishUserKey 和为两个IAM用户创建访问密钥 MyQueueUserKey。 AddUserToMyPublishTopicGroup 添加 MyPublishUser 到, MyPublishTopicGroup这样用户就可以拥有分配给该组的权限。
M yRDMessage QueueGroup 是一个IAM群组,其成员有权使用和DeleteMessageAPI操作从两个 Amazon SQS 队列中读取ReceiveMessage和删除消息。 AddUserToMyQueueGroup 添加 MyQueueUser 到 M 中,yRDMessageQueueGroup 这样用户就可以拥有分配给该组的权限。 MyQueuePolicy 为 M 分配ySNSTopic 向这两个队列发布通知的权限。
以下清单显示了 AWS CloudFormation 模板的内容。
{ "AWSTemplateFormatVersion" : "2010-09-09", "Description" : "AWS CloudFormation Sample Template SNSToSQS: This Template creates an SNS topic that can send messages to two SQS queues with appropriate permissions for one IAM user to publish to the topic and another to read messages from the queues. MySNSTopic is set up to publish to two subscribed endpoints, which are two SQS queues (MyQueue1 and MyQueue2). MyPublishUser is an IAM user that can publish to MySNSTopic using the Publish API. MyTopicPolicy assigns that permission to MyPublishUser. MyQueueUser is an IAM user that can read messages from the two SQS queues. MyQueuePolicy assigns those permissions to MyQueueUser. It also assigns permission for MySNSTopic to publish its notifications to the two queues. The template creates access keys for the two IAM users with MyPublishUserKey and MyQueueUserKey. ***Warning*** you will be billed for the AWS resources used if you create a stack from this template.", "Parameters": { "MyPublishUserPassword": { "NoEcho": "true", "Type": "String", "Description": "Password for the IAM user MyPublishUser", "MinLength": "1", "MaxLength": "41", "AllowedPattern": "[a-zA-Z0-9]*", "ConstraintDescription": "must contain only alphanumeric characters." }, "MyQueueUserPassword": { "NoEcho": "true", "Type": "String", "Description": "Password for the IAM user MyQueueUser", "MinLength": "1", "MaxLength": "41", "AllowedPattern": "[a-zA-Z0-9]*", "ConstraintDescription": "must contain only alphanumeric characters." } }, "Resources": { "MySNSTopic": { "Type": "AWS::SNS::Topic", "Properties": { "Subscription": [{ "Endpoint": { "Fn::GetAtt": ["MyQueue1", "Arn"] }, "Protocol": "sqs" }, { "Endpoint": { "Fn::GetAtt": ["MyQueue2", "Arn"] }, "Protocol": "sqs" } ] } }, "MyQueue1": { "Type": "AWS::SQS::Queue" }, "MyQueue2": { "Type": "AWS::SQS::Queue" }, "MyPublishUser": { "Type": "AWS::IAM::User", "Properties": { "LoginProfile": { "Password": { "Ref": "MyPublishUserPassword" } } } }, "MyPublishUserKey": { "Type": "AWS::IAM::AccessKey", "Properties": { "UserName": { "Ref": "MyPublishUser" } } }, "MyPublishTopicGroup": { "Type": "AWS::IAM::Group", "Properties": { "Policies": [{ "PolicyName": "MyTopicGroupPolicy", "PolicyDocument": { "Statement": [{ "Effect": "Allow", "Action": [ "sns:Publish" ], "Resource": { "Ref": "MySNSTopic" } }] } }] } }, "AddUserToMyPublishTopicGroup": { "Type": "AWS::IAM::UserToGroupAddition", "Properties": { "GroupName": { "Ref": "MyPublishTopicGroup" }, "Users": [{ "Ref": "MyPublishUser" }] } }, "MyQueueUser": { "Type": "AWS::IAM::User", "Properties": { "LoginProfile": { "Password": { "Ref": "MyQueueUserPassword" } } } }, "MyQueueUserKey": { "Type": "AWS::IAM::AccessKey", "Properties": { "UserName": { "Ref": "MyQueueUser" } } }, "MyRDMessageQueueGroup": { "Type": "AWS::IAM::Group", "Properties": { "Policies": [{ "PolicyName": "MyQueueGroupPolicy", "PolicyDocument": { "Statement": [{ "Effect": "Allow", "Action": [ "sqs:DeleteMessage", "sqs:ReceiveMessage" ], "Resource": [{ "Fn::GetAtt": ["MyQueue1", "Arn"] }, { "Fn::GetAtt": ["MyQueue2", "Arn"] } ] }] } }] } }, "AddUserToMyQueueGroup": { "Type": "AWS::IAM::UserToGroupAddition", "Properties": { "GroupName": { "Ref": "MyRDMessageQueueGroup" }, "Users": [{ "Ref": "MyQueueUser" }] } }, "MyQueuePolicy": { "Type": "AWS::SQS::QueuePolicy", "Properties": { "PolicyDocument": { "Statement": [{ "Effect": "Allow", "Principal": { "Service": "sns.amazonaws.com" }, "Action": ["sqs:SendMessage"], "Resource": "*", "Condition": { "ArnEquals": { "aws:SourceArn": { "Ref": "MySNSTopic" } } } }] }, "Queues": [{ "Ref": "MyQueue1" }, { "Ref": "MyQueue2" }] } } }, "Outputs": { "MySNSTopicTopicARN": { "Value": { "Ref": "MySNSTopic" } }, "MyQueue1Info": { "Value": { "Fn::Join": [ " ", [ "ARN:", { "Fn::GetAtt": ["MyQueue1", "Arn"] }, "URL:", { "Ref": "MyQueue1" } ] ] } }, "MyQueue2Info": { "Value": { "Fn::Join": [ " ", [ "ARN:", { "Fn::GetAtt": ["MyQueue2", "Arn"] }, "URL:", { "Ref": "MyQueue2" } ] ] } }, "MyPublishUserInfo": { "Value": { "Fn::Join": [ " ", [ "ARN:", { "Fn::GetAtt": ["MyPublishUser", "Arn"] }, "Access Key:", { "Ref": "MyPublishUserKey" }, "Secret Key:", { "Fn::GetAtt": ["MyPublishUserKey", "SecretAccessKey"] } ] ] } }, "MyQueueUserInfo": { "Value": { "Fn::Join": [ " ", [ "ARN:", { "Fn::GetAtt": ["MyQueueUser", "Arn"] }, "Access Key:", { "Ref": "MyQueueUserKey" }, "Secret Key:", { "Fn::GetAtt": ["MyQueueUserKey", "SecretAccessKey"] } ] ] } } } }
