Amazon Simple Notification Service
Developer Guide (API Version 2010-03-31)
AWS services or the features described in AWS documentation may vary by region or location. Click Getting Started with Amazon AWS to see specific differences applicable to the China (Beijing) Region.

Creating a Topic That Sends Messages to Amazon SQS Queues Using an AWS CloudFormation Template

With AWS CloudFormation, you use a template file to create and configure a set of AWS resources as a single unit. The sample template in this section lets you easily deploy a topic that publishes to queues. The template handles the setup steps for you: it creates two queues, creates a topic subscribed to those queues, adds a policy to the queues so that the topic can send messages to them, and creates IAM users and groups to control access to these resources.

For more information about deploying AWS resources with an AWS CloudFormation template, see Getting Started in the AWS CloudFormation User Guide.

Using an AWS CloudFormation Template to Set Up Topics and Queues Within an AWS Account

This sample template creates an Amazon SNS topic that can send messages to two Amazon SQS queues, with permissions set up so that members of one IAM group can publish to the topic and members of another group can read messages from the queues. The template also creates IAM users that can be added to each group.

You can download this template (https://s3.amazonaws.com/cloudformation-templates-us-east-1/SNSToSQS.template) from the AWS CloudFormation sample templates page.

MySNSTopic is set up to publish to two subscribed endpoints, which are two Amazon SQS queues (MyQueue1 and MyQueue2). MyPublishTopicGroup is an IAM group whose members have permission to publish to MySNSTopic using the Publish API action or the sns-publish command. The template creates the IAM users MyPublishUser and MyQueueUser and gives each of them a login profile and access keys. The user who creates a stack from this template supplies the login profile passwords as input parameters. The template creates access keys for the two IAM users with MyPublishUserKey and MyQueueUserKey. AddUserToMyPublishTopicGroup adds MyPublishUser to MyPublishTopicGroup so that the user receives the permissions assigned to that group.

MyRDMessageQueueGroup is an IAM group whose members have permission to read and delete messages from the two Amazon SQS queues using the ReceiveMessage and DeleteMessage API actions. AddUserToMyQueueGroup adds MyQueueUser to MyRDMessageQueueGroup so that the user receives the permissions assigned to that group. MyQueuePolicy grants MySNSTopic permission to publish its notifications to the two queues; it does so with a wildcard principal that is narrowed by an aws:SourceArn condition matching the topic's ARN, so only notifications originating from MySNSTopic are accepted.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "This Template creates an Amazon SNS topic that can send messages to two Amazon SQS queues with appropriate permissions for one IAM user to publish to the topic and another to read messages from the queues. MySNSTopic is set up to publish to two subscribed endpoints, which are two Amazon SQS queues (MyQueue1 and MyQueue2). MyPublishUser is an IAM user that can publish to MySNSTopic using the Publish API. MyTopicPolicy assigns that permission to MyPublishUser. MyQueueUser is an IAM user that can read messages from the two Amazon SQS queues. MyQueuePolicy assigns those permissions to MyQueueUser. It also assigns permission for MySNSTopic to publish its notifications to the two queues. The template creates access keys for the two IAM users with MyPublishUserKey and MyQueueUserKey. Note that you will be billed for the AWS resources used if you create a stack from this template.",
  "Parameters": {
    "MyPublishUserPassword": {
      "NoEcho": "true",
      "Type": "String",
      "Description": "Password for the IAM user MyPublishUser",
      "MinLength": "1",
      "MaxLength": "41",
      "AllowedPattern": "[a-zA-Z0-9]*",
      "ConstraintDescription": "must contain only alphanumeric characters."
    },
    "MyQueueUserPassword": {
      "NoEcho": "true",
      "Type": "String",
      "Description": "Password for the IAM user MyQueueUser",
      "MinLength": "1",
      "MaxLength": "41",
      "AllowedPattern": "[a-zA-Z0-9]*",
      "ConstraintDescription": "must contain only alphanumeric characters."
    }
  },
  "Resources": {
    "MySNSTopic": {
      "Type": "AWS::SNS::Topic",
      "Properties": {
        "Subscription": [
          { "Endpoint": {"Fn::GetAtt": ["MyQueue1", "Arn"]}, "Protocol": "sqs" },
          { "Endpoint": {"Fn::GetAtt": ["MyQueue2", "Arn"]}, "Protocol": "sqs" }
        ]
      }
    },
    "MyQueue1": { "Type": "AWS::SQS::Queue" },
    "MyQueue2": { "Type": "AWS::SQS::Queue" },
    "MyPublishUser": {
      "Type": "AWS::IAM::User",
      "Properties": {
        "LoginProfile": { "Password": {"Ref": "MyPublishUserPassword"} }
      }
    },
    "MyPublishUserKey": {
      "Type": "AWS::IAM::AccessKey",
      "Properties": { "UserName": {"Ref": "MyPublishUser"} }
    },
    "MyPublishTopicGroup": {
      "Type": "AWS::IAM::Group",
      "Properties": {
        "Policies": [
          {
            "PolicyName": "MyTopicGroupPolicy",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": ["sns:Publish"],
                  "Resource": {"Ref": "MySNSTopic"}
                }
              ]
            }
          }
        ]
      }
    },
    "AddUserToMyPublishTopicGroup": {
      "Type": "AWS::IAM::UserToGroupAddition",
      "Properties": {
        "GroupName": {"Ref": "MyPublishTopicGroup"},
        "Users": [{"Ref": "MyPublishUser"}]
      }
    },
    "MyQueueUser": {
      "Type": "AWS::IAM::User",
      "Properties": {
        "LoginProfile": { "Password": {"Ref": "MyQueueUserPassword"} }
      }
    },
    "MyQueueUserKey": {
      "Type": "AWS::IAM::AccessKey",
      "Properties": { "UserName": {"Ref": "MyQueueUser"} }
    },
    "MyRDMessageQueueGroup": {
      "Type": "AWS::IAM::Group",
      "Properties": {
        "Policies": [
          {
            "PolicyName": "MyQueueGroupPolicy",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": ["sqs:DeleteMessage", "sqs:ReceiveMessage"],
                  "Resource": [
                    {"Fn::GetAtt": ["MyQueue1", "Arn"]},
                    {"Fn::GetAtt": ["MyQueue2", "Arn"]}
                  ]
                }
              ]
            }
          }
        ]
      }
    },
    "AddUserToMyQueueGroup": {
      "Type": "AWS::IAM::UserToGroupAddition",
      "Properties": {
        "GroupName": {"Ref": "MyRDMessageQueueGroup"},
        "Users": [{"Ref": "MyQueueUser"}]
      }
    },
    "MyQueuePolicy": {
      "Type": "AWS::SQS::QueuePolicy",
      "Properties": {
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Id": "MyQueuePolicy",
          "Statement": [
            {
              "Sid": "Allow-SendMessage-To-Both-Queues-From-SNS-Topic",
              "Effect": "Allow",
              "Principal": "*",
              "Action": ["sqs:SendMessage"],
              "Resource": "*",
              "Condition": {
                "ArnEquals": { "aws:SourceArn": {"Ref": "MySNSTopic"} }
              }
            }
          ]
        },
        "Queues": [{"Ref": "MyQueue1"}, {"Ref": "MyQueue2"}]
      }
    }
  },
  "Outputs": {
    "MySNSTopicTopicARN": { "Value": {"Ref": "MySNSTopic"} },
    "MyQueue1Info": {
      "Value": {"Fn::Join": [" ", [
        "ARN:", {"Fn::GetAtt": ["MyQueue1", "Arn"]},
        "URL:", {"Ref": "MyQueue1"}
      ]]}
    },
    "MyQueue2Info": {
      "Value": {"Fn::Join": [" ", [
        "ARN:", {"Fn::GetAtt": ["MyQueue2", "Arn"]},
        "URL:", {"Ref": "MyQueue2"}
      ]]}
    },
    "MyPublishUserInfo": {
      "Value": {"Fn::Join": [" ", [
        "ARN:", {"Fn::GetAtt": ["MyPublishUser", "Arn"]},
        "Access Key:", {"Ref": "MyPublishUserKey"},
        "Secret Key:", {"Fn::GetAtt": ["MyPublishUserKey", "SecretAccessKey"]}
      ]]}
    },
    "MyQueueUserInfo": {
      "Value": {"Fn::Join": [" ", [
        "ARN:", {"Fn::GetAtt": ["MyQueueUser", "Arn"]},
        "Access Key:", {"Ref": "MyQueueUserKey"},
        "Secret Key:", {"Fn::GetAtt": ["MyQueueUserKey", "SecretAccessKey"]}
      ]]}
    }
  }
}
```
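Two properties of this template are worth checking mechanically before a stack is created from it or from a modified copy: that every queue policy granting sqs:SendMessage to a wildcard principal is narrowed by an aws:SourceArn (or aws:SourceAccount) condition, as MyQueuePolicy is, and which stack outputs surface an IAM secret access key, as MyPublishUserInfo and MyQueueUserInfo do (stack outputs are readable by anyone allowed to describe the stack). The script below is an added example, not part of this guide or of the template; it runs those two checks over a constructed excerpt of the template, and the same functions accept the full downloaded template loaded with json.load.

```python
import json

# Constructed excerpt of the page's template: the queue policy and one output,
# which is all the two checks below look at (the full stack is not needed).
TEMPLATE_EXCERPT = json.loads(r'''{
  "Resources": {
    "MyQueuePolicy": {"Type": "AWS::SQS::QueuePolicy", "Properties": {
      "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": "*",
        "Action": ["sqs:SendMessage"], "Resource": "*",
        "Condition": {"ArnEquals": {"aws:SourceArn": {"Ref": "MySNSTopic"}}}}]},
      "Queues": [{"Ref": "MyQueue1"}, {"Ref": "MyQueue2"}]}}
  },
  "Outputs": {
    "MyQueueUserInfo": {"Value": {"Fn::Join": [" ", ["Access Key:",
      {"Ref": "MyQueueUserKey"}, "Secret Key:",
      {"Fn::GetAtt": ["MyQueueUserKey", "SecretAccessKey"]}]]}}
  }
}''')

SOURCE_KEYS = {"aws:SourceArn", "aws:SourceAccount"}

def unscoped_wildcard_statements(template):
    """Names of queue policies with an Allow for Principal "*" that no
    aws:SourceArn / aws:SourceAccount condition narrows to a sender."""
    hits = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::SQS::QueuePolicy":
            continue
        for stmt in res["Properties"]["PolicyDocument"].get("Statement", []):
            wild = stmt.get("Principal") in ("*", {"AWS": "*"})
            keys = {k for op in stmt.get("Condition", {}).values() for k in op}
            if stmt.get("Effect") == "Allow" and wild and not keys & SOURCE_KEYS:
                hits.append(name)
    return hits

def _has_secret_getatt(node):
    """True if a Fn::GetAtt on SecretAccessKey appears anywhere under node."""
    if isinstance(node, dict):
        att = node.get("Fn::GetAtt")
        if isinstance(att, list) and att[-1:] == ["SecretAccessKey"]:
            return True
        return any(_has_secret_getatt(v) for v in node.values())
    return isinstance(node, list) and any(_has_secret_getatt(v) for v in node)

def outputs_exposing_secrets(template):
    """Names of stack Outputs that would surface an IAM user's secret key."""
    return [n for n, o in template.get("Outputs", {}).items() if _has_secret_getatt(o)]
```

On the page's template the first check returns nothing, because MyQueuePolicy carries the aws:SourceArn condition, while the second flags the two user-info outputs.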