- 最新
- 最多得票
- 最多評論
Hi there,
Adding onto the response above, here's another example with a sample lambda function IoT rule and error action, however I would also like to point out the SSE-KMS permission requirement. Since the S3 bucket is configured with SSE-KMS you may need the IoT IAM Role seen in "roleArn" section below, to have the correct KMS key policy permissions to write to the S3 bucket, you can find the steps to add these here [1][2][3].
{
"sql": "expression",
"ruleDisabled": false,
"awsIotSqlVersion": "2016-03-23",
"actions": [{
"lambda": {
"functionArn": "arn:aws:lambda:us-west-2:123456789012:function:my-lambda-function"
}
}],
"errorAction": {
"s3": {
"roleArn": "arn:aws:iam::123456789012:role/aws_iot_s3",
"bucketName": "message-processing-errors",
"key": "${replace(topic(), '/', '-') + '-' + timestamp() + '-' + newuuid()}"
}
}
}
Please find the resources below for more information :
-
[1] Allowing users/roles to access KMS S3 : https://repost.aws/knowledge-center/s3-bucket-access-default-encryption
-
[2] Granting an AWS IoT rule the access it requires - https://docs.aws.amazon.com/iot/latest/developerguide/iot-create-role.html
-
[3] KMS permissions required for access : https://docs.cloudera.com/HDPDocuments/HDP3/HDP-3.1.4/bk_cloud-data-access/content/SSE-KMS-permissions.html
Hi - I am assuming that you referring to this https://docs.aws.amazon.com/iot/latest/developerguide/rule-error-handling.html. Yes the error action can write data to an Amazon S3 bucket. For example see errorAction
{
"sql" : "SELECT * FROM ..."
"actions" : [{
"dynamoDB" : {
"table" : "PoorlyConfiguredTable",
"hashKeyField" : "AConstantString",
"hashKeyValue" : "AHashKey"}}
],
"errorAction" : {
"s3" : {
"roleArn": "arn:aws:iam::123456789012:role/aws_iot_s3",
"bucketName" : "message-processing-errors",
"key" : "${replace(topic(), '/', '-') + '-' + timestamp() + '-' + newuuid()}"
}
}
}
If you want to test, you can do like this change the permission of the role which invokes the lambda function so that that error fails.
Hi Nitin, I am, but I'm sending to a SSE-KMS bucket and I see @Panashe has added some more detail on how to achieve this. Thanks for the role permissions suggestion............ah, I see the roleArn statement in you example thanks
相關內容
AWS 官方已更新 2 年前- AWS 官方已更新 1 年前
- AWS 官方已更新 1 年前
- AWS 官方已更新 3 年前
Hi Panashe, thanks. I'll check how i can assign permissions or grants to IoT to write to the bucket.