Reputation: 984
Cloudformation SQS Policy for S3 events
I'm trying to create a policy for an SQS queue which would allow any S3 bucket to send events to the queue. I don't seem to be able to do this for a specific S3 queue because I end up with circular dependencies.
I've created a cloudformation template which will create the queue and policy, but when I try and manually setup the S3 bucket to send the events I get a message saying
Permissions on the destination queue do not allow S3 to publish notifications from this bucket
The template section that I'm using to create the policy is:
"SQSNotifcationFromS3" : {
"Type" : "AWS::SQS::QueuePolicy",
"DependsOn" : "S3Notifications",
"Properties" : {
"PolicyDocument" : {
"Version": "2012-10-17",
"Id": "SQSIDsimon",
"Statement": [
{
"Sid": "example-statement-ID",
"Effect": "Allow",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Action": "SQS:*",
"Resource": { "Ref" : "S3Notifications"}
}
]
},
"Queues" : [ { "Ref" : "S3Queue" } ]
}
}
Upvotes: 6
Views: 6658
Answers (2)
Reputation: 984
In the end, I found a solution for this - I set the permissions on the SQS so that any S3 bucket could add events to the queue:
"S3EventQueuePolicy" : {
"Type" : "AWS::SQS::QueuePolicy",
"DependsOn" : [ "S3EventQueue" ],
"Properties" : {
"PolicyDocument" : {
"Id": "SQSPolicy",
"Statement": [
{
"Sid": "SQSEventPolicy",
"Effect": "Allow",
"Principal": "*",
"Action": "SQS:*",
"Resource": "*",
"Condition": {
"ArnLike": {
"aws:SourceArn": "arn:aws:s3:::*"
}
}
}
]
},
"Queues" : [ { "Ref" : "S3EventQueue"} ]
}
},
Upvotes: 10
Reputation: 101
In the AWS console, did you confirm that the queue has successfully granted permissions to the s3 bucket? In SQS, select the queue and look at the permissions tab.
Looking at your template snippet above, I'm not sure what "S3Notifications" points to but I'll assume it's the S3 bucket. The SQS policy document "Resource" should be the ARN of the S3 bucket. The "Ref" function on an S3 bucket has a Reference Value of "Name". You need ARN I believe.
See: http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/SQSExamples.html
and: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html
Upvotes: 0
Related Questions
- Incorrect S3 bucket policy is detected for bucket in CloudFormation
- AWS: How to update an existing S3 bucket-policy via CloudFormation?
- Unable to validate the following destination configurations in Cloudformation for S3 to SQS notifications with a configured SQS policy
- CloudFormation S3 NotificationConfiguration to SQS
- How to write the cloudformation subscription between Sns event topic and sqs event queue
- The notification destination service region is not valid for the bucket location constraint when creating SQS Event on S3 Bucket via Cloudformation
- aws cloudformation s3 event notification to SQS not working
- CloudFormation - not able to create SQS Policy
- How to change s3 bucket policies with cloudformation?
- Adding Cloudformation Stack Events to SNS