Philipp Chapkovski

Reputation: 2069

issues with creating permissions in Boto3

In order to send messages via mTurk to SQS, the corresponding permission to SendMessage should be given. In the documentation they say that the Principal should be mturk-requester.amazonaws.com. So the policy that works looks like:

"Principal": {
  "Service": "mturk-requester.amazonaws.com"
 },

This can be done via Boto3.SQS.addPermission. Like that:

response = client.add_permission(
    QueueUrl='string',
    Label='string',
    AWSAccountIds=[
        'string',
    ],
    Actions=[
        'string',
    ]
)

but I fail to understand how I can add the correct Principal to the AWSAccountIds field. All my attempts to use mturk-requester.amazonaws.com there failed.

What am I doing wrong?

Upvotes: 4

Views: 1717

Answers (1)

Trenton

Reputation: 11986

I think you're battling some erroneous MTurk documentation (i.e. the example policy document is invalid), as well as some under-documented Boto3 behavior (i.e. you can't pass a complex structure to SQS.add_permission).

I was able to programmatically add the policy by using set_queue_attributes instead of add_permission.

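import re
import json

import boto3

# The ARN below hard-codes us-east-1, so the client must use the same region.
client = boto3.client('sqs', region_name='us-east-1')

q = client.create_queue(QueueName='queue1001')

# The queue URL ends in "<account id>/<queue name>"; extract both for the ARN.
# Raw string so that \d is not treated as a string escape.
q_parts = re.search(r'(\d+)/(.+)$', q['QueueUrl'])
aws_id = q_parts.group(1)
q_name = q_parts.group(2)

policy = {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "mturk-requester.amazonaws.com"
      },
      "Action": "SQS:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:{}:{}".format(aws_id, q_name),
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    }
  ]
}

# The Policy attribute takes the whole policy document as a JSON string.
client.set_queue_attributes(QueueUrl=q['QueueUrl'], Attributes={'Policy': json.dumps(policy)})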

The main difference being the use of

"Condition": {
  "Bool": {
    "aws:SecureTransport": "true"
  }
}

instead of

"aws:SecureTransport":"true"

which doesn't parse in the AWS Policy Validator.

Upvotes: 7
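
An added example, not part of the original answer: set_queue_attributes replaces the queue's whole Policy attribute, so this sketch merges the MTurk statement into an existing policy and checks the Condition nesting locally before anything is sent. The Sid, the helper names and the sample ARN are assumptions made for this example.

```python
import json

MTURK_PRINCIPAL = "mturk-requester.amazonaws.com"
SID = "AllowMTurkSendMessage"  # hypothetical statement label for this example
ELEMENTS = {"Sid", "Effect", "Principal", "NotPrincipal", "Action",
            "NotAction", "Resource", "NotResource", "Condition"}


def mturk_statement(queue_arn):
    """The answer's statement, with the Condition in its nested form."""
    return {
        "Sid": SID,
        "Effect": "Allow",
        "Principal": {"Service": MTURK_PRINCIPAL},
        "Action": "SQS:SendMessage",
        "Resource": queue_arn,
        "Condition": {"Bool": {"aws:SecureTransport": "true"}},
    }


def shape_errors(statement):
    """Flag condition keys that are not nested as {operator: {key: value}}."""
    errors = [f"unexpected statement element '{k}'"
              for k in statement if k not in ELEMENTS]
    for operator, keys in statement.get("Condition", {}).items():
        if not isinstance(keys, dict):
            errors.append(f"'{operator}' needs an operator such as Bool around it")
    return errors


def merge_policy(existing_policy_json, queue_arn):
    """Add or refresh the MTurk statement, keeping every other statement."""
    policy = json.loads(existing_policy_json) if existing_policy_json else {}
    policy.setdefault("Version", "2012-10-17")
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    statements = [s for s in statements if s.get("Sid") != SID]
    statements.append(mturk_statement(queue_arn))
    problems = [e for s in statements for e in shape_errors(s)]
    if problems:
        raise ValueError("; ".join(problems))
    policy["Statement"] = statements
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Constructed ARN; the account id and queue name are placeholders.
    print(merge_policy("", "arn:aws:sqs:us-east-1:123456789012:queue1001"))
```

To use it with Boto3, read the current policy with get_queue_attributes(AttributeNames=['Policy']), pass that string (or an empty one) to merge_policy, and write the result back with set_queue_attributes as in the answer.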
