Reputation: 57
CloudFormation - not able to create SQS Policy
I am trying to create a SQSQueue and attach permission to it via SQS::QueuePolicy. Following is my cloud Formation template -
Template
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"MySQS": {
"Type": "AWS::SQS::Queue",
"Properties": {
"QueueName": "QueueName1"
}
},
"MySQSPolicy": {
"Type": "AWS::SQS::QueuePolicy",
"Properties": {
"Queues": [
{
"Fn::GetAtt" : ["MySQS", "Arn"]
}
],
"PolicyDocument": {
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": ["1234567689111"]
},
"Action": [
"SQS:SendMessage"
]
}
]
}
}
}
}
}
Error
I tried creating stack via AWS Console, SQS Queue creation is successful ,but receiving below error for SQS policy creation -
The specified queue does not exist for this wsdl version. (Service: AmazonSQS; Status Code: 400; Error Code: AWS.SimpleQueueService.NonExistentQueue; Request ID: e2611b4d-6166-5bf3-9205-4d0590e34f84)
I have referred the documentation but can't figure out what the problem is? Any ideas what is wrong here?
Upvotes: 3
Views: 3773
Answers (1)
Reputation: 270154
From AWS::SQS::QueuePolicy - AWS CloudFormation:
Queues: The URLs of the queues to which you want to add the policy. You can use the Ref function to specify an
AWS::SQS::Queueresource.
Also, the policy needs to refer to the Resource that is being permitted, which is the Queue. Yes, it might seem funny that the Queue is being referenced twice, but the first reference is where to put the policy, the second one is granting access to the specific queue.
The policy was also missing a Version parameter.
Therefore, use:
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"MySQS": {
"Type": "AWS::SQS::Queue",
"Properties": {
"QueueName": "QueueName1"
}
},
"MySQSPolicy": {
"Type": "AWS::SQS::QueuePolicy",
"Properties": {
"Queues": [
{
"Ref": "MySQS" <--- Changed
}
],
"PolicyDocument": {
"Id": "QueuePolicy",
"Version": "2012-10-17", <--- Added
"Statement": [
{
"Action": [
"sqs:SendMessage"
],
"Effect": "Allow",
"Resource": { <--- Added
"Fn::GetAtt": [
"MySQS",
"Arn"
]
},
"Principal": {
"AWS": [
"*" <--- See note below
]
}
}
]
}
}
}
}
}
This works fine with a Principal as shown. Or, you could specify an IAM User with:
"Principal" : {
"AWS" : "arn:aws:iam::123456789012:user/myapp"
},
I don't think you can simply say that the Principal is an Account ID.
Upvotes: 3
Related Questions
- AWS Cloudformation IAM Policy with Resource
- AWS ECS CloudFormation unable to create service with service discovery registry
- CloudFormation - not able to create Lambda Function
- Error in creating SQS Queue and its access policy through Cloudformation
- Why does this SQSQueuePolicy fail to create in AWS CloudFormation?
- Cannot create only IAM policy with cloudformation
- AWS Cloudformation Error: Policy has invalid resource
- CloudFormation: "The requested configuration is currently not supported"
- Cannot create ECS Service via CloudFormation
- Cloudformation template to create a role for SQS