Reputation: 57
I am trying to create an SQS Queue and attach permission to it via SQS::QueuePolicy. Following is my CloudFormation template:
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MySQS": {
      "Type": "AWS::SQS::Queue",
      "Properties": {
        "QueueName": "QueueName1"
      }
    },
    "MySQSPolicy": {
      "Type": "AWS::SQS::QueuePolicy",
      "Properties": {
        "Queues": [
          {
            "Fn::GetAtt": ["MySQS", "Arn"]
          }
        ],
        "PolicyDocument": {
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": ["1234567689111"]
              },
              "Action": [
                "SQS:SendMessage"
              ]
            }
          ]
        }
      }
    }
  }
}
I tried creating the stack via the AWS Console. SQS Queue creation is successful, but I am receiving the error below for the SQS policy creation:
The specified queue does not exist for this wsdl version. (Service: AmazonSQS; Status Code: 400; Error Code: AWS.SimpleQueueService.NonExistentQueue; Request ID: e2611b4d-6166-5bf3-9205-4d0590e34f84)
I have referred to the documentation but can't figure out what the problem is. Any ideas what is wrong here?
Upvotes: 3
Views: 3773
Reputation: 270154
From AWS::SQS::QueuePolicy - AWS CloudFormation:
Queues: The URLs of the queues to which you want to add the policy. You can use the Ref function to specify an AWS::SQS::Queue resource.
Also, the policy needs to refer to the Resource that is being permitted, which is the Queue. Yes, it might seem funny that the Queue is being referenced twice, but the first reference is where to put the policy, the second one is granting access to the specific queue.
The policy was also missing a Version parameter.
Therefore, use:
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MySQS": {
      "Type": "AWS::SQS::Queue",
      "Properties": {
        "QueueName": "QueueName1"
      }
    },
    "MySQSPolicy": {
      "Type": "AWS::SQS::QueuePolicy",
      "Properties": {
        "Queues": [
          {
            "Ref": "MySQS"                 <--- Changed
          }
        ],
        "PolicyDocument": {
          "Id": "QueuePolicy",
          "Version": "2012-10-17",         <--- Added
          "Statement": [
            {
              "Action": [
                "sqs:SendMessage"
              ],
              "Effect": "Allow",
              "Resource": {                <--- Added
                "Fn::GetAtt": [
                  "MySQS",
                  "Arn"
                ]
              },
              "Principal": {
                "AWS": [
                  "*"                      <--- See note below
                ]
              }
            }
          ]
        }
      }
    }
  }
}
This works fine with a Principal as shown. Or, you could specify an IAM User with:
"Principal": {
  "AWS": "arn:aws:iam::123456789012:user/myapp"
},
I don't think you can simply say that the Principal is an Account ID.
Upvotes: 3
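As an added example (not part of either post), the following Python check encodes the answer's three fixes and flags the open Principal "*" from its note: Queues must be a Ref to an AWS::SQS::Queue (the queue URL), PolicyDocument needs a Version, each statement needs a Resource, and an Allow to everyone without a Condition is reported. The embedded template is a constructed copy of the answer's corrected template with its "<---" markers removed.

```python
import json

# Constructed sample: the answer's corrected template with its "<---" markers removed so it parses.
TEMPLATE = json.loads("""{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MySQS": {"Type": "AWS::SQS::Queue", "Properties": {"QueueName": "QueueName1"}},
    "MySQSPolicy": {"Type": "AWS::SQS::QueuePolicy", "Properties": {
      "Queues": [{"Ref": "MySQS"}],
      "PolicyDocument": {
        "Id": "QueuePolicy", "Version": "2012-10-17",
        "Statement": [{
          "Action": ["sqs:SendMessage"], "Effect": "Allow",
          "Resource": {"Fn::GetAtt": ["MySQS", "Arn"]},
          "Principal": {"AWS": ["*"]}
        }]
      }
    }}
  }
}""")


def lint_queue_policies(template):
    """Findings per AWS::SQS::QueuePolicy: Queues not a Ref, missing Version/Resource, open Principal."""
    findings = []
    resources = template.get("Resources", {})
    for name, res in resources.items():
        if res.get("Type") != "AWS::SQS::QueuePolicy":
            continue
        props = res.get("Properties", {})
        # Queues takes queue URLs (Ref); a GetAtt Arn here caused the question's NonExistentQueue error.
        for q in props.get("Queues", []):
            if isinstance(q, str):
                continue  # a literal queue URL is also accepted
            if "Ref" not in q:
                findings.append(f"{name}: Queues entry must be a Ref (queue URL), got {q}")
            elif resources.get(q["Ref"], {}).get("Type") != "AWS::SQS::Queue":
                findings.append(f"{name}: Queues Ref '{q['Ref']}' is not an AWS::SQS::Queue")
        doc = props.get("PolicyDocument", {})
        if doc.get("Version") != "2012-10-17":
            findings.append(f"{name}: PolicyDocument lacks Version 2012-10-17")
        for i, stmt in enumerate(doc.get("Statement", [])):
            if "Resource" not in stmt:
                findings.append(f"{name}: statement {i} has no Resource (the queue ARN)")
            # Principal may be "*" or {"AWS": "*"}/{"AWS": [...]}; flag Allow-to-everyone with no Condition.
            principal = stmt.get("Principal", {})
            aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
            aws = aws if isinstance(aws, list) else [aws]
            if stmt.get("Effect") == "Allow" and "*" in aws and "Condition" not in stmt:
                findings.append(f"{name}: statement {i} allows Principal '*' with no Condition")
    return findings
```

Run against the question's original template, the check reports the GetAtt in Queues, the missing Version and the missing Resource; against the answer's template it reports only the unconditioned "*" Principal.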