Reputation: 83
I'm trying to create an SQS queue with access permissions that allow a role in another AWS account to use this queue with a Lambda trigger via CloudFormation.
The error I'm getting is:
Invalid value for the parameter Policy. (Service: AmazonSQS; Status Code: 400; Error Code: InvalidAttributeValue; Request ID: aa188680-cebc-5a3f-b3c1-db9ef554ae64; Proxy: null)
The resource the issue is occurring on:
QueuePolicy:
  Type: AWS::SQS::QueuePolicy
  Properties:
    PolicyDocument:
      Statement:
        - Sid: EnableLambda
          Action:
            - sqs:DeleteMessage
            - sqs:GetQueueAttributes
            - sqs:ReceiveMessage
          Effect: Allow
          Resource: !GetAtt Queue.Arn
          Principal:
            AWS: !Sub arn:aws:iam::${LambdaAccountId}:role/${LambdaRoleName}
    Queues:
      - !Ref Queue
I've been banging my head against a brick wall on this. What am I doing wrong?
Upvotes: 0
Views: 1229
Reputation: 83
The issue turned out to be that the Lambda role needed to exist before I created this permissions doc. It looks like AWS does do some sort of checking if the resource exists prior to accepting the doc. I was able to swap out the role for one that did exist and it worked fine. I then changed the order my cfn was creating this so that the role would exist first and it worked.
Upvotes: 0
Reputation: 415
The value of the attribute "AWS" accepts a list of values.
The syntax should be:
QueuePolicy:
  Type: AWS::SQS::QueuePolicy
  Properties:
    PolicyDocument:
      Statement:
        - Sid: EnableLambda
          Action:
            - sqs:DeleteMessage
            - sqs:GetQueueAttributes
            - sqs:ReceiveMessage
          Effect: Allow
          Resource: !GetAtt Queue.Arn
          Principal:
            AWS:
              - !Sub arn:aws:iam::${LambdaAccountId}:role/${LambdaRoleName}
    Queues:
      - !Ref Queue
Upvotes: 1
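An added pre-deployment check, not part of the question or either answer, that lints a resolved queue policy document of the shape discussed above: it flags a wildcard principal with no Condition, a principal that is not a well-formed IAM role ARN (for example an unresolved `${LambdaAccountId}`), actions beyond the three a Lambda trigger needs, and a Resource that is not the queue itself. The account IDs and queue ARN are constructed placeholders; whether the principal role actually exists, which the accepted answer turned out to hinge on, can only be verified against IAM, not offline.

```python
import re

# Actions a Lambda event source mapping needs on the queue; anything beyond
# these in a cross-account grant is more than the trigger requires.
LAMBDA_TRIGGER_ACTIONS = {"sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"}
ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def as_list(value):
    """IAM accepts a scalar or a list for Principal.AWS, Action and Resource."""
    return value if isinstance(value, list) else [value]


def lint_queue_policy(policy: dict, queue_arn: str) -> list:
    """Return findings for every Allow statement; an empty list means the policy looks sane."""
    findings = []
    for st in as_list(policy.get("Statement", [])):
        sid = st.get("Sid", "<no Sid>")
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        aws = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else as_list(principal)
        for p in aws:
            if p == "*":
                if "Condition" not in st:
                    findings.append(f"{sid}: wildcard principal without a Condition")
            elif not ROLE_ARN.match(str(p)):
                # Catches typos and unresolved !Sub placeholders; existence is checked with IAM, not here.
                findings.append(f"{sid}: principal {p!r} is not a well-formed role ARN")
        for action in as_list(st.get("Action", [])):
            if action not in LAMBDA_TRIGGER_ACTIONS:
                findings.append(f"{sid}: action {action!r} exceeds what a Lambda trigger needs")
        for res in as_list(st.get("Resource", [])):
            if res != queue_arn:
                findings.append(f"{sid}: resource {res!r} is not this queue")
    return findings


# Constructed samples (made-up account IDs and queue ARN): the question's statement
# with !Sub resolved, and an over-broad variant that the linter should reject.
QUEUE_ARN = "arn:aws:sqs:us-east-1:111111111111:my-queue"
GOOD_POLICY = {"Statement": [{"Sid": "EnableLambda", "Effect": "Allow",
    "Action": ["sqs:DeleteMessage", "sqs:GetQueueAttributes", "sqs:ReceiveMessage"],
    "Resource": QUEUE_ARN,
    "Principal": {"AWS": ["arn:aws:iam::222222222222:role/lambda-consumer"]}}]}
BAD_POLICY = {"Statement": [{"Sid": "EnableLambda", "Effect": "Allow",
    "Action": "sqs:*", "Resource": QUEUE_ARN, "Principal": {"AWS": "*"}}]}

if __name__ == "__main__":
    for name, pol in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, lint_queue_policy(pol, QUEUE_ARN))
```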