Menu
I'm trying to create a policy for an SQS queue which would allow any S3 bucket to send events to the queue. I don't seem to be able to do this for a specific S3 queue because I end up with circular dependencies.
I've created a cloudformation template which will create the queue and policy, but when I try and manually setup the S3 bucket to send the events I get a message saying
Permissions on the destination queue do not allow S3 to publish notifications from this bucket
The template section that I'm using to create the policy is:
"SQSNotifcationFromS3" : {
"Type" : "AWS::SQS::QueuePolicy",
"DependsOn" : "S3Notifications",
"Properties" : {
"PolicyDocument" : {
"Version": "2012-10-17",
"Id": "SQSIDsimon",
"Statement": [
{
"Sid": "example-statement-ID",
"Effect": "Allow",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Action": "SQS:*",
"Resource": { "Ref" : "S3Notifications"}
}
]
},
"Queues" : [ { "Ref" : "S3Queue" } ]
}
}
688
asked Aug 24 '16 11:08
In the preceding example permissions statement, the S3 bucket hellobucket, owned by customer account 123456789, can send ObjectCreated event notifications to the specified SQS queue.
The default policy allows only the queue owner to send and receive messages. Open the Amazon SQS console at https://console.aws.amazon.com/sqs/ . In the navigation pane, choose Queues. Choose a queue and choose Edit.
The aws documentation for SQS says multiple policies could be applied to a single queue; however the cloudformation QueuePolicy does not have explicit mention on whether this is allowed or not.
In the end, I found a solution for this - I set the permissions on the SQS so that any S3 bucket could add events to the queue:
"S3EventQueuePolicy" : {
"Type" : "AWS::SQS::QueuePolicy",
"DependsOn" : [ "S3EventQueue" ],
"Properties" : {
"PolicyDocument" : {
"Id": "SQSPolicy",
"Statement": [
{
"Sid": "SQSEventPolicy",
"Effect": "Allow",
"Principal": "*",
"Action": "SQS:*",
"Resource": "*",
"Condition": {
"ArnLike": {
"aws:SourceArn": "arn:aws:s3:::*"
}
}
}
]
},
"Queues" : [ { "Ref" : "S3EventQueue"} ]
}
},
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With