Cloudformation SQS Policy for S3 events

I'm trying to create a policy for an SQS queue which would allow any S3 bucket to send events to the queue. I don't seem to be able to do this for a specific S3 queue because I end up with circular dependencies.

I've created a cloudformation template which will create the queue and policy, but when I try to manually set up the S3 bucket to send the events I get a message saying

Permissions on the destination queue do not allow S3 to publish notifications from this bucket

The template section that I'm using to create the policy is:

    "SQSNotifcationFromS3" : {
        "Type" :        "AWS::SQS::QueuePolicy",
        "DependsOn" : "S3Notifications",
        "Properties" : {
            "PolicyDocument" : {
                "Version": "2012-10-17",
                "Id": "SQSIDsimon",
                "Statement": [
                    {
                        "Sid": "example-statement-ID",
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "s3.amazonaws.com"
                            },
                        "Action": "SQS:*",
                        "Resource": { "Ref" : "S3Notifications"}
                    }
                ]
            },
            "Queues" :      [ { "Ref" : "S3Queue" } ]
        }
    }
asked Aug 24 '16 11:08 by SimonH


1 Answer

In the end, I found a solution for this - I set the permissions on the SQS so that any S3 bucket could add events to the queue:

    "S3EventQueuePolicy" : {
        "Type" : "AWS::SQS::QueuePolicy",
        "DependsOn" : [ "S3EventQueue" ],
        "Properties" : {
            "PolicyDocument" : {
                "Id": "SQSPolicy",
                "Statement": [
                    {
                        "Sid": "SQSEventPolicy",
                        "Effect": "Allow",
                        "Principal": "*",
                        "Action": "SQS:*",
                        "Resource": "*",
                        "Condition": {
                            "ArnLike": {
                                "aws:SourceArn": "arn:aws:s3:::*"
                            }
                        }
                    }
                ]
            },
            "Queues" : [ { "Ref" : "S3EventQueue"} ]
        }
    },
answered Oct 27 '22 01:10 by SimonH
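The accepted policy works, but it lets any principal perform any SQS action on any resource as long as the call carries an S3 bucket ARN as its source, and `arn:aws:s3:::*` matches buckets in other AWS accounts too. The following is an added example (not SimonH's template or AWS's own code) showing a tighter `PolicyDocument` for the same queue, plus a small checker that flags the weak settings; it assumes the queue resource is still named `S3EventQueue` and that the bucket name is supplied through a hypothetical template parameter `BucketName`, which is how the policy avoids the bucket/queue circular reference the question describes.

```python
# Added example, not the poster's template. Assumes the queue resource is named
# S3EventQueue (as in the answer) and the bucket name comes from a template
# parameter BucketName: building the bucket ARN from the parameter instead of
# Ref-ing the bucket resource keeps the policy out of the bucket/queue cycle.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowS3BucketToSendMessage",
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},  # the S3 service, not "*"
        "Action": "sqs:SendMessage",  # S3 only ever needs to send
        "Resource": {"Fn::GetAtt": ["S3EventQueue", "Arn"]},
        "Condition": {
            # same-account check blocks cross-account confused-deputy calls
            "StringEquals": {"aws:SourceAccount": {"Ref": "AWS::AccountId"}},
            "ArnLike": {"aws:SourceArn": {"Fn::Sub": "arn:aws:s3:::${BucketName}"}},
        },
    }],
}

# The permissive document from the accepted answer, reproduced for comparison.
PERMISSIVE_POLICY = {
    "Id": "SQSPolicy",
    "Statement": [{
        "Sid": "SQSEventPolicy",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "SQS:*",
        "Resource": "*",
        "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:s3:::*"}},
    }],
}


def policy_findings(doc):
    """Return the weaknesses found in an SQS queue policy document."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        cond_keys = {k.lower() for blk in stmt.get("Condition", {}).values() for k in blk}
        if stmt.get("Principal") == "*" and "aws:sourceaccount" not in cond_keys:
            findings.append(f"{sid}: Principal '*' with no aws:SourceAccount condition")
        if any(a == "*" or a.lower() == "sqs:*" for a in actions):
            findings.append(f"{sid}: wildcard Action; S3 only needs sqs:SendMessage")
        if stmt.get("Resource") == "*":
            findings.append(f"{sid}: Resource '*' instead of the queue ARN")
    return findings
```

Running `policy_findings` over the answer's document reports all three weak settings, while the hardened document comes back clean; drop the `ArnLike` condition and keep only `aws:SourceAccount` if you genuinely need every bucket in the account to publish to the queue.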