With the following code, I can add a permission using my AWS account number but the queue does not receive any messages from SNS.
AddPermissionRequest addPermissionRequest = new AddPermissionRequest();
addPermissionRequest.ActionName.Add("SendMessage");
addPermissionRequest.ActionName.Add("ReceiveMessage");
addPermissionRequest.QueueUrl = queueUrl;
addPermissionRequest.Label = General.IpAddressAWSFriendly;
addPermissionRequest.AWSAccountId.Add(AWS_ACCOUNT_ID);
sqs.AddPermission(addPermissionRequest);
But, when I try to set the permission via a wildcard (*) for everybody:
addPermissionRequest.AWSAccountId.Add("*");
it gives me an error. If I manually add the permission in the AWS SQS console and specify
SendMessage
ReceiveMessage
for the allowed actions and for the principle, I set it to "everybody", the queue does receive messages from my SNS topic. So, obviously, I'm doing something wrong but I don't see it anymore.
Any help would be great! I wish Amazon would have examples, the example that comes with the SDK does not show anything about setting policies or permissions. Nothing is shown in the online documentation, either. Frustrating.
Attach a permission policy to a user in another AWS account – To grant user permissions to create an Amazon SQS queue, attach an Amazon SQS permissions policy to a user in another AWS account. Cross-account permissions don't apply to the following actions: AddPermission. CreateQueue.
AWS SQS helps in sending, storing, and receiving messages without the fear of losing them in the process. These messages can store up to 256 KB of data as text in formats such as JSON, XML, etc. All these messages can be retrieved by the applications with the use of AWS SQS API.
The aws documentation for SQS says multiple policies could be applied to a single queue; however the cloudformation QueuePolicy does not have explicit mention on whether this is allowed or not.
Fortunately, I figured it out myself since I received no responses here. I really wish Amazon would provide better documentation for C# developers on the .Net framework and not just for script kiddies.
Anyways, I ended up creating a full blown Policy object and passed that to the SQS. I used the AWS SDK v1.5 version and not the newer 2.0 (in beta right now) simply because it works for now and I was too lazy to change it to the newer 2.0 version.
Here is the bit of code you will need to programmatically create a policy in C# for an SQS Queue with a condition to only use that queue with an SNS topic:
// 4. Set the queue policy to allow SNS to publish messages
ActionIdentifier[] actions = new ActionIdentifier[2];
actions[0] = SQSActionIdentifiers.SendMessage;
actions[1] = SQSActionIdentifiers.ReceiveMessage;
Policy sqsPolicy = new Policy()
.WithStatements(new Statement(Statement.StatementEffect.Allow)
.WithPrincipals(Principal.AllUsers)
.WithResources(new Resource(queueArn))
.WithConditions(ConditionFactory.NewSourceArnCondition(_AWSSNSArn))
.WithActionIdentifiers(actions));
SetQueueAttributesRequest setQueueAttributesRequest = new SetQueueAttributesRequest();
List<Amazon.SQS.Model.Attribute> attributes = new List<Amazon.SQS.Model.Attribute>();
Amazon.SQS.Model.Attribute attribute = new Amazon.SQS.Model.Attribute();
attribute.Name = "Policy";
attribute.Value = sqsPolicy.ToJson();
attributes.Add(attribute);
setQueueAttributesRequest.QueueUrl = queueUrl;
setQueueAttributesRequest.Attribute = attributes;
sqs.SetQueueAttributes(setQueueAttributesRequest);
I hope this helps someone.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With