In order to send messages via mTurk to SQS the corresponding permission to SendMessage
should be given. In documentation they say that the Principal should be mturk-requester.amazonaws.com. So the policy that works looks like:
    "Principal": {
        "Service": "mturk-requester.amazonaws.com"
    },
This can be done via Boto3.SQS.addPermission. Like that:
    response = client.add_permission(
        QueueUrl='string',
        Label='string',
        AWSAccountIds=[
            'string',
        ],
        Actions=[
            'string',
        ]
    )
but I fail to understand how I can add the correct Principal to AWSAccountIds field. All my attempts to use mturk-requester.amazonaws.com there failed.
What am I doing wrong?
I think you're battling some erroneous MTurk documentation (i.e. the example policy document is invalid), as well as some under-documented Boto3 behavior (i.e. you can't pass a complex structure to SQS.add_permission).
I was able to programmatically add the policy by using set_queue_attributes instead of add_permission.
    import re
    import json

    import boto3

    client = boto3.client('sqs')

    q = client.create_queue(QueueName='queue1001')

    # The queue URL ends in <account id>/<queue name>; pull both out.
    q_parts = re.search(r'(\d+)/(.+)$', q['QueueUrl'])
    aws_id = q_parts.group(1)
    q_name = q_parts.group(2)

    policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "mturk-requester.amazonaws.com"
                },
                "Action": "SQS:SendMessage",
                # The region is hard-coded here; it must match the queue's region.
                "Resource": "arn:aws:sqs:us-east-1:{}:{}".format(aws_id, q_name),
                "Condition": {
                    "Bool": {
                        "aws:SecureTransport": "true"
                    }
                }
            }
        ]
    }

    # The Policy attribute takes the whole policy document as a JSON string.
    client.set_queue_attributes(QueueUrl=q['QueueUrl'], Attributes={'Policy': json.dumps(policy)})
The main difference being the use of
    "Condition": {
        "Bool": {
            "aws:SecureTransport": "true"
        }
    }
instead of
    "aws:SecureTransport":"true"
which doesn't parse in the AWS Policy Validator.
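Added example, not part of the original answer: a sketch that reads the queue's ARN from the `QueueArn` attribute instead of parsing the URL and hard-coding the region, and runs a small local structure check that catches the unwrapped `aws:SecureTransport` form before the policy is sent. The names `build_policy`, `lint_policy`, `queue_arn` and `apply_policy` are hypothetical, `client` is assumed to be a boto3 SQS client supplied by the caller, and the check is a local approximation, not the AWS Policy Validator.

```python
import json

MTURK_PRINCIPAL = "mturk-requester.amazonaws.com"  # service principal named on this page
STATEMENT_KEYS = {"Sid", "Effect", "Principal", "NotPrincipal", "Action",
                  "NotAction", "Resource", "NotResource", "Condition"}

def build_policy(arn):
    """The policy from the answer above, scoped to a single queue ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": MTURK_PRINCIPAL},
            "Action": "SQS:SendMessage",
            "Resource": arn,
            "Condition": {"Bool": {"aws:SecureTransport": "true"}},
        }],
    }

def lint_policy(policy):
    """Return a list of structural problems; an empty list means none found."""
    problems = []
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for i, stmt in enumerate(statements):
        for key in sorted(set(stmt) - STATEMENT_KEYS):
            problems.append(f"statement {i}: unexpected element {key!r}")
        cond = stmt.get("Condition", {})
        if not isinstance(cond, dict):
            problems.append(f"statement {i}: Condition must be an object")
            continue
        for op, body in cond.items():
            # Each entry must map an operator (e.g. Bool) to {condition key: value}.
            if not isinstance(body, dict):
                problems.append(f"statement {i}: Condition entry {op!r} lacks an operator such as Bool")
    return problems

def queue_arn(client, queue_url):
    """Ask SQS for the ARN rather than rebuilding it from the URL."""
    attrs = client.get_queue_attributes(QueueUrl=queue_url, AttributeNames=["QueueArn"])
    return attrs["Attributes"]["QueueArn"]

def apply_policy(client, queue_url, policy):
    """Refuse to send a policy that fails the local structure check."""
    problems = lint_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    client.set_queue_attributes(QueueUrl=queue_url, Attributes={"Policy": json.dumps(policy)})
```

Typical use is `apply_policy(client, url, build_policy(queue_arn(client, url)))`.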