4
votes

Here is my issue, other than being new to AWS. I have been given the task of reproducing our production site that is in US-East-1 to US-West-2 for a DR site. I am running into an issue with creating the SNS alerts. The following code was from an AWS example and using the Policy from our JSON export. Whenever I include this into my main PS script, I get the following error:

Error:

    Set-SQSQueueAttribute : Invalid value for the parameter Policy.
    At line:37 char:5
    + Set-SQSQueueAttribute -QueueUrl $qURL -Attribute @{ Policy=$SNSpo ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (Amazon.PowerShe...AttributeCmdlet:SetSQSQueueAttributeCmdlet) [Set-SQSQueueAttribute], InvalidOperationException
        + FullyQualifiedErrorId : Amazon.SQS.AmazonSQSException,Amazon.PowerShell.Cmdlets.SQS.SetSQSQueueAttributeCmdlet

Code:

$qURL = New-SQSQueue -QueueName "Test-Queue"
$topicARN = New-SNSTopic -Name "Test-Topic" -Region "us-west-2"

$SNSpolicy = @"
{
     "Version": "2008-10-17",
     "Id": "__default_policy_ID",
     "Statement": [
          {
           "Sid": "__default_policy_ID",
           "Effect": "Allow",
           "Principal": {
                "AWS": "*"
          },
           "Action": [
                "SNS:Subscribe",
                "SNS:ListSubscriptionsByTopic",
                "SNS:DeleteTopic",
                "SNS:GetTopicAttributes",
                "SNS:Publish",
                "SNS:RemovePermission",
                "SNS:AddPermission",
                "SNS:Receive",
                "SNS:SetTopicAttributes"
           ],
           "Resource": "arn:aws:sqs:us-west-2:123456789012:Test-Queue",
           "Condition": {
                "StringEquals": {
                     "AWS:SourceOwner": $topicARN
                }
           }
     ]
}
"@

# set the policy
Set-SQSQueueAttribute -QueueUrl $qURL -Attribute @{ Policy=$SNSpolicy }
1
I have no experience with AWS, but if that JSON policy is an export from somewhere, should you import it somehow before using it - e.g. with ConvertFrom-JSON to make it a live PowerShell data structure? - TessellatingHeckler

1 Answer

4
votes

I just ran the example given by PowerShell using "Get-Help Set-SQSQueueAttribute -Detailed", and it worked without issue.

Based on the PowerShell example working, and the specific error you received, it would suggest there is something amiss with the specific policy you are passing. I would dumb your policy down until it works, and then keep adding things incrementally until it breaks to find out what it doesn't like.

Furthermore: The Set-SQSQueueAttribute method only accepts a MAX of 7 action parameters, AND it does not accept ANY of the ones you mentioned in your code. Valid actions would be:

  • SendMessage
  • ReceiveMessage
  • DeleteMessage
  • ChangeMessageVisibility
  • GetQueueAttributes
  • GetQueueUrl

One thing I noticed different about your example that stood out versus the example that worked for me below is this:

Working example code:

    "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "$topicarn"
          }
      }

Your code:

       "Condition": {
            "StringEquals": {
                 "AWS:SourceOwner": $topicARN
            }
       }

Example that worked for me:

$qurl = New-SQSQueue -QueueName "myQueue" -Region 'us-east-1' -AccessKey 'accesskey' -SecretKey 'secretkey'
$topicarn = New-SNSTopic -Name "myTopic"

$qarn = (Get-SQSQueueAttribute -QueueUrl $qurl -AttributeName "QueueArn").QueueARN

# construct the policy and inject arns
$policy = @"
{
  "Version": "2008-10-17",
  "Id": "$qarn/SQSPOLICY",
  "Statement": [
      {
      "Sid": "1",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "SQS:SendMessage",
      "Resource": "$qarn",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "$topicarn"
          }
      }
    }
  ]
}
"@

Set-SQSQueueAttribute -QueueUrl $qurl -Attribute @{ Policy=$policy }
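
A local pre-flight check for the queue policy, as an added example that is not part of the original answer or of the AWS tooling; the function name `Test-SqsQueuePolicy` and the sample ARNs are assumptions made for illustration. It parses the JSON, flags actions that are not SQS actions, and flags an Allow statement with a wildcard Principal and no Condition, before anything is passed to Set-SQSQueueAttribute.

```powershell
# Added example: offline sanity check for an SQS queue policy (function name is hypothetical).
function Test-SqsQueuePolicy {
    param([Parameter(Mandatory)][string]$PolicyJson)

    $problems = @()
    # Catches unquoted interpolated values and unbalanced braces in a here-string policy.
    try   { $doc = $PolicyJson | ConvertFrom-Json -ErrorAction Stop }
    catch { return @("Policy is not valid JSON: $($_.Exception.Message)") }

    foreach ($s in @($doc.Statement)) {
        # A queue policy grants SQS actions; SNS:* actions belong on a topic policy.
        foreach ($a in @($s.Action)) {
            if ($a -notlike 'SQS:*') { $problems += "Sid '$($s.Sid)': '$a' is not an SQS action" }
        }
        # Allow + wildcard principal with no Condition leaves the queue open to any AWS principal.
        $wildcard = ($s.Principal -eq '*') -or ($s.Principal.AWS -eq '*')
        if ($s.Effect -eq 'Allow' -and $wildcard -and -not $s.Condition) {
            $problems += "Sid '$($s.Sid)': wildcard Principal without a Condition"
        }
    }
    return $problems
}

# Constructed sample ARNs; in a real script these come from Get-SQSQueueAttribute and New-SNSTopic.
$qarn     = 'arn:aws:sqs:us-west-2:123456789012:Test-Queue'
$topicarn = 'arn:aws:sns:us-west-2:123456789012:Test-Topic'

# Building the policy as a hashtable lets ConvertTo-Json handle quoting and brace matching.
$policy = @{
    Version   = '2008-10-17'
    Id        = "$qarn/SQSPOLICY"
    Statement = @(@{
        Sid       = '1'
        Effect    = 'Allow'
        Principal = '*'
        Action    = 'SQS:SendMessage'
        Resource  = $qarn
        Condition = @{ ArnEquals = @{ 'aws:SourceArn' = $topicarn } }
    })
} | ConvertTo-Json -Depth 5

$issues = @(Test-SqsQueuePolicy -PolicyJson $policy)
if ($issues.Count) { $issues | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'Policy passed local checks' }
# Only after a clean result: Set-SQSQueueAttribute -QueueUrl $qurl -Attribute @{ Policy = $policy }
```

Passing the here-string policy from the question to the same function reports the JSON parse failure first, since the check stops at the first structural error.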