2
votes

I am trying to create an SQS queue and attach a permission to it via SQS::QueuePolicy. Following is my CloudFormation template:

Template

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "MySQS": {
            "Type": "AWS::SQS::Queue",
            "Properties": {
                "QueueName": "QueueName1"
            }
        },
        "MySQSPolicy": {
            "Type": "AWS::SQS::QueuePolicy",
            "Properties": {
                "Queues": [
                    {
                        "Fn::GetAtt": ["MySQS", "Arn"]
                    }
                ],
                "PolicyDocument": {
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "AWS": ["1234567689111"]
                            },
                            "Action": [
                                "SQS:SendMessage"
                            ]
                        }
                    ]
                }
            }
        }
    }
}

Error

I tried creating the stack via the AWS Console. The SQS queue creation is successful, but I receive the below error for the SQS policy creation:

The specified queue does not exist for this wsdl version. (Service: AmazonSQS; Status Code: 400; Error Code: AWS.SimpleQueueService.NonExistentQueue; Request ID: e2611b4d-6166-5bf3-9205-4d0590e34f84)

CloudFormation Console Error

I have referred to the documentation but can't figure out what the problem is. Any ideas what is wrong here?


1 Answer

1
votes

From AWS::SQS::QueuePolicy - AWS CloudFormation:

Queues: The URLs of the queues to which you want to add the policy. You can use the Ref function to specify an AWS::SQS::Queue resource.

Also, the policy needs to refer to the Resource that is being permitted, which is the Queue. Yes, it might seem funny that the Queue is being referenced twice, but the first reference is where to put the policy, the second one is granting access to the specific queue.

The policy was also missing a Version parameter.

Therefore, use:

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "MySQS": {
            "Type": "AWS::SQS::Queue",
            "Properties": {
                "QueueName": "QueueName1"
            }
        },
        "MySQSPolicy": {
            "Type": "AWS::SQS::QueuePolicy",
            "Properties": {
                "Queues": [
                    {
                        "Ref": "MySQS"   <--- Changed
                    }
                ],
                "PolicyDocument": {
                    "Id": "QueuePolicy",
                    "Version": "2012-10-17",   <--- Added
                    "Statement": [
                        {
                            "Action": [
                                "sqs:SendMessage"
                            ],
                            "Effect": "Allow",
                            "Resource": {           <--- Added
                                "Fn::GetAtt": [
                                    "MySQS",
                                    "Arn"
                                ]
                            },
                            "Principal": {
                                "AWS": [
                                    "*"      <--- See note below
                                ]
                            }
                        }
                    ]
                }
            }
        }
    }
}

This works fine with a Principal as shown. Or, you could specify an IAM User with:

            "Principal" : {
               "AWS" : "arn:aws:iam::123456789012:user/myapp"
            },

I don't think you can simply say that the Principal is an Account ID.
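The following is an added example, not code from the question or the answer above. It turns the three fixes the answer makes (Queues must be a Ref to the queue, the statement needs a Resource, the document needs a Version) into a small template lint, and adds the check a security reviewer would raise about the answer's template: an Allow statement whose Principal is "*" and that carries no Condition lets any AWS principal, in any account, send to the queue. The account ID 123456789012 in the hardened variant is an assumption; the three templates are constructed from the ones on this page.

```python
"""Lint AWS::SQS::QueuePolicy resources in a CloudFormation template.

Added example, not code from the original question or answer. The account
ID 123456789012 used in HARDENED is an assumption.
"""
import json

QUEUE_ARN = {"Fn::GetAtt": ["MySQS", "Arn"]}   # what the statement's Resource needs
QUEUE_URL = {"Ref": "MySQS"}                    # what the Queues property needs


def make_template(queues_entry, statement, version="2012-10-17"):
    """Build the two-resource template from the post around one statement."""
    doc = {"Statement": [statement]}
    if version:
        doc["Version"] = version
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "MySQS": {
                "Type": "AWS::SQS::Queue",
                "Properties": {"QueueName": "QueueName1"},
            },
            "MySQSPolicy": {
                "Type": "AWS::SQS::QueuePolicy",
                "Properties": {"Queues": [queues_entry], "PolicyDocument": doc},
            },
        },
    }


def is_ref_to_queue(entry, resources):
    """Queues holds queue URLs; only Ref on an AWS::SQS::Queue yields one.
    Fn::GetAtt ... Arn is an ARN and produces NonExistentQueue at deploy time."""
    if not isinstance(entry, dict) or set(entry) != {"Ref"}:
        return False
    return resources.get(entry["Ref"], {}).get("Type") == "AWS::SQS::Queue"


def is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def queue_policy_findings(template):
    """Return (resource_name, message) pairs for every problem found."""
    findings = []
    resources = template.get("Resources", {})
    for name, res in resources.items():
        if res.get("Type") != "AWS::SQS::QueuePolicy":
            continue
        props = res.get("Properties", {})
        for entry in props.get("Queues", []):
            if not is_ref_to_queue(entry, resources):
                findings.append((name, "Queues entry must be a Ref to an AWS::SQS::Queue (a URL, not an ARN)"))
        doc = props.get("PolicyDocument", {})
        if doc.get("Version") != "2012-10-17":
            findings.append((name, "PolicyDocument lacks Version 2012-10-17"))
        for i, st in enumerate(doc.get("Statement", [])):
            if "Resource" not in st:
                findings.append((name, f"Statement {i} has no Resource"))
            if (st.get("Effect") == "Allow" and "Condition" not in st
                    and is_wildcard_principal(st.get("Principal"))):
                findings.append((name, f"Statement {i} allows Principal * without a Condition"))
    return findings


# The question's template: ARN where a URL is needed, no Version, no Resource.
BROKEN = make_template(
    QUEUE_ARN,
    {"Effect": "Allow", "Principal": {"AWS": ["1234567689111"]}, "Action": ["SQS:SendMessage"]},
    version=None,
)

# The answer's template: deploys, but lets any AWS principal send messages.
ANSWER = make_template(
    QUEUE_URL,
    {"Effect": "Allow", "Action": ["sqs:SendMessage"], "Resource": QUEUE_ARN, "Principal": {"AWS": ["*"]}},
)

# Hardened: trust one account's root (assumed ID); IAM in that account then
# decides which of its users and roles may actually send.
HARDENED = make_template(
    QUEUE_URL,
    {"Effect": "Allow", "Action": ["sqs:SendMessage"], "Resource": QUEUE_ARN,
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"}},
)

if __name__ == "__main__":
    for label, tpl in (("question", BROKEN), ("answer", ANSWER), ("hardened", HARDENED)):
        print(label, queue_policy_findings(tpl) or "ok")
    print(json.dumps(HARDENED, indent=2))
```

Run stand-alone it reports the three defects in the question's template, the single wildcard-principal finding in the answer's, nothing for the hardened variant, and prints the hardened template ready to paste into a stack. If you genuinely need Principal "*" (for example to let another AWS service deliver to the queue), keep the statement but scope it with a Condition such as aws:SourceArn so the check above passes for the right reason.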