Access Denied Error when trying to post messages to SQS

1
votes

I am trying to create an API that logs JSON request bodies in an SQS queue.

I have set up a basic queue in SQS in both the FIFO and non-FIFO layouts. I have the same problem each time. My policy for the SQS queue is as follows:

{
  "Version": "2012-10-17",
  "Id": "arn:aws:sqs:us-east-1:2222222222222:API-toSQS.fifo/SQSDefaultPolicy",
  "Statement": [
    {
      "Sid": "Sid22222222222",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:us-east-1:2222222222222:API-toSQS.fifo"
    }
  ]
}

I have created a policy which i give all access to SQS for writing abilities. And I have created a role for API Gateway in which i assign the aforementioned policy to. Here is the policy i have assigned to this role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "sqs:DeleteMessage",
                "sqs:ChangeMessageVisibility",
                "sqs:DeleteMessageBatch",
                "sqs:SendMessageBatch",
                "sqs:PurgeQueue",
                "sqs:DeleteQueue",
                "sqs:SendMessage",
                "sqs:CreateQueue",
                "sqs:ChangeMessageVisibilityBatch",
                "sqs:SetQueueAttributes"
            ],
            "Resource": "*"
        }
    ]
}

I have set up an API gateway. I have created a POST method. I've tried enabling the CORS option (which create an OPTIONS method) and i've done it without CORS enabled. My ARN for my security policy is correct, i have triple checked it. and i opt for the override path and have the full https URL of my SQS queue there, i have triple checked this as well. My endpoint is SQS of course.

For integration request i have a HTTP header for Content-Type and then a Mapped From as 'application/x-www-form-urlencoded'

in mapping templates i have passthrough set as never and have a Content-Type set to application/json is also have included the template Action=SendMessage&MessageBody=$input.body to translate from body to url as per a walkthrough i found.

i am getting the following error in the API Gateway test area

<AccessDeniedException> <Message>Unable to determine service/operation name to be authorized</Message> </AccessDeniedException>

Is there a AWS guru out there who can steer me in the right direction?

to clarify my issue is that it should be adding my test body

{"peanutbutter":"jelly"}

to the SQS queue, but no luck.

I can send url encoded messages to SQS all day from postman, but i want my business partners to be able to send a clean JSON object via http (postman, node, etc, whatever..)

thank you!

2
aws-api-gatewayamazon-iamamazon-sqs
@KenWhite will do. changing now - sao

2 Answers

3
votes

i opt for the override path and have the full https URL of my SQS queue there

In Path Override type only path part of SQS queue URL 2222222222222/API-toSQS.fifo.

Also, MessageGroupId is required for fifo queues and if ContentBasedDeduplication is not enabled MessageDeduplicationId is required too.

Example of mapping template:

Action=SendMessage&MessageGroupId=$input.params('MessageGroupId')&MessageDeduplicationId=$input.params('MessageDeduplicationId')&MessageBody=$input.body

in this case you need to define MessageGroupId and MessageDeduplicationId as required query string parameters in Method Request and obviously pass them on requests to the API endpoint.

0
votes

For anyone having this same issue, removing all of the settings from the integration request in API Gateway and using Lambda as a "middleman" worked. Lambda is a great go-between for almost all of the AWS services. I would prefer to have a API Gateway -> SQS stack instead of using API Gateway -> Lambda -> SQS, but for whatever reason the way the lambda handles the HTTP request as opposed to trying to configure API Gateway to do the same, works without issue.

you will not need any external resources in Lambda, so no importing Zip files. Just import AWS and SQS. use the basic structure to accept the event, then take the body (as JSON in my case) and sqs.sendMessage to your queue.

hope this helps anyone with the same issue.