
I've been through the AWS SNS/SQS subscription instructions multiple times, and have gone through a few different blogs and StackOverflow posts trying various things. However, no matter how many times I try to publish a message to SNS and poll/receive it from SQS, it never pops out the other side. I'm hoping it's something super obvious that I'm missing, that someone with more experience/fresher eyes than me can see.

For some background, I created both SQS and SNS in the same account. I create the subscription last, after I have set the access policies for both of them. And I make sure that when I do create the subscription I get the little green checkmark that says the subscription has been confirmed. Nothing fancy, no FIFO queue; I've set the visibility timeout to 1 minute, and the receive message wait time relatively low for the queue as well. I only have one SQS and one SNS in the account, so it's not like I can mess up subscribing or giving access to the wrong ones.

For my SQS access policy this is what it looks like:

{
  "Version": "2012-10-17",
  "Id": "allow_sns_access_policy",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "sns.amazonaws.com"
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:<my_unique_id>:<name_of_my_queue>",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:sns:us-east-1:<my_unique_id>:<name_of_my_topic>"
        }
      }
    }
  ]
}

My SNS access policy is as follows:

{
  "Version": "2012-10-17",
  "Id": "allow_sqs_access_policy",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "sqs.amazonaws.com"
      },
      "Action": "sns:Subscribe",
      "Resource": "arn:aws:sqs:us-east-1:<my_unique_id>:<name_of_my_topic>",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:sns:us-east-1:<my_unique_id>:<name_of_my_queue>"
        }
      }
    }
  ]
}

I make sure to copy and paste ARN resources to limit spelling mistakes. I've experimented with other things, but none of them worked either. This should work, but it doesn't.

ouflak
JackR
  • If everything is in the same account/region, access policies for the queue and topic are not required... can you remove these and see if it works? If you really want to lock things down and want to use access policies, then maybe only add one and test, add the other and test; that would be a good way to confirm it's an issue with the access policy and debug which policy has the issue – JD D May 18 '21 at 12:54

1 Answer

I guess the policies can be finicky sometimes. I attempted to remove the policies, but that didn't work even though they're in the same region. So here is what I wound up setting for the two policies to get them to correctly communicate. Maybe someone has suggestions for how to make this better, but as of right now this is what works.

SNS policy:

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "Service": "sqs.amazonaws.com"
      },
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:SetTopicAttributes",
        "SNS:AddPermission",
        "SNS:RemovePermission",
        "SNS:DeleteTopic",
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:Publish",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:<region>:<topic_owner>:<topic>",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "<topic_owner>"
        }
      }
    },
    {
      "Sid": "s3-publish",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:<region>:<topic_owner>:<topic>",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "<topic_owner>"
        },
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:s3:*:*:*"
        }
      }
    }
  ]
}

SQS policy:

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__owner_statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<topic_owner>:root"
      },
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:<region>:<topic_owner>:<queue_name>"
    },
    {
      "Sid": "topic-subscription-arn:aws:sns:<region>:<topic_owner>:<topic_name>",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "SQS:SendMessage",
      "Resource": "arn:aws:sqs:<region>:<topic_owner>:<queue_name>",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:sns:<region>:<topic_owner>:<topic_name>"
        }
      }
    }
  ]
}
JackR
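As an added example (not code from the question or the answer), a small Python check that reads an SQS queue policy shaped like the answer's working one and reports why a given SNS topic would be refused sqs:SendMessage: the principal is neither sns.amazonaws.com nor "*", the Resource does not match the queue ARN, or the aws:SourceArn condition names something other than the topic. The region, account id, queue and topic names, and the broken variant are constructed; a statement with no SourceArn condition is treated as permitting delivery (unscoped).

```python
import fnmatch

# Constructed sample values standing in for the page's <region>/<topic_owner> placeholders.
QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:my-queue"
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:my-topic"

# The SendMessage statement from the answer's working SQS policy, placeholders filled in.
WORKING_POLICY = {"Version": "2008-10-17", "Statement": [{
    "Sid": "topic-subscription", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "SQS:SendMessage", "Resource": QUEUE_ARN,
    "Condition": {"ArnLike": {"aws:SourceArn": TOPIC_ARN}}}]}

# Constructed broken variant: aws:SourceArn names an SQS ARN instead of the topic, the same
# service-prefix mix-up that appears in the question's SNS policy.
BROKEN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "sns-send", "Effect": "Allow", "Principal": {"Service": "sns.amazonaws.com"},
    "Action": "sqs:SendMessage", "Resource": QUEUE_ARN,
    "Condition": {"ArnEquals": {"aws:SourceArn": QUEUE_ARN}}}]}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_sqs_policy_for_sns(policy, queue_arn, topic_arn):
    """Return [] if some Allow statement lets topic_arn deliver to queue_arn, else findings."""
    if not queue_arn.startswith("arn:aws:sqs:") or not topic_arn.startswith("arn:aws:sns:"):
        return ["queue ARN must start with arn:aws:sqs: and topic ARN with arn:aws:sns:"]
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"sqs:sendmessage", "sqs:*"}:
            continue  # not a SendMessage grant, irrelevant to delivery
        principal = stmt.get("Principal", {})
        principal = principal if isinstance(principal, dict) else {"AWS": principal}
        cond = stmt.get("Condition", {})
        # aws:SourceArn patterns under ArnEquals/ArnLike; the condition key is case-insensitive
        patterns = [p for op in ("ArnEquals", "ArnLike") for k, v in cond.get(op, {}).items()
                    if k.lower() == "aws:sourcearn" for p in _as_list(v)]
        if ("sns.amazonaws.com" not in _as_list(principal.get("Service", []))
                and "*" not in _as_list(principal.get("AWS", []))):
            findings.append(f"{sid}: SendMessage is not granted to sns.amazonaws.com or '*'")
        elif not any(fnmatch.fnmatchcase(queue_arn, r) for r in _as_list(stmt.get("Resource", []))):
            findings.append(f"{sid}: Resource does not match the queue ARN")
        elif patterns and not any(fnmatch.fnmatchcase(topic_arn, p) for p in patterns):
            findings.append(f"{sid}: aws:SourceArn condition does not match the topic ARN")
        else:
            return []  # this statement permits delivery from the topic (no condition = unscoped)
    return findings or ["no Allow statement grants sqs:SendMessage on the queue to SNS"]
```

Run it against a real queue policy fetched with `aws sqs get-queue-attributes --attribute-names Policy` after filling in the real ARNs; an empty result means the policy is not what is blocking delivery.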