TechQA.

SNS and SQS access problem, no messages received

2.9k views Asked by At

I've been through the AWS SNS/SQS subscription instructions multiple times, and have gone through a few different blogs and StackOverflow posts trying various things. However, no matter how many times I try to publish a message to SNS and poll/receive it from SQS, it never pops out the other side. I'm hoping it's something super obvious that I'm missing, that someone with more experience/fresher eyes than me can see.

For some background, I created both SQS and SNS in the same account. I create the subscription last after I have set the access policies for both of them. And I make sure that when I do create the subscription that I get the little green checkmark that says the subscription has been confirmed. Nothing fancy, no FIFO queue, I've set the visibility timeout to 1 minute, and receive message wait time relatively low for the queue as well. I only have in the account one SQS and one SNS, so it's not like I can mess up subscribing or giving access to the wrong ones.

For my SQS access policy this is what it looks like:

{
 "Version": "2012-10-17",
 "Id": "allow_sns_access_policy",
 "Statement": [
   {
     "Effect": "Allow",
     "Principal": {
       "Service": "sns.amazonaws.com"
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:<my_unique_id>:<name_of_my_queue>",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:sns:us-east-1:<my_unique_id>:<name_of_my_topic>"
        }
      }
    }
  ]
}

My SNS access policy is as follows:

{
  "Version": "2012-10-17",
  "Id": "allow_sqs_access_policy",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "sqs.amazonaws.com"
      },
      "Action": "sns:Subscribe",
      "Resource": "arn:aws:sqs:us-east-1:<my_unique_id>:<name_of_my_topic>",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:sns:us-east-1:<my_unique_id>:<name_of_my_queue>"
        }
      }
    }
  ]
}

I make sure to copy and paste arn resources to limit spelling mistakes. I've experimented with other things, but all of them also didn't work. This to me should work but doesn't.

amazon-web-services amazon-sqs amazon-sns aws-access-policy
Original Q&A
1

There are 1 answers

0
JackR On

I guess the policies can be finicky sometimes. I attempted to remove the policies, but that didn't work even though they're in the same region. So here is what I wound up setting for the two policies to get them to correctly communicate. Maybe someone has suggestions for how to make this better, but as of right now this is what works.

SNS policy:

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "Service": "sqs.amazonaws.com"
      },
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:SetTopicAttributes",
        "SNS:AddPermission",
        "SNS:RemovePermission",
        "SNS:DeleteTopic",
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:Publish",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:<region>:<topic_owner>:<topic>",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "<topic_owner>"
        }
      }
    },
    {
      "Sid": "s3-publish",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:<region>:<topic_owner>:<topic>",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "<topic_owner>"
        },
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:s3:*:*:*"
        }
      }
    }
  ]
}

SQS Policy

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__owner_statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<topic_owner>:root"
      },
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:<region>:<topic_owner>:<queue_name>"
    },
    {
      "Sid": "topic-subscription-arn:aws:sns:<region>:<topic_owner>:<topic_name>",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "SQS:SendMessage",
      "Resource": "arn:aws:sqs:<region>:<topic_owner>:<queue_name>",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:sns:<region>:<topic_owner>:<topic_name>"
        }
      }
    }
  ]
}

Related Questions in AMAZON-WEB-SERVICES

Related Questions in AMAZON-SQS

Related Questions in AMAZON-SNS

Related Questions in AWS-ACCESS-POLICY

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions