
Cloudformation SQS Policy for S3 events

I'm trying to create a policy for an SQS queue which would allow any S3 bucket to send events to the queue. I don't seem to be able to do this for a specific S3 queue because I end up with circular dependencies.

I've created a CloudFormation template which will create the queue and policy, but when I try to manually set up the S3 bucket to send the events I get a message saying

Permissions on the destination queue do not allow S3 to publish notifications from this bucket

The template section that I'm using to create the policy is:

    "SQSNotifcationFromS3" : {
        "Type" :        "AWS::SQS::QueuePolicy",
        "DependsOn" : "S3Notifications",
        "Properties" : {
            "PolicyDocument" : {
                "Version": "2012-10-17",
                "Id": "SQSIDsimon",
                "Statement": [
                    {
                        "Sid": "example-statement-ID",
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "s3.amazonaws.com"
                        },
                        "Action": "SQS:*",
                        "Resource": { "Ref" : "S3Notifications"}
                    }
                ]
            },
            "Queues" :      [ { "Ref" : "S3Queue" } ]
        }
    }

In the end, I found a solution for this - I set the permissions on the SQS so that any S3 bucket could add events to the queue:

    "S3EventQueuePolicy" : {
        "Type" : "AWS::SQS::QueuePolicy",
        "DependsOn" : [ "S3EventQueue" ],
        "Properties" : {
            "PolicyDocument" : {
                "Id": "SQSPolicy",
                "Statement": [
                    {
                        "Sid": "SQSEventPolicy",
                        "Effect": "Allow",
                        "Principal": "*",
                        "Action": "SQS:*",
                        "Resource": "*",
                        "Condition": {
                            "ArnLike": {
                                "aws:SourceArn": "arn:aws:s3:::*"
                            }
                        }
                    }
                ]
            },
            "Queues" : [ { "Ref" : "S3EventQueue"} ]
        }
    },
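Added example (not part of the question or any answer): a small Python check for the two statements above. The working statement grants any bucket in any AWS account every SQS action on the queue; the hardened variant keeps the wildcard `aws:SourceArn` (so the template still has no circular dependency on the bucket) but adds `aws:SourceAccount`, narrows the action to `SQS:SendMessage` and takes the queue ARN with `Fn::GetAtt`. The resource name `S3EventQueue` comes from the post; the linter functions and the hardened statement are assumptions, not AWS-provided tooling.

```python
# Added example, not the poster's template: a small linter for the
# AWS::SQS::QueuePolicy statements above, plus a hardened variant.
LOOSE = {  # the poster's working statement, re-typed as a Python dict
    "Sid": "SQSEventPolicy", "Effect": "Allow", "Principal": "*",
    "Action": "SQS:*", "Resource": "*",
    "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:s3:::*"}},
}

# Hypothetical hardened statement: keeps the wildcard SourceArn (so no circular
# dependency on the bucket) but pins the account, one action and one queue.
HARDENED = {
    "Sid": "AllowS3SendMessage",
    "Effect": "Allow",
    "Principal": {"Service": "s3.amazonaws.com"},
    "Action": "SQS:SendMessage",
    "Resource": {"Fn::GetAtt": ["S3EventQueue", "Arn"]},
    "Condition": {
        "ArnLike": {"aws:SourceArn": "arn:aws:s3:::*"},
        "StringEquals": {"aws:SourceAccount": {"Ref": "AWS::AccountId"}},
    },
}


def audit_statement(stmt: dict) -> list[str]:
    """Flag over-broad settings in one Allow statement of a queue policy."""
    if stmt.get("Effect") != "Allow":
        return []
    sid = stmt.get("Sid", "<no Sid>")
    actions = stmt.get("Action", [])
    actions = [actions] if isinstance(actions, str) else actions
    cond = stmt.get("Condition", {})
    findings = []
    if stmt.get("Principal") == "*":
        findings.append(f"{sid}: Principal '*' rather than the s3.amazonaws.com service")
    if any(a.lower() in ("sqs:*", "*") for a in actions):
        findings.append(f"{sid}: wildcard Action; S3 only needs SQS:SendMessage")
    if stmt.get("Resource") == "*":
        findings.append(f"{sid}: Resource '*' rather than the queue ARN (Fn::GetAtt Arn)")
    if "aws:SourceAccount" not in cond.get("StringEquals", {}):
        findings.append(f"{sid}: no aws:SourceAccount condition; buckets in any account may publish")
    return findings


def audit_queue_policy(resource: dict) -> list[str]:
    """Audit every statement of an AWS::SQS::QueuePolicy resource."""
    stmts = resource["Properties"]["PolicyDocument"].get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [f for s in stmts for f in audit_statement(s)]
```

Running `audit_statement(LOOSE)` reports four findings for the posted policy and `audit_statement(HARDENED)` reports none.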

In the AWS console, did you confirm that the queue has successfully granted permissions to the S3 bucket? In SQS, select the queue and look at the permissions tab.

Looking at your template snippet above, I'm not sure what "S3Notifications" points to but I'll assume it's the S3 bucket. The SQS policy document "Resource" should be the ARN of the S3 bucket. The "Ref" function on an S3 bucket has a Reference Value of "Name". You need ARN I believe.

See: http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/SQSExamples.html

and: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html
