
AWS SNS Topic Sub: Dead-letter queue (redrive policy) permissions denied

I've got an SNS topic & subscription (actually more than one) set up to use an SQS DLQ. However, each one is telling me I have a policy error.

[screenshot]

My SNS subscription has the DLQ set:

[screenshot]

My queue exists:

[screenshot]

And I have this access policy set on the SQS Queue:

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__owner_statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::1234:root"
      },
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:eu-west-2:1234:AggregateMonitoringDeadLetterQueue"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "sns.amazonaws.com"
      },
      "Action": "SQS:SendMessage",
      "Resource": "arn:aws:sqs:eu-west-2:1234:AggregateMonitoringDeadLetterQueue",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": [
            "arn:aws:sns:eu-west-2:1234:aggregator-state",
            "arn:aws:sns:eu-west-2:1234:rank-state-publication",
            "arn:aws:sns:eu-west-2:1234:rank-state-categorisation"
          ]
        }
      }
    }
  ]
}

I also tried having a really generic access policy on the queue:

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__owner_statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:eu-west-2:1234:AggregateMonitoringDeadLetterQueue"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "sns.amazonaws.com"
      },
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:eu-west-2:1234:AggregateMonitoringDeadLetterQueue",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:sns:eu-west-2:1234:*"
        }
      }
    }
  ]
}

I was following this: https://docs.aws.amazon.com/sns/latest/dg/sns-configure-dead-letter-queue.html (Step 5 explains setting the policy)

Other ref: https://docs.aws.amazon.com/sns/latest/dg/sns-dead-letter-queues.html

I must be doing something wrong, or missing something? I can't get rid of the error.

See this answer which states that despite the error message, failed messages are correctly sent to the DLQ.

From my side, I can confirm that I received those failed messages in my DLQ, which is configured like yours (by following this same doc: https://docs.aws.amazon.com/sns/latest/dg/sns-configure-dead-letter-queue.html).
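Since the console warning does not reflect an actual deny, a quick way to confirm what the queue policy really grants is to evaluate it offline; the following is an added example (not code from the question or the answer) that applies IAM's ArnLike matching to the question's first queue policy, with the policy text embedded as a constructed copy.

```python
import fnmatch
import json

# Constructed copy of the SNS statement from the question's first queue policy.
QUEUE_ARN = "arn:aws:sqs:eu-west-2:1234:AggregateMonitoringDeadLetterQueue"
QUEUE_POLICY = json.loads("""{
  "Version": "2008-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "sns.amazonaws.com"},
    "Action": "SQS:SendMessage",
    "Resource": "arn:aws:sqs:eu-west-2:1234:AggregateMonitoringDeadLetterQueue",
    "Condition": {"ArnLike": {"aws:SourceArn": [
      "arn:aws:sns:eu-west-2:1234:aggregator-state",
      "arn:aws:sns:eu-west-2:1234:rank-state-publication",
      "arn:aws:sns:eu-west-2:1234:rank-state-categorisation"]}}}]
}""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def arn_like(pattern, arn):
    """ArnLike/ArnEquals: each of the six colon-separated ARN fields is matched
    separately, case-sensitively, with '*' and '?' wildcards."""
    p, a = pattern.split(":", 5), arn.split(":", 5)
    return len(p) == len(a) == 6 and all(fnmatch.fnmatchcase(x, y) for x, y in zip(a, p))

def _source_arn_ok(cond, topic_arn):
    # Only aws:SourceArn conditions are understood; anything else counts as unsatisfied.
    for op, kv in cond.items():
        if op not in ("ArnLike", "ArnEquals") or set(kv) != {"aws:SourceArn"}:
            return False
        if not any(arn_like(p, topic_arn) for p in _as_list(kv["aws:SourceArn"])):
            return False
    return True

def sns_can_send(policy, queue_arn, topic_arn):
    """True if an Allow statement lets SNS SendMessage to queue_arn on behalf of topic_arn."""
    for st in policy["Statement"]:
        principal = st.get("Principal", {})
        is_sns = principal == "*" or (isinstance(principal, dict) and (
            "sns.amazonaws.com" in _as_list(principal.get("Service", []))
            or "*" in _as_list(principal.get("AWS", []))))
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        if (st.get("Effect") == "Allow" and is_sns
                and any(fnmatch.fnmatchcase("sqs:sendmessage", a) for a in actions)
                and any(arn_like(r, queue_arn) for r in _as_list(st.get("Resource", [])))
                and _source_arn_ok(st.get("Condition", {}), topic_arn)):
            return True
    return False
```

It evaluates Allow statements only and ignores Deny, so treat it as a sanity check on the policy text rather than a substitute for the IAM policy simulator.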
