
Cross account SNS SQS subscription set up (CDK)

I'm trying to set up a cross-account subscription between an SQS queue (in account 11111111111) and an SNS topic (in account 22222222222). However, I've been having trouble getting this done through CDK. Any help would be appreciated.

The following is the CDK code that sets up the subscription on the SQS queue side (the SQS queue setup itself is standard and omitted here):

// Import paths assumed to be CDK v2 (the imports are not in the original snippet)
import * as sns from 'aws-cdk-lib/aws-sns';
import { SqsSubscription } from 'aws-cdk-lib/aws-sns-subscriptions';

// SNS topic in another account, imported by ARN
const snsTopic = sns.Topic.fromTopicArn(
    this,
    'id',
    'arn:aws:sns:us-west-2:22222222222:id',
);

// Subscribe the (already defined) queue to the imported topic
snsTopic.addSubscription(new SqsSubscription(sqsQueue));

Then I followed this AWS article to give the SNS topic an access policy that lets account 11111111111 subscribe to it. The following is the topic's access policy:

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:Publish",
        "SNS:RemovePermission",
        "SNS:SetTopicAttributes",
        "SNS:DeleteTopic",
        "SNS:ListSubscriptionsByTopic",
        "SNS:GetTopicAttributes",
        "SNS:AddPermission",
        "SNS:Subscribe"
      ],
      "Resource": "arn:aws:sns:us-west-2:22222222222:id",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "22222222222"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "sns:Subscribe",
      "Resource": "arn:aws:sns:us-west-2:22222222222:id",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "11111111111"
        }
      }
    }
  ]
}

As you can see here, this policy gives full access to the account owner (22222222222) and subscribe rights to another account (11111111111).

However, when I deploy my CDK changes, CloudFormation keeps throwing the following error, indicating that account 11111111111 is not authorized to subscribe to the topic in 22222222222.

User: arn:aws:sts::11111111111:assumed-role/PipelinesChangeSetExec-19a3877f4882528dec93b2760e3771af2ccd62c6/AWSCloudFormation is not authorized to perform: SNS:Subscribe on resource: arn:aws:sns:us-west-2:22222222222:id because no resource-based policy allows the SNS:Subscribe action (Service: AmazonSNS; Status Code: 403; Error Code: AuthorizationError; Request ID: 45ea9a58-13ce-50b9-8b07-c16de46f3a53; Proxy: null)

I think I'm following the setup guide from AWS. Can anyone point out where I might be wrong? Thanks.

So I figured this out. Here is a helpful video that explains how to set up a cross-account subscription between SNS and SQS. I made a mistake in clarifying the access policy on the SNS topic. However, by following the video, I was able to deploy the SQS queue and have it subscribed to the SNS topic in the other account.

Note: since I'm the owner of the SNS topic, I don't need to confirm the subscription on the SQS side.
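The two resource policies involved in the setup above, written out as an added example for this thread (it is not code from the question, the video, or AWS). The error message shows that the Subscribe call is made by the CloudFormation execution role in the queue account (11111111111), so the topic policy in 22222222222 has to allow that account. The topic policy below names the subscriber account as an explicit principal for sns:Subscribe, which is the form the AWS cross-account guide shows; a statement whose only link to the caller is a condition key on a wildcard principal only applies when the request context actually carries that key. The queue policy is the statement CDK's SqsSubscription adds on the subscriber side, with aws:SourceArn pinned to the one topic so that no other topic can deliver into the queue. Account IDs and the topic ARN are the placeholders from the question; the queue name "my-queue" and the Sids are hypothetical. The checker functions are a static lint over the policy documents, not an IAM simulator.

```python
"""Resource policies for a cross-account SNS -> SQS subscription, plus a static
check of which statements actually grant sns:Subscribe to the subscriber account.
Added example for this thread; account IDs and topic ARN are the question's
placeholders, the queue name and Sids are hypothetical."""
import json

TOPIC_OWNER = "22222222222"   # account that owns the topic (from the question)
QUEUE_OWNER = "11111111111"   # account that owns the queue (from the question)
TOPIC_ARN = f"arn:aws:sns:us-west-2:{TOPIC_OWNER}:id"
QUEUE_ARN = f"arn:aws:sqs:us-west-2:{QUEUE_OWNER}:my-queue"   # hypothetical name


def topic_policy(topic_arn, owner, subscriber_account):
    """Topic policy: owner keeps full control, the other account may only Subscribe.
    The cross-account statement names the account as principal (the form in the AWS
    cross-account guide) instead of Principal "*" gated by a condition key."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "OwnerFullAccess", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{owner}:root"},
             "Action": "sns:*", "Resource": topic_arn},
            {"Sid": "CrossAccountSubscribe", "Effect": "Allow",
             "Principal": {"AWS": subscriber_account},
             "Action": "sns:Subscribe", "Resource": topic_arn},
        ],
    }


def question_policy(topic_arn, owner, subscriber_account):
    """The shape posted in the question: wildcard principal plus AWS:SourceOwner."""
    return {
        "Version": "2008-10-17",
        "Statement": [
            {"Sid": "__default_statement_ID", "Effect": "Allow", "Principal": {"AWS": "*"},
             "Action": ["SNS:Publish", "SNS:Subscribe"], "Resource": topic_arn,
             "Condition": {"StringEquals": {"AWS:SourceOwner": owner}}},
            {"Effect": "Allow", "Principal": {"AWS": "*"},
             "Action": "sns:Subscribe", "Resource": topic_arn,
             "Condition": {"StringEquals": {"AWS:SourceOwner": subscriber_account}}},
        ],
    }


def queue_policy(queue_arn, topic_arn):
    """Subscriber-side queue policy (what SqsSubscription adds in CDK): the SNS
    service may send, but only on behalf of this one topic."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowTopicToSend", "Effect": "Allow",
            "Principal": {"Service": "sns.amazonaws.com"},
            "Action": "sqs:SendMessage", "Resource": queue_arn,
            # Without this condition any SNS topic in any account could deliver
            # into the queue (confused-deputy exposure).
            "Condition": {"ArnEquals": {"aws:SourceArn": topic_arn}},
        }],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _action_matches(actions, action):
    a = action.lower()
    for pat in (p.lower() for p in _as_list(actions)):
        if pat == a or pat == "*" or (pat.endswith("*") and a.startswith(pat[:-1])):
            return True
    return False


def _principal_names_account(principal, account):
    """True for an explicit account principal (ID or :root ARN) or a bare wildcard."""
    aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
    return any(p in {"*", account, f"arn:aws:iam::{account}:root"} for p in aws)


def unconditional_grants(policy, action, account, resource):
    """Sids of Allow statements granting `action` on `resource` to `account` with no
    Condition block. Statements gated on request-context keys (AWS:SourceOwner on a
    wildcard principal, as in the question) are not counted: whether they match
    depends on what the call carries, not on who the caller is."""
    sids = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        if not _action_matches(st["Action"], action):
            continue
        if resource not in _as_list(st["Resource"]) and "*" not in _as_list(st["Resource"]):
            continue
        if _principal_names_account(st["Principal"], account):
            sids.append(st.get("Sid", "<no Sid>"))
    return sids


def delivery_pinned_to_topic(policy, topic_arn):
    """True if every statement letting sns.amazonaws.com send is scoped to the topic."""
    pinned = False
    for st in policy["Statement"]:
        principal = st.get("Principal", {})
        if st.get("Effect") != "Allow" or not _action_matches(st["Action"], "sqs:SendMessage"):
            continue
        if not isinstance(principal, dict) or "sns.amazonaws.com" not in _as_list(principal.get("Service", [])):
            continue
        cond = st.get("Condition", {})
        source = {**cond.get("ArnEquals", {}), **cond.get("ArnLike", {})}.get("aws:SourceArn")
        if source != topic_arn:
            return False
        pinned = True
    return pinned


if __name__ == "__main__":
    fixed = topic_policy(TOPIC_ARN, TOPIC_OWNER, QUEUE_OWNER)
    posted = question_policy(TOPIC_ARN, TOPIC_OWNER, QUEUE_OWNER)
    print("posted policy, unconditional Subscribe grants to", QUEUE_OWNER, ":",
          unconditional_grants(posted, "sns:Subscribe", QUEUE_OWNER, TOPIC_ARN))
    print("fixed policy, unconditional Subscribe grants to", QUEUE_OWNER, ":",
          unconditional_grants(fixed, "sns:Subscribe", QUEUE_OWNER, TOPIC_ARN))
    print(json.dumps(fixed, indent=2))
    print(json.dumps(queue_policy(QUEUE_ARN, TOPIC_ARN), indent=2))
```

On the topic-owner stack the CrossAccountSubscribe statement is the one to attach with topic.addToResourcePolicy, using an iam.AccountPrincipal for the subscriber account; on the queue stack the SqsSubscription construct from the question already adds the queue statement, so nothing else is needed there beyond keeping the aws:SourceArn condition in place.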

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM