I'm trying to give SNS the permission to publish to an SQS queue but I keep getting error:
Invalid parameter: Policy Error: null (Service: AmazonSNS; Status Code: 400; Error Code: InvalidParameter; Request ID: a5459d05-e37a-5906-92c2-c16c4813cca0; Proxy: null)
I am using the serverless framework, and have read multiple posts describing the same issue but none of the fixes seem to work, here is my current version:
MyTopicPolicy:
Type: AWS::SNS::TopicPolicy
Properties:
PolicyDocument:
Id: 'allowsSNSToSQS'
Version: '2012-10-17'
Statement:
Sid: AllowSNStoPublishToSQS
Effect: Allow
Principle: "*"
Action: 'sqs:SendMessage'
Resource:
Fn::GetAtt: [MyQueue , Arn ]
Condition:
ArnEquals:
aws:SourceArn: { "Ref" : "MyTopic" }
Topics:
- { "Ref" : "MyTopic" }
Does anyone have any ideas? thanks
Along with the typo I was also using the wrong policy type, I should've been using AWS::SQS::QueuePolicy as can be seen below:
MyTopicPolicy:
Type: AWS::SQS::QueuePolicy
Properties:
Queues:
- {"Ref": "MyQueue"}
PolicyDocument:
Id: 'allowsSNSToSQS'
Version: '2012-10-17'
Statement:
Sid: AllowSNStoPublishToSQS
Effect: Allow
Principal:
Service: "sns.amazonaws.com"
Action: "sqs:SendMessage"
Resource:
Fn::GetAtt: [MyQueue , Arn ]
Condition:
ArnEquals:
aws:SourceArn: { "Ref" : "MyTopic" }
Related
creating SQS policy : its giving me error Resource handler returned message: "Invalid value for the parameter Policy. (Service: Sqs, Status Code: 400, Request ID: 5d7ffb34-bd69-5409-aec7-a1809c4f6aeb, Extended Request ID: null)" (RequestToken: 0f7979cf-6aae-a59b-e687-99ba47279537, HandlerErrorCode: GeneralServiceException)
Not sure what is wrong here , I have referred this Stackoverflow
SQSQueuePolicy:
Type: AWS::SQS::QueuePolicy
Properties:
PolicyDocument:
Version: '2008-10-17'
Id: '__default_policy_ID'
Statement:
- Sid: '__owner_statement'
Effect: Allow
Principal:
AWS: 'arn:aws:iam::${AWS::AccountId}:root'
Action: 'SQS:*'
Resource: !GetAtt test12StandardQueue.Arn
- Sid: 'Allow-SNS-SendMessage'
Effect: Allow
Principal: '*'
Action: SQS:SendMessage
Resource: !GetAtt test12StandardQueue.Arn
Condition:
ArnLike:
aws:SourceArn: !Ref SNSTopicARN
Queues:
- !Ref test12StandardQueue
I have tried instead of Version: '2008-10-17' or '2012-10-17' but same error
Instead of
AWS: 'arn:aws:iam::${AWS::AccountId}:root'
it should be:
AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
I've written a CloudFormation template that creates an ElasticBeanstalk application. However, when I execute the template, I receive the following error: Access Denied (Service: AWSElasticBeanstalk; Status Code: 403; Error Code: InsufficientPrivilegesException; Request ID: 6c580af3-250d-4658-bc2f-8f6af4c1dd6d; Proxy: null).
What permission do I need to add?
The relevant portion of my CloudFormation script:
# The role used by CloudFormation to create the stack
CFNRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: ["sts:AssumeRole"]
Effect: Allow
Principal:
Service: [cloudformation.amazonaws.com]
Version: "2012-10-17"
Path: /
Policies:
- PolicyName: CloudFormationRole
PolicyDocument:
Version: "2012-10-17"
Statement:
- Action:
- "ec2:*"
- "elasticbeanstalk:*"
- "iam:*"
- "lambda:*"
- "logs:*"
Effect: Allow
Resource: "*"
# more stuff here...
# Create the EB app without an Environment for now
EBApp1:
Type: AWS::ElasticBeanstalk::Application
Properties:
Description: my-api
It turns out I was missing the S3 permissions on the CFNRole. I modified the permissions to the following, and the stack could be deployed.
CFNRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: ["sts:AssumeRole"]
Effect: Allow
Principal:
Service: [cloudformation.amazonaws.com]
Version: "2012-10-17"
Path: /
Policies:
- PolicyName: CloudFormationRole
PolicyDocument:
Version: "2012-10-17"
Statement:
- Action:
- "ec2:*"
- "elasticbeanstalk:*"
- "iam:*"
- "lambda:*"
- "logs:*"
- "s3:*" #### Added this line ####
Effect: Allow
Resource: "*"
I'm trying to create a state machine that can invoke another state machine. I tried to use following approach to get ARN. However this returns error Arn is not a valid property, which stack is being created.
ParentStateMachine:
Type: "AWS::StepFunctions::StateMachine"
Properties:
StateMachineName: !Sub "ParentStateMachine"
DefinitionString:
Fn::Sub:
- |-
{
"Comment": "...",
"StartAt": "State1",
"States": {
"State1": {
"Type": "Task",
"Resource": "arn:aws:states:::states:startExecution.sync",
"Parameters": {
"StateMachineArn": "${ChildStateMachineArn}",
"Input": {
"StatePayload": {
"datasetDate.$": "$.datasetDate"
},
"AWS_STEP_FUNCTIONS_STARTED_BY_EXECUTION_ID.$": "$$.Execution.Id"
}
},
"End": true
}
}
}
- {
ChildStateMachineArn:
Fn::GetAtt:
- ChildStateMachine
- Arn
}
RoleArn:
Fn::GetAtt:
- StatesExecutionRole
- Arn
I've also tried to generate ARN by using this string.
arn:aws:states:${AWS::Region}:${AWS::AccountId}:stateMachine:ChildStateMachine
However, this gave error
Failed to call Step Functions for request: 'com.amazonaws.services.stepfunctions.model.CreateStateMachineRequest'. (Service: null; Status Code: 500; Error Code: null; Request ID: null)
I'm able to create other type of state machines using cloud formation. Only when I'm trying to create one that executes a child workflow is not working. When I go to cloud trail, the CreateStateMachineEvent has an error code of Access Denied. I've given Admin Access to the role. Did anyone face this issue and found a solution?
For States using the "Wait For callback" patterns (those ending in .sync or .waitForTaskToken) you need special policies, as mentioned here.
Specifically in your case, in addition to the Standard states:StartEecution policy you need to add event-related policies:
events:PutTargets
events:PutRule
events:DescribeRule
And policies dedicated to the Description and Stopping of the execution:
states:DescribeExecution
states:StopExecution
Details can be found here
For simplicity, most of the time I use the next policies:
- PolicyName: StatesStartExecutionPolicy
- PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- "states:*"
Resource: "*"
- PolicyName: StatesAccessEventsPolicy
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- "events:*"
Resource: "*"
I run into the same issue. I was able to fix after giving the "states:StartExecution" permission to ParentStateMachine.
Create an inline policy for your Parent StatMachine's StatesExecutionRole and add something like below with the ChildStateMachineName. It should fix the issue.
- PolicyDocument:
Version: '2012-10-17'
Statement:
-
Effect: Allow
Action:
- states:StartExecution
Resource: !GetAtt ChildStateMachine.Arn
If anyone is using AWS SAM, you can use an inline policy statement like this:
Policies:
- StepFunctionsExecutionPolicy:
StateMachineName: !GetAtt ChildStepFunction.Name
- Statement:
- Sid: StatesStartExecutionPolicy
Effect: Allow
Action:
- "states:*"
Resource: '*'
- Sid: StatesAccessEventsPolicy
Effect: Allow
Action:
- "events:*"
Resource: '*'
Can't figure out what I am doing wrong, if I comment out the SNSAddTopicPolicy, everything works fine, however once uncommented I get:
SNSAddTopicPolicy - Invalid parameter: Policy Error: null (Service: AmazonSNS; Status Code: 400; Error Code: InvalidParameter; Request ID: 26870c3b-4829-5080-bd88-59e9524c08e4).
I have tried every single combination but can't get it to work, any help?
BucketAddEventInterfaceSNSTopic:
Type: AWS::SNS::Topic
Properties:
TopicName: accounts-bucket-add-interface-dev
SNSAddTopicPolicy:
Type: AWS::SNS::TopicPolicy
Properties:
PolicyDocument:
Id: 'accounts-sns-add-policy-dev'
Version: 2012-10-17
Statement:
Sid: 'accounts-sns-add-statement-dev'
Effect: Allow
# this probably needs narrowed down
Principal:
AWS: '*'
Action: sns:Publish
Resource: { "Ref":"BucketAddEventInterfaceSNSTopic" }
Topics:
- { "Ref": "BucketAddEventInterfaceSNSTopic" }
It looks like you're mixing JSON and YAML syntax for the REF. Also, just to be safe you should put quotes around your version as shown below.
Your Policy should look more like this
SNSAddTopicPolicy:
Type: AWS::SNS::TopicPolicy
Properties:
PolicyDocument:
Id: 'accounts-sns-add-policy-dev'
Version: '2012-10-17'
Statement:
Sid: 'accounts-sns-add-statement-dev'
Effect: Allow
# this probably needs narrowed down
Principal:
AWS: '*'
Action: sns:Publish
Resource: !Ref BucketAddEventInterfaceSNSTopic
Topics:
- !Ref BucketAddEventInterfaceSNSTopic
Here is the error.
An error occurred: SNSTopicPolicy - Invalid parameter:
Policy Error: null (Service: AmazonSNS;
Status Code: 400; Error Code: InvalidParameter;
Request ID: 38a567df-2cff-50bf-8f0e-33a91775cc6e).
I cannot find a place to look into logs to tell me what parameter is missing.?.? I'm pretty sure I have everything that is required. I'm using this site and their api pages.
SNSTopic:
Type: AWS::SNS::Topic
Properties:
DisplayName: Aura main Topic
TopicName: ${file(./env.yml):${opt:stage, self:provider.stage}.env.auraSnsTopicName}
SNSTopicPolicy:
Type: AWS::SNS::TopicPolicy
Properties:
PolicyDocument:
Id: auraAllowSQSsendrobelrobel
Statement:
-
Effect: Allow
Action:
- sns: Publish
Resource: { "Fn::GetAtt":["SQSQueue" ,"Arn"]}
Principle:
AWS: "*"
Topics:
- { "Ref": "SNSTopic" }
SQSQueue:
Type: AWS::SQS::Queue
Properties:
QueueName: ${file(./env.yml):${opt:stage, self:provider.stage}.env.eeegPagesQueueName}
RedrivePolicy:
deadLetterTargetArn: {"Fn::GetAtt" : [ "SQSQueueDLQ", "Arn" ]}
maxReceiveCount: 2
SQSQueuePolicy:
Type: AWS::SQS::QueuePolicy
Properties:
PolicyDocument:
Id: allowSNSSourceAndLambdaTrigger
Statement:
-
Effect: Allow
Action:
- SQS:ReceiveMessage
- SQS:SendMessage
- SQS:ChangeMessageVisibility
- SQS:ListDeadLetterSourceQueues
- SQS:GetQueueUrl
# - lambda:CreateEventSourceMapping
# - lambda:ListEventSourceMappings
# - lambda:ListFunction
Resource: {"Ref": "SNSTopic"}
Queues:
- { "Ref": "SQSQueue" }
I have an SQS Policy statement that is working just fine.
Your Environment Information ----------------------------
OS: Mac darwin
Node Version: 8.12.0
Serverless Version: 1.32.0
Turns out you need spelling is important and also the AWS sub object was not needed.
Principal: "*"
Working Policy below:
SNSTopicPolicy:
Type: AWS::SNS::TopicPolicy
Properties:
PolicyDocument:
Statement:
- Sid: auraAllowSQSPublish
Effect: Allow
Principal: "*"
Action: "sns:Publish"
Resource: { "Ref": "SNSTopic" }
Topics:
- { "Ref": "SNSTopic" }