I am trying to use the queue policy below to send messages from any principal in accountID2 to the queue queuename in accountID1.
However, when I deploy that using CloudFormation, I get the error below, which doesn't make sense since aws:PrincipalAccount is on the list at the provided link.
Is aws:PrincipalAccount not supported in this context? Is it something that's used at all? Given the small number of Google search results for "aws:PrincipalAccount", I'm wondering.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "CrossAccountSending",
    "Effect": "Allow",
    "Principal": {
      "AWS": "*"
    },
    "Action": "sqs:SendMessage",
    "Resource": "arn:aws:sqs:us-east-1:accountID1:queuename",
    "Condition": {
      "StringEquals": {
        "aws:PrincipalAccount": "accountID2"
      }
    }
  }]
}
Error:
Value aws:PrincipalAccount for parameter Condition is invalid. Reason: Conditions must be from Global context key list https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html. (Service: AmazonSQS; Status Code: 400; Error Code: InvalidParameterValue; Request ID: d1faeb52-96fa-52d8-a614-bd379fe7f427)
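An added example, not part of the question above and not an answer to it: the posted statement relies entirely on its Condition to keep a wildcard Principal from being world-open, so a review-time check that flags Allow statements open to any principal without an account/org/ARN-scoping condition is useful before a policy like this reaches CloudFormation. The inputs are constructed from the question's statement (placeholder account ids kept); the third pins the Principal to an account root ARN instead of relying on a condition.

```python
import json

# Global condition keys that pin a wildcard principal to a specific account,
# organization or caller; compared case-insensitively, as IAM does.
PRINCIPAL_SCOPING_KEYS = {
    "aws:principalaccount", "aws:principalarn", "aws:principalorgid",
    "aws:sourceaccount", "aws:sourcearn",
}

def is_wildcard_principal(principal):
    """True when the Principal element matches any AWS principal."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def condition_keys(condition):
    """Flatten {"StringEquals": {"aws:X": ...}, ...} into its set of key names."""
    return {k.lower() for clause in (condition or {}).values() for k in clause}

def unscoped_statements(policy_json):
    """Return the Sids of Allow statements that grant access to any principal
    without an account/org/ARN-scoping condition (i.e. effectively public)."""
    policy = json.loads(policy_json)
    statements = policy["Statement"]
    statements = [statements] if isinstance(statements, dict) else statements
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not is_wildcard_principal(stmt.get("Principal")):
            continue
        if not condition_keys(stmt.get("Condition")) & PRINCIPAL_SCOPING_KEYS:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

# Constructed inputs: the statement from the question (placeholder ids kept),
# the same statement with its Condition dropped, and an explicit-principal form.
POSTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "CrossAccountSending", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "sqs:SendMessage", "Resource": "arn:aws:sqs:us-east-1:accountID1:queuename",
    "Condition": {"StringEquals": {"aws:PrincipalAccount": "accountID2"}}}]})
STRIPPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "CrossAccountSending", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "sqs:SendMessage", "Resource": "arn:aws:sqs:us-east-1:accountID1:queuename"}]})
ROOT_PRINCIPAL_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "CrossAccountSending", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::accountID2:root"},
    "Action": "sqs:SendMessage", "Resource": "arn:aws:sqs:us-east-1:accountID1:queuename"}]})
```

Only the stripped variant is reported, which is exactly the shape the policy would take if someone "fixed" the deployment error by deleting the rejected condition.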