How do I troubleshoot the Amazon SQS error "Invalid value for the parameter policy"?


I want to troubleshoot the Amazon Simple Queue Service (Amazon SQS) error "Invalid value for the parameter policy".

Short description

I updated my Amazon SQS queue resource policy or properties and received one of these errors:

"InvalidAttributeValue: Invalid value for the parameter Policy"

-or-

"An error occurred (InvalidAttributeValue) when calling the SetQueueAttributes operation: Invalid value for the parameter Policy."

Resolution

Follow these steps for updates that you make to either the Amazon SQS queue resource policy or queue properties.

Amazon SQS queue resource policy updates

Confirm that the resource policy is valid

Check that the resource policy has all the required fields. For more information, see AWS Identity and Access Management (IAM) JSON policy elements reference and Validating IAM policies.

You can also use the AWS Policy Generator to create and test an SQS resource policy. Make sure that the policy is in JSON format.

Confirm that the Principal element value exists and is valid

Make sure that the Principal element exists in the resource policy and that the value is valid. The Principal element can use any of these values:

AWS account and root user: "Principal": { "AWS": "arn:aws:iam::123456789012:root" }
IAM roles: "Principal": { "AWS": "arn:aws:iam::AWS-account-ID:role/role-name" }
Role sessions: "Principal": { "AWS": "arn:aws:sts::AWS-account-ID:assumed-role/role-name/role-session-name" }
IAM users: "Principal": { "AWS": "arn:aws:iam::AWS-account-ID:user/user-name" }
Federated user sessions: "Principal": { "AWS": "arn:aws:sts::AWS-account-ID:federated-user/user-name" }
AWS services: "Principal": { "Service": "sns.amazonaws.com" }
All principals: "Principal" : { "AWS" : "*" }

If your SQS resource policy Principal element includes an IAM entity, then make sure that the entity exists before you use the policy. Amazon SQS validates the resource policy and checks for the IAM entity. If the IAM entity doesn't exist, then you get an error. To confirm IAM entities, use the GetRole and GetUser APIs.

Note: Access policies can't use AccessKey IDs and instance profiles as the Principal element.

For more information, see AWS JSON policy elements: Principal.
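The Principal checks above can be run locally before calling SetQueueAttributes. The following Python is an added example, not code from this article or from AWS. The names check_policy and SAMPLE and the regular expressions are this example's own approximation of the accepted forms, not the validation logic that Amazon SQS runs. It doesn't confirm that an IAM entity exists, which still requires GetRole or GetUser.

```python
import json
import re

# Accepted "AWS" values: "*", a 12-digit account ID, or the ARN forms listed above.
AWS_PRINCIPAL = re.compile(
    r"^(\*|\d{12}"
    r"|arn:aws[\w-]*:iam::\d{12}:(root|role/.+|user/.+)"
    r"|arn:aws[\w-]*:sts::\d{12}:(assumed-role/[^/]+/.+|federated-user/.+))$")
ACCESS_KEY_ID = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")
SERVICE_NAME = re.compile(r"^[a-z0-9.-]+\.amazonaws\.com(\.cn)?$")

def as_list(value):
    return value if isinstance(value, list) else [value]

def check_policy(text):
    """Return a list of problems; an empty list means no local problem was found."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as err:
        return [f"not valid JSON: {err.msg} (line {err.lineno})"]
    if not isinstance(policy, dict) or not policy.get("Statement"):
        return ["policy must be a JSON object with a Statement element"]
    problems = []
    for i, st in enumerate(as_list(policy["Statement"])):
        where = f"Statement[{i}]"
        # A malformed (non-object) statement is reported as having no Principal.
        principal = st.get("Principal", st.get("NotPrincipal")) if isinstance(st, dict) else None
        if principal is None:
            problems.append(f"{where}: Principal element is missing")
        elif isinstance(principal, dict):
            for value in map(str, as_list(principal.get("AWS", []))):
                if SERVICE_NAME.match(value):
                    problems.append(f'{where}: {value} belongs under "Service", not "AWS"')
                elif ACCESS_KEY_ID.match(value) or ":instance-profile/" in value:
                    problems.append(f"{where}: {value} is an access key ID or instance profile")
                elif not AWS_PRINCIPAL.match(value):
                    problems.append(f"{where}: {value} is not a recognised AWS principal")
            for value in map(str, as_list(principal.get("Service", []))):
                if not SERVICE_NAME.match(value):
                    problems.append(f"{where}: {value} is not a service principal name")
        elif principal != "*":
            problems.append(f'{where}: Principal must be "*" or a JSON object')
    return problems

# Constructed sample: a service principal placed under the "AWS" key.
SAMPLE = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": ["events.amazonaws.com"]},
  "Action": "sqs:SendMessage",
  "Resource": "arn:aws:sqs:us-east-1:123456789012:example-queue"}]}"""

if __name__ == "__main__":
    for problem in check_policy(SAMPLE) or ["no local problems found"]:
        print(problem)
```

Placeholder values such as AWS-account-ID are reported as unrecognised, so the check also catches a template that was pasted without being filled in.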

Amazon SQS queue property updates

You can update SQS queue properties from the Amazon SQS console. The SQS properties update invokes the SetQueueAttributes API for the access policy that you're using. Before you make updates to SQS properties, check that the access policy is valid and that the IAM entities exist.

Related information

What permissions do I need to access an Amazon SQS queue?

AWS OFFICIAL
Updated 6 months ago
1 Comment

Thank you!

The Policy Generator in https://awspolicygen.s3.amazonaws.com/policygen.html (which I found through the official docs) kept generating a policy with:

...
      "Principal": {
        "AWS": [
          "events.amazonaws.com"
        ]
      }
...

i.e. "AWS" instead of "Service". This was rejected by the SQS policy field. Once I changed it to "Service" the policy was accepted.

Amos
replied 5 months ago