AMS Subscription Error (eu-west-1): Unable to validate destination SQS queue despite correct policy

0

Hi there, I am trying to subscribe an Amazon SQS queue located in the eu-west-1 (Ireland) region to the Amazon Marketing Stream (AMS) sp-traffic dataset using the Subscription API (POST https://advertising-api-eu.amazon.com/streams/subscriptions).

However, I consistently receive a 400 Bad Request error with the message: {"message":"Unable to validate destination: arn:aws:sqs:eu-west-1:<YOUR_ACCOUNT_ID>:ams-eu-sp-traffic-queue"} (Also tested with a new queue ...:ams-eu-sp-traffic-queue2 with the same result).

Details & Steps Taken:

  1. Goal: Receive sp-traffic events in an SQS queue in eu-west-1.
  2. API Call: Using Python requests library with LWA Bearer Token authentication.
  3. Authentication: Authentication seems successful (no 401/403 errors). Headers include Authorization, Amazon-Advertising-API-ClientId, Amazon-Advertising-API-Scope, Content-Type (vnd.MarketingStreamSubscriptions...), and Accept (vnd.MarketingStreamSubscriptions...).
  4. Region: Confirmed SQS queue is Standard type and located in eu-west-1. The API endpoint used is the EU one (advertising-api-eu.amazon.com).
  5. SQS Policy: Attached the following policy to the SQS queue (Resource ARN confirmed correct):
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "sns.amazonaws.com"
          },
          "Action": "sqs:SendMessage",
          "Resource": "arn:aws:sqs:eu-west-1:<YOUR_ACCOUNT_ID>:ams-eu-sp-traffic-queue",
          "Condition": {
            "ArnEquals": {
              "aws:SourceArn": "arn:aws:sns:eu-west-1:119690846692:sp-traffic-eu"
            },
            "StringEquals": {
              "aws:SourceAccount": "119690846692"
            }
          }
        }
      ]
    }
  6. Troubleshooting Tried:
    • Confirmed the Resource ARN in the policy matches the target SQS queue.
    • Confirmed the aws:SourceArn and aws:SourceAccount values match the details provided by Amazon for AMS in eu-west-1.
    • Tried removing the entire Condition block from the policy – the error persisted.
    • Tried using a different aws:SourceArn found in a GitHub example (arn:aws:sns:eu-west-1:668473351658:*) – the error persisted.
    • Created a completely new SQS queue (ams-eu-sp-traffic-queue2) in eu-west-1 with the correct policy – the error persisted.
    • Tried using AWS Signature v4 authentication (with IAM user keys); this resulted in a 401 Unauthorized error, which seems unrelated to the destination validation issue (likely an IAM permission issue for the calling user).

Question:

Despite the SQS policy appearing correct and aligned with AWS documentation examples (allowing sns.amazonaws.com with SourceArn and SourceAccount conditions), AMS consistently fails to validate the SQS destination in eu-west-1.

What could be causing this "Unable to validate destination" error? Are there any known issues, undocumented requirements (e.g., specific queue naming, tags, LWA scopes), potential SNS topic ARN changes, or further troubleshooting steps recommended for AMS SQS integration specifically in the eu-west-1 region?

Thank you in advance!

1 Answer
0

The "Unable to validate destination" error you're encountering with Amazon Marketing Stream (AMS) and your SQS queue in eu-west-1 could be due to a few potential issues:

  1. Principal mismatch: Your current policy specifies "sns.amazonaws.com" as the Principal, but AMS might be using a different service to send messages. Try changing the Principal to "events.amazonaws.com" or "s3.amazonaws.com" instead.

  2. Action permissions: Ensure that the Action in your policy includes both "sqs:SendMessage" and "sqs:GetQueueAttributes". AMS might need both permissions to validate the queue.

  3. Resource ARN: Double-check that the Resource ARN in your policy exactly matches your SQS queue's ARN, including the correct account ID and queue name.

  4. Condition block: While you've tried removing the Condition block, it might be necessary with the correct values. Ensure the ArnLike or ArnEquals condition uses the correct source ARN for AMS in eu-west-1.

  5. Queue accessibility: Verify that your SQS queue is not set to private and does not have any other access restrictions that might prevent AMS from validating it.

  6. Policy format: Ensure your policy is in valid JSON format without any syntax errors.

To troubleshoot further:

  1. Try using the AWS CLI or SDK to test sending a message to your SQS queue using the same permissions as in your policy. This can help isolate if the issue is with the queue configuration or with AMS specifically.

  2. Check CloudTrail logs for any denied actions related to your SQS queue around the time you're making the AMS API call.

  3. Consider reaching out to AWS Support for specific guidance on AMS requirements for SQS integration in eu-west-1, as there might be undocumented specifics for this service.

Remember to make one change at a time and test after each modification to isolate the cause of the validation failure.
Sources
Unable to validate the following destination configuration | AWS re:Post
Resolve EventBridge notification failures in Amazon SQS | AWS re:Post

answered a year ago
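
A local check of the queue policy discussed above, added here as an example (it is not code from either post or from AWS). It compares a policy document with the queue and topic ARNs you expect and reports where they differ, including the case where the Condition block has been removed and the grant is no longer tied to one topic. The function names, the account ID 111122223333 and the use of `fnmatch` to approximate ARN wildcard matching are assumptions of this example.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample values: a documentation-style account ID for the queue,
# and the topic ARN as quoted in the question above.
QUEUE_ARN = "arn:aws:sqs:eu-west-1:111122223333:ams-eu-sp-traffic-queue"
TOPIC_ARN = "arn:aws:sns:eu-west-1:119690846692:sp-traffic-eu"

def _as_list(value):
    """Policy JSON allows a single value or a list almost everywhere."""
    return value if isinstance(value, list) else [value]

def sample_policy(condition):
    """Build the question's policy shape with a chosen Condition block."""
    stmt = {"Effect": "Allow", "Principal": {"Service": "sns.amazonaws.com"},
            "Action": "sqs:SendMessage", "Resource": QUEUE_ARN}
    if condition:
        stmt["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})

def audit_queue_policy(policy_json, queue_arn, topic_arn, service="sns.amazonaws.com"):
    """Return a list of findings; an empty list means the grant matches."""
    try:
        statements = _as_list(json.loads(policy_json).get("Statement", []))
    except (json.JSONDecodeError, AttributeError) as exc:
        return [f"policy is not a valid JSON policy document: {exc}"]
    findings, matched = [], False
    for stmt in statements:
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if (stmt.get("Effect") != "Allow" or service not in services
                or not any(fnmatchcase("sqs:sendmessage", a) for a in actions)):
            continue  # not a SendMessage grant to this service principal
        if not any(fnmatchcase(queue_arn, r) for r in _as_list(stmt.get("Resource", []))):
            findings.append("Resource does not match the queue ARN")
            continue
        matched = True
        cond = stmt.get("Condition", {})
        sources = [p for op in ("ArnEquals", "ArnLike")
                   for p in _as_list(cond.get(op, {}).get("aws:SourceArn", []))]
        if not sources:
            findings.append("no aws:SourceArn condition: grant is not limited to one topic")
        elif not any(fnmatchcase(topic_arn, p) for p in sources):
            findings.append(f"aws:SourceArn {sources} does not match {topic_arn}")
        accounts = _as_list(cond.get("StringEquals", {}).get("aws:SourceAccount", []))
        if accounts and topic_arn.split(":")[4] not in accounts:
            findings.append("aws:SourceAccount differs from the topic's account")
    if not matched and not findings:
        findings.append(f"no Allow statement grants sqs:SendMessage to {service}")
    return findings
```

To audit a live queue, pass the `Policy` attribute returned by SQS `GetQueueAttributes` as `policy_json`.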
