aws:PrincipalAccount condition not supported?


I am trying to use the Queue Policy below to send messages from any principal in accountID2 to the queue queuename in accountID1

However, when I deploy that using CloudFormation, I get the error below which doesn't make sense since aws:PrincipalAccount is on the list at the provided link.

Is aws:PrincipalAccount not supported in this context? Is it something that's used at all? Given the small number of Google search results for "aws:PrincipalAccount", I'm wondering.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "CrossAccountSending",
    "Effect": "Allow",
    "Principal": {
      "AWS": "*"
    },
    "Action": "sqs:SendMessage",
    "Resource": "arn:aws:sqs:us-east-1:accountID1:queuename",
    "Condition": {
      "StringEquals": {
        "aws:PrincipalAccount": "accountID2"
      }
    }
  }]
}

Error:

Value aws:PrincipalAccount for parameter Condition is invalid. Reason: Conditions must be from Global context key list https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html. (Service: AmazonSQS; Status Code: 400; Error Code: InvalidParameterValue; Request ID: d1faeb52-96fa-52d8-a614-bd379fe7f427)
asked 4 years ago, 786 views
1 Answer

I think I just discovered the answer myself:
https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-api-permissions-reference.html

Currently, Amazon SQS supports only a limited subset of the condition keys available in IAM

So the CloudFormation error message would be incorrect in this case.

answered 4 years ago
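As an added example (not from the original post), the standard way around this: name the sending account in the Principal element instead of relying on a condition key, plus a check that flags the naive fix of simply deleting the rejected condition, which would leave the queue writable by any AWS principal. The account ids are placeholders.

```python
import json
from copy import deepcopy

# Constructed sample mirroring the question's policy with placeholder account ids
# (111111111111 owns the queue, 222222222222 is the sending account).
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "CrossAccountSending",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "sqs:SendMessage",
        "Resource": "arn:aws:sqs:us-east-1:111111111111:queuename",
        "Condition": {"StringEquals": {"aws:PrincipalAccount": "222222222222"}},
    }],
}


def rewrite_principal_account(policy: dict) -> dict:
    """Return a copy in which each aws:PrincipalAccount condition is replaced by
    an explicit account-root Principal, which SQS evaluates without condition keys."""
    out = deepcopy(policy)
    for stmt in out["Statement"]:
        cond = stmt.get("Condition", {})
        accounts = cond.get("StringEquals", {}).pop("aws:PrincipalAccount", None)
        if accounts is None:
            continue
        if isinstance(accounts, str):
            accounts = [accounts]
        stmt["Principal"] = {"AWS": [f"arn:aws:iam::{a}:root" for a in accounts]}
        # Drop the now-empty Condition containers.
        if not cond["StringEquals"]:
            del cond["StringEquals"]
        if not cond:
            stmt.pop("Condition", None)
    return out


def open_statements(policy: dict) -> list:
    """Sids of Allow statements granting to Principal "*" with no Condition at all:
    the shape produced by just deleting the condition the API rejected."""
    found = []
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and wildcard and not stmt.get("Condition"):
            found.append(stmt.get("Sid", "<no Sid>"))
    return found


if __name__ == "__main__":
    print(json.dumps(rewrite_principal_account(QUESTION_POLICY), indent=2))
```

Granting to the account root delegates to the sender account's own IAM policies, which is what "any principal in accountID2" asks for.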
