1 Answer
Hello.
According to the documentation, it works with the SQS queue name obtained with "!Ref".
Actually, I have created a queue using CloudFormation in the past, but it worked with the SQS queue name obtained with "!Ref".
I think it will work if you use "!GetAtt" to get the ARN of the SQS queue set in "Resource" of the queue policy.
https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-resource-sqs-queuepolicy.html#cfn-sqs-queuepolicy-queues
Specifically, I thought it would work if I did the following:

```yaml
QueuePolicy:
  Type: AWS::SQS::QueuePolicy
  Properties:
    # Queues takes queue URLs; !Ref on an AWS::SQS::Queue resolves to the URL.
    # (Property added here to make the snippet complete.)
    Queues:
      - !Ref MySqsQueue
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Sid: "Account used"
          Effect: "Allow"
          # "*" with SQS:* allows every AWS principal; restrict it before deploying.
          Principal:
            AWS: "*"
          Action:
            - "SQS:*"
          # Resource must be the queue ARN, not its URL or name.
          Resource: !GetAtt MySqsQueue.Arn
```
Thanks. To clarify, we had multiple stacks with similar content for different environments that were already working, and I added a new stack that was similar to the others. So I know that having a static name in the `Queues` field can work, and so can a `!Ref`. It was only when switching from one format to the other that the policy broke. In my experiments, I also found that the `Resource` could be a static ARN like `arn:aws:sqs:region:accountId:queue-name` or a `!GetAtt` – either would work. The weird thing I found with this field was that changing it from an array to a single-item object or back could revive a policy that was broken by the issue I described with the `Queues` field.
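A static check that encodes the two rules discussed in the answer and the follow-up comment: `Queues` wants the queue URL that `!Ref` on an `AWS::SQS::Queue` returns, `Resource` wants the ARN that `!GetAtt Queue.Arn` returns, and both fields may be given as a single value or a list. This is an added example in Python, not code from the thread or from AWS. It works on the JSON form of a template, where `!Ref X` is `{"Ref": "X"}` and `!GetAtt X.Arn` is `{"Fn::GetAtt": ["X", "Arn"]}`; the templates, the `sns.amazonaws.com` principal and the `aws:SourceArn` condition are constructed for the example. It also flags an `Allow` to `Principal: "*"` with no `Condition`, which is what the snippet in the answer grants.

```python
"""Static check of an AWS::SQS::QueuePolicy in a CloudFormation template.

Added example, not from the re:Post thread. Works on the JSON form of a
template: `!Ref X` is {"Ref": "X"} and `!GetAtt X.Arn` is
{"Fn::GetAtt": ["X", "Arn"]}. All templates below are constructed samples.
"""

SQS_ARN_PREFIX = "arn:aws:sqs:"


def as_list(value):
    """Queues, Resource and Principal.AWS may be a single value or a list."""
    return value if isinstance(value, list) else [value]


def is_sqs_queue(template, logical_id):
    res = template.get("Resources", {}).get(logical_id, {})
    return res.get("Type") == "AWS::SQS::Queue"


def is_queue_url(template, value):
    """A Queues entry: Ref of an AWS::SQS::Queue (resolves to the URL) or a literal URL."""
    if isinstance(value, dict) and set(value) == {"Ref"}:
        return is_sqs_queue(template, value["Ref"])
    return isinstance(value, str) and value.startswith("https://")


def is_queue_arn(template, value):
    """A Resource entry: Fn::GetAtt <Queue>.Arn or a literal SQS ARN."""
    if isinstance(value, dict) and set(value) == {"Fn::GetAtt"}:
        target = value["Fn::GetAtt"]
        if isinstance(target, str):          # short form "Queue.Arn"
            target = target.split(".", 1)
        return len(target) == 2 and target[1] == "Arn" and is_sqs_queue(template, target[0])
    return isinstance(value, str) and value.startswith(SQS_ARN_PREFIX)


def check_queue_policy(template, policy_id):
    """Return a list of findings (empty means the policy looks consistent)."""
    findings = []
    props = template["Resources"][policy_id].get("Properties", {})
    for q in as_list(props.get("Queues", [])):
        if not is_queue_url(template, q):
            findings.append(f"Queues entry {q!r} is not a queue URL; use !Ref on the queue")
    for stmt in props.get("PolicyDocument", {}).get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        for r in as_list(stmt.get("Resource", [])):
            if not is_queue_arn(template, r):
                findings.append(f"{sid}: Resource {r!r} is not a queue ARN; use !GetAtt Queue.Arn")
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if stmt.get("Effect") == "Allow" and "*" in as_list(aws) and "Condition" not in stmt:
            findings.append(f"{sid}: Allow to Principal '*' without a Condition opens the queue to everyone")
    return findings


def build_template(queues, resource, principal, condition=None):
    """Constructed sample: one queue plus a policy whose fields we vary."""
    statement = {"Sid": "Account used", "Effect": "Allow", "Principal": principal,
                 "Action": ["SQS:*"], "Resource": resource}
    if condition:
        statement["Condition"] = condition
    return {"Resources": {
        "MySqsQueue": {"Type": "AWS::SQS::Queue"},
        "QueuePolicy": {"Type": "AWS::SQS::QueuePolicy",
                        "Properties": {"Queues": queues,
                                       "PolicyDocument": {"Version": "2012-10-17",
                                                          "Statement": [statement]}}}}}


# Bare queue name in Queues, bare name in Resource, and a wide-open principal.
BROKEN_TEMPLATE = build_template(["my-queue"], "my-queue", {"AWS": "*"})

# !Ref for Queues, !GetAtt .Arn for Resource (given as a single value, which is
# also accepted), and a service principal pinned to one constructed topic ARN.
FIXED_TEMPLATE = build_template(
    [{"Ref": "MySqsQueue"}],
    {"Fn::GetAtt": ["MySqsQueue", "Arn"]},
    {"Service": "sns.amazonaws.com"},
    {"ArnEquals": {"aws:SourceArn": "arn:aws:sns:us-east-1:123456789012:example-topic"}},
)

if __name__ == "__main__":
    for name, tpl in (("broken", BROKEN_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        print(name, check_queue_policy(tpl, "QueuePolicy") or "OK")
```

Running it reports three findings for the broken template (Queues, Resource and the open principal) and none for the fixed one. The check is deliberately shape-based: it accepts a literal URL or ARN as well as the intrinsic functions, matching what the comment above observed, and `as_list` is why a single-value `Resource` and a list are treated the same.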