Hi, it is necessary to know the account so that the policy executes over the right resource. Here is documentation related to IAM and SNS policy management: https://docs.aws.amazon.com/sns/latest/dg/SendMessageToHttp.iam.permissions.html
The idea when you use a policy is to make it as granular as possible, and to do that the policy has to know exactly where the resources are; that is the reason for using the account ID.
Additionally, if you have a case where you use more than one account (which is very common), creating a cross-account policy is also possible when you define the account ID.
I will share with you some tools that you could use to create policies: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-policy.html#examples https://awspolicygen.s3.amazonaws.com/policygen.html
Cool, thanks :) Now I see how it fits together.
I solved it with the policy below, using the topic Arn rather than the account ID:
import { SQSClient, SetQueueAttributesCommand } from "@aws-sdk/client-sqs";
import { SNSClient, SubscribeCommand } from "@aws-sdk/client-sns";

// inside a class method; this.#sqsClient and this.#snsClient are SQSClient / SNSClient instances
let response;
let topicArn = getTopic('topic_name'); // my own function, returns topic Arn
let queue = getQueueUrlAndArn('queue_name'); // my own function, returns { Arn: 'xxxx', Url: 'yyyy' }
// give the topic permission to write to the queue
let policy = {
  "Version": "2012-10-17",
  "Id": "Write_Launch_Queue_Policy",
  "Statement": {
    "Sid": "Write_Launch_Queue_Statement",
    "Effect": "Allow",
    "Principal": { "Service": "sns.amazonaws.com" }, // the SNS service principal, not a user or role
    // condition key names are case-insensitive in IAM; aws:SourceArn is the documented spelling
    "Condition": { "ArnLike": { "aws:SourceArn": topicArn } },
    "Action": "sqs:SendMessage",
    "Resource": queue.Arn
  }
};
// the queue policy is a resource-based policy, set as the queue's Policy attribute (a JSON string)
response = await this.#sqsClient.send(new SetQueueAttributesCommand({ QueueUrl: queue.Url, Attributes: { Policy: JSON.stringify(policy) } }));
// now subscribe the queue to the topic
response = await this.#snsClient.send(new SubscribeCommand({ TopicArn: topicArn, Protocol: 'sqs', Endpoint: queue.Arn, ReturnSubscriptionArn: false }));
From what I can work out, this only gives the specified Topic permission to write to the specified Queue, nice and tight.
All the best,
David
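As an added example (not the poster's code, and not AWS's own policy evaluator), the following builds the same kind of queue policy but pins both aws:SourceArn and aws:SourceAccount, which makes the account-ID granularity from the first answer explicit, and includes a small review check that reports statements a same-named topic in a different account could still satisfy. The ARNs, account IDs, function names and the ArnLike matcher are all constructed here for illustration; the matcher follows IAM's documented rule that each of the six colon-delimited ARN components is compared separately, with * and ? wildcards.

```javascript
// Added example, not the poster's code: build a tight SQS queue policy for
// one SNS topic and review how tight an aws:SourceArn condition really is.
// All ARNs and account IDs below are constructed sample values.

// Build a queue access policy that lets exactly one SNS topic call
// sqs:SendMessage. Two conditions are pinned:
//   - aws:SourceArn: the exact topic ARN, no wildcards,
//   - aws:SourceAccount: the topic's owning account (the account ID).
// ArnEquals and ArnLike behave identically in IAM; ArnEquals just states intent.
function buildQueuePolicy(topicArn, queueArn) {
  const accountId = splitArn(topicArn)[4]; // arn:partition:service:region:account:resource
  return {
    Version: "2012-10-17",
    Id: "Write_Launch_Queue_Policy",
    Statement: [{
      Sid: "Write_Launch_Queue_Statement",
      Effect: "Allow",
      Principal: { Service: "sns.amazonaws.com" },
      Action: "sqs:SendMessage",
      Resource: queueArn,
      Condition: {
        ArnEquals: { "aws:SourceArn": topicArn },
        StringEquals: { "aws:SourceAccount": accountId },
      },
    }],
  };
}

// Split an ARN into its six colon-delimited components; the resource part
// (6th) may itself contain colons, so only the first five colons split.
function splitArn(arn) {
  const parts = arn.split(":");
  return parts.length < 6 ? null : [...parts.slice(0, 5), parts.slice(5).join(":")];
}

// IAM-style ARN matching: each component is compared separately and
// case-sensitively; '*' matches any run of characters, '?' one character.
// Assumption: this mirrors the documented ArnLike rules for review purposes.
function arnLikeMatches(pattern, arn) {
  const p = splitArn(pattern), a = splitArn(arn);
  if (!p || !a) return false;
  return p.every((comp, i) => {
    const re = comp.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
    return new RegExp("^" + re + "$").test(a[i]);
  });
}

// Condition key names are case-insensitive in IAM (so a policy written with
// "aws:sourceArn" is accepted); look keys up the same way.
function getKey(obj, key) {
  const k = Object.keys(obj || {}).find((x) => x.toLowerCase() === key.toLowerCase());
  return k === undefined ? undefined : obj[k];
}

// Review check: Sids of Allow statements that a topic with the same name in a
// different account could also satisfy, i.e. whose source pin is looser than
// it looks or missing entirely.
function overBroadStatements(policy, intendedTopicArn) {
  const intended = splitArn(intendedTopicArn);
  const foreign = [...intended];
  foreign[4] = "999999999999"; // constructed foreign account ID
  const foreignArn = foreign.join(":");
  return [].concat(policy.Statement)
    .filter((s) => s.Effect === "Allow")
    .filter((s) => {
      const cond = s.Condition || {};
      const pins = [].concat(
        getKey(getKey(cond, "ArnLike"), "aws:SourceArn") ??
        getKey(getKey(cond, "ArnEquals"), "aws:SourceArn") ?? []
      );
      const account = getKey(getKey(cond, "StringEquals"), "aws:SourceAccount");
      if (account === intended[4]) return false; // account pin blocks foreign topics
      if (pins.length === 0) return true;        // no source pin: any SNS topic may send
      return pins.some((p) => arnLikeMatches(p, foreignArn));
    })
    .map((s) => s.Sid);
}

// Constructed sample ARNs.
const TOPIC_ARN = "arn:aws:sns:eu-west-1:123456789012:launch_topic";
const QUEUE_ARN = "arn:aws:sqs:eu-west-1:123456789012:launch_queue";

// Tight policy; this object is what goes into SetQueueAttributes as JSON.stringify(tight).
const tight = buildQueuePolicy(TOPIC_ARN, QUEUE_ARN);

// Loose policy: region and account wildcarded in aws:SourceArn, no account pin.
const loose = {
  Version: "2012-10-17",
  Statement: {
    Sid: "Loose",
    Effect: "Allow",
    Principal: { Service: "sns.amazonaws.com" },
    Action: "sqs:SendMessage",
    Resource: QUEUE_ARN,
    Condition: { ArnLike: { "aws:sourceArn": "arn:aws:sns:*:*:launch_topic" } },
  },
};

console.log("tight policy, over-broad statements:", overBroadStatements(tight, TOPIC_ARN)); // []
console.log("loose policy, over-broad statements:", overBroadStatements(loose, TOPIC_ARN)); // ["Loose"]
```

The second condition is cheap insurance: even if someone later loosens the aws:SourceArn pattern with a wildcard, aws:SourceAccount still keeps a topic from another account off the queue, which is the point the first answer makes about the account ID. The check runs offline on the policy object, so it can sit in a unit test before the policy is ever pushed with SetQueueAttributes.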