Search code examples
amazon-web-servicesamazon-sqsamazon-snsdead-letter

AWS SNS Topic Sub: Dead-letter queue (redrive policy) permissions denied

I've got an SNS topic & subscription (actually more than 1) setup to use a SQS DLQ. However each one is telling me I have a policy error.

enter image description here

My SNS subscription has the DLQ set:

enter image description here

My queue exists:

enter image description here

And I have this access policy set on the SQS Queue:

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__owner_statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::1234:root"
      },
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:eu-west-2:1234:AggregateMonitoringDeadLetterQueue"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "sns.amazonaws.com"
      },
      "Action": "SQS:SendMessage",
      "Resource": "arn:aws:sqs:eu-west-2:1234:AggregateMonitoringDeadLetterQueue",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": [
            "arn:aws:sns:eu-west-2:1234:aggregator-state",
            "arn:aws:sns:eu-west-2:1234:rank-state-publication",
            "arn:aws:sns:eu-west-2:1234:rank-state-categorisation"
          ]
        }
      }
    }
  ]
}

I also tried having a really generic access policy on the queue:

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__owner_statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:eu-west-2:1234:AggregateMonitoringDeadLetterQueue"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "sns.amazonaws.com"
      },
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:eu-west-2:1234:AggregateMonitoringDeadLetterQueue",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:sns:eu-west-2:1234:*"
        }
      }
    }
  ]
}

I was following this: https://docs.aws.amazon.com/sns/latest/dg/sns-configure-dead-letter-queue.html (Step 5 explains setting the policy)

Other ref: https://docs.aws.amazon.com/sns/latest/dg/sns-dead-letter-queues.html

I must be doing something wrong, or missing something? I can't get rid of the error.

Solution

  • See this answer which states that despite the error message, failed messages are correctly sent to the DLQ.

    From my side, I can confirm that I received those failed messages in my DLQ which is configured like yours (by following this same doc https://docs.aws.amazon.com/sns/latest/dg/sns-configure-dead-letter-queue.html).