Search code examples
amazon-sqsaws-cdk

aws-cdk: I cannot add access permission to existing SQS

I have a code where I need to grant send messages to an existing sqs queue.

I have this code in the aws-cdk. But this is not working. No access permission get added.

const sqsQ = sqs.Queue.fromQueueArn(this, "some-id", "arn:aws:sqs:us-east-2:SOME-ACCOUNT:QUEUE-NAME");
sqsQ.grantSendMessages(new iam.ServicePrincipal("events.amazonaws.com"));
Solution

  • I don't think it's possible to grant permissions to an existing resource in CDK. Anytime you import a resource into your stack using something like fromQueueArn you can think of this as a read-only reference to the resource.

    In other words, you can only update resources which are managed by your CDK code.

    You have basically 2 options here:

    1. Move the original SQS into your CDK managed stack. You can do this using CloudFormation resource import feature (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import.html)
    2. Modify SQS permissions outside CDK in the place where it was originally defined.