
SQS API: sqs:CreateQueue Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied on `amplify push` using Cloudformation


I'm implementing an SQS FIFO queue. I have to implement it using a CloudFormation template.

When I do amplify push, I get

Error API: sqs:CreateQueue Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied

I've added the SQS policy following the AWS docs. Instead of an account ID, I'm using a service in the "Principal", "sqs.amazonaws.com".

My CloudFormation template looks like:

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "SQS fifo queue",
  "Parameters": {
    "env": {
      "Type": "String"
    }
  },
  "Resources": {
    "QueueExecutionRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": {
          "Fn::Join": [
            "",
            [
              "queue-exec-role-",
              {
                "Ref": "env"
              }
            ]
          ]
        },
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": "sqs.amazonaws.com"
              },
              "Action": ["sts:AssumeRole"]
            }
          ]
        }
      }
    },
    "SQSPolicy": {
      "Type": "AWS::SQS::QueuePolicy",
      "Properties": {
        "Queues": [{ "Ref": "groupingQueue" }],
        "PolicyDocument": {
          "Statement": [
            {
              "Action": ["SQS:SendMessage", "SQS:ReceiveMessage"],
              "Effect": "Allow",
              "Resource": {
                "Fn::GetAtt": ["groupingQueue", "Arn"]
              },
              "Principal": {
                "Service": "sqs.amazonaws.com"
              }
            }
          ]
        }
      }
    },
    "groupingQueue": {
      "Type": "AWS::SQS::Queue",
      "Properties": {
        "FifoQueue": "true",
        "QueueName": {
          "Fn::Join": [
            "",
            [
              "grouping-queue-",
              {
                "Ref": "env"
              },
              ".fifo"
            ]
          ]
        }
      }
    }
  },
  "Outputs": {
    "QueueURL": {
      "Description": "URL of new Amazon SQS Queue",
      "Value": { "Ref": "groupingQueue" }
    },
    "QueueARN": {
      "Description": "ARN of new Amazon SQS Queue",
      "Value": { "Fn::GetAtt": ["groupingQueue", "Arn"] }
    },
    "QueueName": {
      "Description": "Name new Amazon SQS Queue",
      "Value": { "Fn::GetAtt": ["groupingQueue", "QueueName"] }
    }
  }
}

I do not want to give an account ID in "Principal"; that's why I used the SQS service principal.

With this exact template, I get access denied on amplify push -y.


Solution

  • I was doing amplify push from a server. When I pushed it from my local computer, it worked.

    Turns out the AWS profile I set up on the server did not have sqs:CreateQueue permissions, while my local one had administrator access.

    So, I added administrator full access to my server user from the console, ran amplify push again, and it worked smoothly.

    PS: you don't need to give administrator permission; you can just give the sqs:CreateQueue permission. I did it because I was testing.
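The answer's PS is the security-relevant point: the denial came from the identity running amplify push, not from the "Principal" fields inside the template (those only govern who may assume the role or use the queue once they exist). What that deploying identity needs is a policy that covers the actions CloudFormation calls for the template's three resources, scoped to the names the template produces. The following identity policy is an added example written for this page, not something from the original question or answer; <ACCOUNT_ID> is a placeholder, the region us-east-1 is taken from the error message, and it assumes the server's profile already holds the CloudFormation, S3 and other permissions Amplify itself needs, since the only denied call reported was sqs:CreateQueue. The IAM actions are the ones CloudFormation issues to create, update and roll back an AWS::SQS::Queue, an AWS::SQS::QueuePolicy (applied through sqs:SetQueueAttributes) and an AWS::IAM::Role.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageGroupingQueue",
      "Effect": "Allow",
      "Action": [
        "sqs:CreateQueue",
        "sqs:DeleteQueue",
        "sqs:GetQueueAttributes",
        "sqs:SetQueueAttributes",
        "sqs:TagQueue",
        "sqs:UntagQueue"
      ],
      "Resource": "arn:aws:sqs:us-east-1:<ACCOUNT_ID>:grouping-queue-*.fifo"
    },
    {
      "Sid": "ManageQueueExecutionRole",
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:GetRole",
        "iam:UpdateAssumeRolePolicy",
        "iam:TagRole"
      ],
      "Resource": "arn:aws:iam::<ACCOUNT_ID>:role/queue-exec-role-*"
    }
  ]
}
```

Attach this to the IAM user or role behind the server's AWS profile in place of AdministratorAccess. The wildcards match only the env suffix the template's Fn::Join inserts into the queue and role names, so the profile can create and delete grouping queues and their execution role but nothing else; if a later amplify push adds resources to the stack, extend the policy with that resource's actions rather than falling back to a full-access policy.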