A use case arrived recently, where we need to subscribe a SQS queue to a SNS topic running in another AWS account. On the surface this seems like something many people would need to do, and indeed I was able to find an pretty quickly. But the tutorial is all “click this in the SQS console, and do that in the SNS console”. We are strong believers in Infrastructure as Code and having someone do the subscription steps manually is not going to work, especially given that we’ll be repeating this process in many places. official tutorial So here’s what I learnt as I translate the tutorial steps into CloudFormation, and some gotchas I found. First, in the SNS account, you need to add a to give the SQS account permission to call on the relevant topic(s). SNS TopicPolicy sns:Subscribe Then, in the SQS account, you need to create: A to allow the above SNS topic to call against the relevant SQS queue(s). The big here is that, unlike , the SQS action is prefixed with SQS, not the usual ! This might be owing to the fact that SQS is the oldest service in AWS and predates the conventions we know. Nonetheless, it was a difficult problem to track down. SQS QueuePolicy SQS:SendMessage gotcha anywhere else in IAM land sqs Create the in the SQS account. When you create the subscription in the SQS account, you don’t need to explicitly confirm the subscription. If you create the SNS subscription in the SNS account, then a confirm subscription message is sent to the SQS queue first, which you would need to handle to confirm the subscription. SNS Subscription All in all, it was pretty straight forward once I figured out the magic incantation to make it work. Another behaviour difference that I didn’t anticipate was how the SNS Filter Policy affects the structure of the message I would receive in the SQS queue. If I publish the following message to the SNS topic. If Filter Policy is not set on the subscription then the SQS queue would receive a message like this: The SNS message attributes are included as part of the JSON message body. And not in the SQS message attributes. If Filter Policy is set on the SNS subscription, then the SQS queue would receive a message like this instead: And the SNS message attributes are forwarding on as SQS message attributes. Again, this behavioural difference seems pretty random. By filtering what messages I choose to receive I somehow receive messages in a completely different format… Anyhow, I hope you find this useful, and hopefully it saves you half an hour of head scratching! Like what you’re reading, why not check out my with Manning or ? video course hire me In the video course we will cover topics including: authentication & authorization with API Gateway & Cognito testing & running functions locally CI/CD log aggregation monitoring best practices distributed tracing with X-Ray tracking correlation IDs performance & cost optimization error handling config management canary deployment VPC security leading practices for Lambda, Kinesis, and API Gateway You can also get the face price with the code . Hurry though, this discount is only available while we’re in Manning’s Early Access Program (MEAP). 40% off ytcui

Subscribe SQS to a SNS topic in another AWS account with CloudFormation, and gotchas!

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

A simple Event-Sourcing Example Using Lambda and DynamoDB [Includes Snapshots]

The AI-Energy Nexus: How Energy Availability Will Define AI Competitive Advantage

Beyond the Server: Why Cloud Finance is Now the Science of Power Stranding

Active vs Passive Asset Discovery: What You Need to Know

An AI Crew for Automated Diagramming and Documentation

Oilfield IIoT Architecture - To Build or Not To Build - That is the Question

A simple Event-Sourcing Example Using Lambda and DynamoDB [Includes Snapshots]

The AI-Energy Nexus: How Energy Availability Will Define AI Competitive Advantage

Beyond the Server: Why Cloud Finance is Now the Science of Power Stranding

Active vs Passive Asset Discovery: What You Need to Know

An AI Crew for Automated Diagramming and Documentation

Oilfield IIoT Architecture - To Build or Not To Build - That is the Question

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps