(aws-sns): addSubscription() doesn't lead to working subscription
To subscribe an SNS to an SQS, you can write something like
```ts
myTopic.addSubscription(new SqsSubscription(mySqs));
```
and then your messages will disappear.
Reproduction Steps
```ts
// Queue, Topic and SqsSubscription from @aws-cdk/aws-sqs, @aws-cdk/aws-sns and @aws-cdk/aws-sns-subscriptions
const mySqs = new Queue(this, 'MyQ');
const myTopic = new Topic(this, 'MyTopic');
myTopic.addSubscription(new SqsSubscription(mySqs));
```
What did you expect to happen?
Everything necessary to get the SNS publishing messages into the SQS should be handled. Or at least tell me what I need to do in addition to get it working.
What actually happened?
Messages disappeared into the void.
Environment
- CDK CLI Version: 1.78.0
- Framework Version: 1.78.0
- Node.js Version: v14.3.0
- OS: MacOS and CircleCI docker runners
- Language (Version): TypeScript (4.1.3)
Other
For it to actually work, you need
- a CMK used by the SNS (and maybe also the SQS, not sure)
- a policy on the CMK (details below)
- a policy on the SQS (details below)

I'm not sure of the Right Way for cdk to do this. Ideally,
- calling `new SqsSubscription(mySqs)` would validate that the SQS has a policy that looks reasonable and has a CMK
- calling `mySns.addSubscription()` would validate that the SNS involved has a CMK and that it has a reasonable policy
Working code snippet for The Next Person:
```ts
import * as iam from '@aws-cdk/aws-iam';
import * as kms from '@aws-cdk/aws-kms';
import * as sns from '@aws-cdk/aws-sns';
import * as subs from '@aws-cdk/aws-sns-subscriptions';
import * as sqs from '@aws-cdk/aws-sqs';

// Customer managed key shared by the queue and the topic. SNS must be allowed
// to use it, otherwise deliveries to the encrypted queue silently disappear.
const key = new kms.Key(this, 'Key');
key.addToResourcePolicy(
  new iam.PolicyStatement({
    sid: 'Allow SNS to use this key',
    effect: iam.Effect.ALLOW,
    principals: [new iam.ServicePrincipal('sns.amazonaws.com')],
    actions: ['kms:Decrypt', 'kms:GenerateDataKey'],
    resources: ['*'],
  }),
);

const mySqs = new sqs.Queue(this, 'MyQ', {
  encryption: sqs.QueueEncryption.KMS, // CMK, not KMS_MANAGED
  encryptionMasterKey: key,
});
mySqs.addToResourcePolicy(
  new iam.PolicyStatement({
    sid: 'allow sqs actions',
    effect: iam.Effect.ALLOW,
    principals: [new iam.AccountRootPrincipal()],
    actions: ['sqs:*'],
    resources: ['*'],
  }),
);

// Let the topic publish into the queue, restricted to this topic's ARN.
const allowSns = new iam.PolicyStatement({
  sid: 'allow publishing from the sns',
  effect: iam.Effect.ALLOW,
  principals: [new iam.ServicePrincipal('sns.amazonaws.com')],
  actions: ['sqs:SendMessage'],
  resources: ['*'],
});
allowSns.addCondition('ArnLike', {
  // Annoyingly, you can't just ref the ARN. Chicken & egg.
  // Or at least I don't know how to get around the issue without resorting to L1 stuff.
  // props.env and mySnsName come from the surrounding stack (not shown here).
  'aws:SourceArn': `arn:aws:sns:${props.env.region}:${props.env.account}:${mySnsName}`,
});
mySqs.addToResourcePolicy(allowSns);

const myTopic = new sns.Topic(this, 'MyTopic', {
  topicName: mySnsName,
  masterKey: key,
});
myTopic.addSubscription(new subs.SqsSubscription(mySqs));
```
Comments
@ayozemr you must use a CMK and not `sqs.QueueEncryption.KMS_MANAGED` for this. Otherwise you can't grant the SNS permissions necessary to publish to your queue. And yes, that's kind of the point of this bug. At the very least, IMHO, cdk should throw an error if you try to `.addSubscription()` to an encrypted queue without having the CMK, etc set up.

@ahammond thanks for the info, will modify code with that in mind
And yes, throwing an error would help a lot to know what's the problem. Because you end in a situation where events don't reach SQS with no info why.
Thanks again
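The issue body asks for validation that the queue has a CMK with a usable key policy and a reasonable queue policy, and the comment above adds that `KMS_MANAGED` can never work because its key policy is not yours to edit. The following TypeScript is an added example, not code from the CDK project or from the issue author: it runs offline over a synthesized CloudFormation template (the JSON in `cdk.out`) and reports, for every `sqs` subscription, whether the queue policy lets `sns.amazonaws.com` call `sqs:SendMessage` scoped by `aws:SourceArn`, and, when the queue is KMS-encrypted, whether the key is a customer managed key in the same template whose key policy grants SNS `kms:Decrypt` and `kms:GenerateDataKey`. `checkSnsToSqs`, `Finding`, `brokenTemplate` and `fixedTemplate` are names and sample data constructed here; the resource shapes are the standard CloudFormation ones.

```typescript
// Added example (not CDK project code): offline preflight over a synthesized
// CloudFormation template for the SNS -> KMS-encrypted SQS prerequisites
// described in this issue. brokenTemplate / fixedTemplate are constructed.
type Json = any;
export type Template = { Resources: Record<string, Json> };
export interface Finding { resource: string; problem: string }

const SNS = 'sns.amazonaws.com';

function toArray<T>(v: T | T[] | undefined): T[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// Logical id behind { Ref: X } or { 'Fn::GetAtt': [X, attr] }; undefined for literals.
function logicalId(v: Json): string | undefined {
  if (v && typeof v === 'object') {
    if (typeof v.Ref === 'string') return v.Ref;
    if (Array.isArray(v['Fn::GetAtt'])) return v['Fn::GetAtt'][0];
  }
  return undefined;
}

// IAM action matching: '*' is a glob, comparison is case-insensitive.
function actionMatches(pattern: string, action: string): boolean {
  const parts = pattern.split('*').map(s => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + parts.join('.*') + '$', 'i').test(action);
}

// First Allow statement naming `service` as principal that covers every action
// in `needed`. Conditions are reported but not evaluated.
function grantsService(doc: Json, service: string, needed: string[]): Json | undefined {
  return toArray<Json>(doc?.Statement).find(s =>
    s.Effect === 'Allow' &&
    (s.Principal === '*' || toArray<string>(s.Principal?.Service).includes(service)) &&
    needed.every(a => toArray<string>(s.Action).some(p => actionMatches(p, a))));
}

export function checkSnsToSqs(tpl: Template): Finding[] {
  const findings: Finding[] = [];
  const res = tpl.Resources;
  for (const [subId, sub] of Object.entries(res)) {
    if (sub.Type !== 'AWS::SNS::Subscription' || sub.Properties?.Protocol !== 'sqs') continue;
    const queueId = logicalId(sub.Properties.Endpoint);
    const queue = queueId ? res[queueId] : undefined;
    if (!queueId || !queue || queue.Type !== 'AWS::SQS::Queue') {
      findings.push({ resource: subId, problem: 'sqs subscription endpoint is not a queue in this template' });
      continue;
    }
    // 1. Queue policy: SNS may SendMessage, and only on behalf of a named topic.
    const policy = Object.values(res).find(r =>
      r.Type === 'AWS::SQS::QueuePolicy' &&
      toArray<Json>(r.Properties?.Queues).some(q => logicalId(q) === queueId));
    const send = policy && grantsService(policy.Properties?.PolicyDocument, SNS, ['sqs:SendMessage']);
    if (!send) {
      findings.push({ resource: queueId, problem: 'no queue policy allows sns.amazonaws.com sqs:SendMessage' });
    } else if (!send.Condition?.ArnEquals?.['aws:SourceArn'] && !send.Condition?.ArnLike?.['aws:SourceArn']) {
      findings.push({ resource: queueId, problem: 'SNS SendMessage grant lacks an aws:SourceArn condition' });
    }
    // 2. Encrypted queue: SNS must be allowed to use the queue's key.
    const keyRef = queue.Properties?.KmsMasterKeyId;
    if (keyRef === undefined) continue; // unencrypted queue: nothing more to check
    const keyId = logicalId(keyRef);
    const key = keyId ? res[keyId] : undefined;
    if (!keyId || !key || key.Type !== 'AWS::KMS::Key') {
      // e.g. 'alias/aws/sqs' (QueueEncryption.KMS_MANAGED): AWS owns that key policy.
      findings.push({ resource: queueId, problem: `key ${JSON.stringify(keyRef)} is not a customer managed key in this template, so SNS cannot be granted access to it` });
      continue;
    }
    if (!grantsService(key.Properties?.KeyPolicy, SNS, ['kms:Decrypt', 'kms:GenerateDataKey'])) {
      findings.push({ resource: keyId, problem: 'key policy does not allow sns.amazonaws.com kms:Decrypt and kms:GenerateDataKey' });
    }
  }
  return findings;
}

// Constructed sample: queue on the AWS-managed SQS key, queue policy present.
const queuePolicy = { Type: 'AWS::SQS::QueuePolicy', Properties: {
  Queues: [{ Ref: 'MyQ' }],
  PolicyDocument: { Statement: [{
    Effect: 'Allow', Principal: { Service: SNS }, Action: 'sqs:SendMessage',
    Resource: { 'Fn::GetAtt': ['MyQ', 'Arn'] },
    Condition: { ArnEquals: { 'aws:SourceArn': { Ref: 'MyTopic' } } } }] } } };
const subscription = { Type: 'AWS::SNS::Subscription', Properties: {
  Protocol: 'sqs', TopicArn: { Ref: 'MyTopic' }, Endpoint: { 'Fn::GetAtt': ['MyQ', 'Arn'] } } };

export const brokenTemplate: Template = { Resources: {
  MyQ: { Type: 'AWS::SQS::Queue', Properties: { KmsMasterKeyId: 'alias/aws/sqs' } },
  MyQPolicy: queuePolicy, MyTopic: { Type: 'AWS::SNS::Topic' }, Sub: subscription } };

// Same stack with a customer managed key whose policy admits SNS (admin statements omitted).
export const fixedTemplate: Template = { Resources: {
  Key: { Type: 'AWS::KMS::Key', Properties: { KeyPolicy: { Statement: [{
    Effect: 'Allow', Principal: { Service: SNS },
    Action: ['kms:Decrypt', 'kms:GenerateDataKey*'], Resource: '*' }] } } },
  MyQ: { Type: 'AWS::SQS::Queue', Properties: { KmsMasterKeyId: { 'Fn::GetAtt': ['Key', 'Arn'] } } },
  MyQPolicy: queuePolicy, MyTopic: { Type: 'AWS::SNS::Topic' }, Sub: subscription } };

console.log(checkSnsToSqs(brokenTemplate)); // one finding on MyQ; fixedTemplate yields []
```

To use it on a real stack, load `cdk.out/<stack>.template.json` after `cdk synth` and pass the parsed object to `checkSnsToSqs`; a non-empty result is the error the issue wishes `addSubscription()` would raise. The check deliberately stops at the two causes named in this issue (an ungrantable key and a missing SNS grant on the queue or key); it does not evaluate policy conditions or the account-root statements a real key policy also carries.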