IAM: Problems synthesizing a role that can read from an SQS queue
Java code:
Queue queue = new Queue(this, "source-import-queue",
        QueueProps.builder()
                .withQueueName("source-import")
                .build());
Bucket bucket = new Bucket(this, "source-import-bucket",
        BucketProps.builder()
                .withBucketName("source-import")
                .build());
bucket.onObjectCreated(queue);
bucket.addLifecycleRule(LifecycleRule.builder()
        .withExpirationInDays(30)
        .build());
PolicyStatement policyStatement = new PolicyStatement(PolicyStatementEffect.Allow);
policyStatement.addActions("ReceiveMessage", "DeleteMessage", "DeleteMessageBatch");
policyStatement.addResource(queue);
Role role = new Role(this, "source-import-queue-reader",
        RoleProps.builder()
                .withAssumedBy(new AccountPrincipal("12345"))
                .withRoleName("source-import-queue-reader")
                .build());
role.addToPolicy(policyStatement);
Expected Behavior: Create a role with a policy that allows reading from the queue.
Actual Behavior:
Exception in thread "main" software.amazon.jsii.JsiiException: While synthesizing hello-cdk/source-import-queue-reader/DefaultPolicy/Resource: Trying to resolve() a Construct at /policyDocument/Statement/0/Resource
While synthesizing hello-cdk/source-import-queue-reader/DefaultPolicy/Resource: Trying to resolve() a Construct at /policyDocument/Statement/0/Resource
--- resource created at ---
at new Policy (/private/tmp/jsii-kernel-aRMZR8/node_modules/@aws-cdk/aws-iam/lib/policy.js:22:26)
at Role.addToPolicy (/private/tmp/jsii-kernel-aRMZR8/node_modules/@aws-cdk/aws-iam/lib/role.js:39:34)
at _wrapSandboxCode (/private/var/folders/x4/0pn8hl6x4kz135bdrmgdlk7xmh2tn2/T/jsii-java-runtime6462445815484053124/jsii-runtime.js:1:84495)
Issue Analytics
- State:
- Created 5 years ago
- Comments:5 (2 by maintainers)
Top GitHub Comments
Seems unintuitive, since I can do
    bucket.onObjectCreated(queue);
but I guess I understand the distinction.

Yeah, that is the way.

Another unfortunate case of a too broad type declaration?
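
The exception points at /policyDocument/Statement/0/Resource: the statement's resource was the Queue construct itself, where an IAM policy document needs an ARN string. The stack below is an added example, not code from the issue or from the CDK project; it assumes the current aws-cdk-lib v2 Java API rather than the early release the issue used, and the class name QueueReaderStack and the account ID are constructed.

```java
import java.util.List;

import software.amazon.awscdk.App;
import software.amazon.awscdk.Stack;
import software.amazon.awscdk.services.iam.AccountPrincipal;
import software.amazon.awscdk.services.iam.Effect;
import software.amazon.awscdk.services.iam.PolicyStatement;
import software.amazon.awscdk.services.iam.Role;
import software.amazon.awscdk.services.sqs.Queue;
import software.constructs.Construct;

// Hypothetical stack name; mirrors the queue and role from the issue.
public class QueueReaderStack extends Stack {
    public QueueReaderStack(final Construct scope, final String id) {
        super(scope, id);

        Queue queue = Queue.Builder.create(this, "source-import-queue")
                .queueName("source-import")
                .build();

        // Constructed 12-digit placeholder; use the account that should assume the role.
        Role role = Role.Builder.create(this, "source-import-queue-reader")
                .assumedBy(new AccountPrincipal("111122223333"))
                .roleName("source-import-queue-reader")
                .build();

        // Resource is the queue's ARN (a string token resolved at synth time),
        // not the Queue construct, so the policy document can be serialized.
        // Actions carry the "sqs:" service prefix; batch deletes are
        // authorized through sqs:DeleteMessage.
        PolicyStatement readQueue = PolicyStatement.Builder.create()
                .effect(Effect.ALLOW)
                .actions(List.of("sqs:ReceiveMessage", "sqs:DeleteMessage"))
                .resources(List.of(queue.getQueueArn()))
                .build();
        role.addToPolicy(readQueue);
    }

    public static void main(final String[] args) {
        App app = new App();
        new QueueReaderStack(app, "hello-cdk");
        app.synth();
    }
}
```

The built-in `queue.grantConsumeMessages(role)` is an alternative, but it grants a wider action set than the two listed here, so the explicit statement is the tighter choice for a read-and-delete consumer.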