18

Just like in the title. I am trying to integrate an API Gateway method with SQS using CloudFormation. What I am missing is the correct URI for SQS. If any of you have already done that, what should the URI look like?

I came up with something like this, but I have no idea where to put the SQS ARN:

"arn:aws:apigateway:${AWS::Region}:sqs:action/SendMessage"

Here is the full configuration for the method:

```yaml
PostMethod:
    Type: "AWS::ApiGateway::Method"
    Properties:
      ApiKeyRequired: "true"
      HttpMethod: "POST"
      ResourceId: !Ref "SomeResource"
      RestApiId: !Ref "SomeRestApi"
      Integration:
        IntegrationHttpMethod: "POST"
        IntegrationResponses:
        - StatusCode: 200
        Type: "AWS"
        Uri: "arn:aws:apigateway:${AWS::Region}:sqs:action/SendMessage"
```

And here is an example of the URI if you integrate with a Lambda function:

arn:aws:apigateway:us-west-2:lambda:path//2015-03-31/functions/arn:aws:lambda:us-west-2:123412341234:function:function_name/invocations
greg
  • For further reference, I also found this article very useful: https://dzone.com/articles/creating-aws-service-proxy-for-amazon-sqs – J0ANMM Dec 09 '18 at 16:47
  • 1
    As an alternative for invocation, here is the SQS's path URI: `arn:aws:apigateway:AWS_REGION:sqs:path/YOUR_AWS_ID/YOUR_SQS_QUEUE_NAME` – symbiotech Feb 13 '20 at 16:12

2 Answers

16

To answer my own question, here is how you integrate SQS as a Service Proxy in API Gateway:

```yaml
PostMethod:
    Type: "AWS::ApiGateway::Method"
    Properties:
      AuthorizationType: "NONE"
      ApiKeyRequired: "true"
      HttpMethod: "POST"
      ResourceId: !Ref "SomeResource"
      RestApiId: !Ref "RestApi"
      MethodResponses:
      - StatusCode: 200
      Integration:
        Credentials: !GetAtt "RestApiRole.Arn"
        IntegrationHttpMethod: "POST"
        IntegrationResponses:
        - StatusCode: 200
        Type: "AWS"
        Uri: !Sub "arn:aws:apigateway:${AWS::Region}:sqs:action/SendMessage"
        RequestParameters:
          integration.request.querystring.QueueUrl: !Sub "'${SomeQueue}'"
          integration.request.querystring.MessageBody: "method.request.body"
```

I've finally found all the answers to my questions in various documentation. RTFM, I guess.

EDIT:

And here is the code for RestApiRole:

```yaml
RestApiRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Action:
          - "sts:AssumeRole"
          Principal:
            Service:
            - "apigateway.amazonaws.com"
          Effect: "Allow"
      Policies:
      - PolicyName: "InvokeLambda"
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
          - Action:
            - "lambda:InvokeFunction"
            Resource: !GetAtt "LambdaFunction.Arn"
            Effect: "Allow"
```
greg
  • Thanks for this example, it's the closest thing to what I want to do that I can find online. One question I have here is what RestApiRole looks like? In my CloudFormation template, I'm creating the SQS queue to use. Is there a way I can create the role in the template so it has access to that resource? – fantapop May 15 '17 at 07:33
  • @fantapop I've edited my answer with RestApiRole. It is in the same template as API Gateway and SQS. – greg May 15 '17 at 09:39
  • For the _RestApiRole_, if this is _only_ posting to SQS, the lambda Policy is unnecessary, right? – monkut May 31 '19 at 00:28
8

I'm pretty sure the SQS role and policy should look more like this (you seem to have pasted the lambda role instead):

```yaml
SQSRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - apigateway.amazonaws.com
          Action: sts:AssumeRole
    Path: /
# IAM policy applied to the service role.
SQSRolePolicy:
  Type: AWS::IAM::Policy
  DependsOn: [SQSRole]
  Properties:
    PolicyName: send-messages-sqs
    PolicyDocument:
      Statement:
        - Action:
            - sqs:SendMessage
          Resource:
            - !Sub arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:QUEUE_NAME
          Effect: Allow
    Roles: [!Ref SQSRole]
```
joakim
  • Why is `Path: /` included in the role? – Munib Jun 24 '19 at 22:56
  • 1
    @Munib That’s just the path for the role, can be any path you want and is typically used for organisational reasons (keeping things tidy) https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names – joakim Jun 25 '19 at 08:56
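
A static check for the role mismatch discussed in the two answers above, as an added example that is not code from any poster on this page: it derives the IAM action from an action-style integration URI and audits the role passed as `Credentials` against it. The function names, finding labels and resolved sample values are assumptions; path-style URIs are not handled.

```python
from fnmatch import fnmatchcase

def required_action(uri):
    """Map an action-style integration URI to the IAM action it needs."""
    parts = uri.split(":", 5)  # arn, aws, apigateway, region, service, rest
    if len(parts) != 6 or parts[:3] != ["arn", "aws", "apigateway"]:
        raise ValueError("not an API Gateway integration URI")
    kind, _, name = parts[5].partition("/")
    if kind != "action" or not name:
        raise ValueError("only action-style URIs are handled here")
    return f"{parts[4]}:{name}"

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_role(uri, trust_doc, policy_docs):
    """Return findings for the role passed as the integration's Credentials."""
    needed, findings, granted, principals = required_action(uri), [], False, set()
    for st in trust_doc["Statement"]:
        p = st.get("Principal", {})
        for v in (p.values() if isinstance(p, dict) else [p]):
            principals.update(as_list(v))
    if principals != {"apigateway.amazonaws.com"}:
        findings.append(f"trust: unexpected principals {sorted(principals)}")
    for doc in policy_docs:
        for st in doc["Statement"]:
            if st.get("Effect") != "Allow":
                continue
            for action in as_list(st["Action"]):
                if not fnmatchcase(needed.lower(), action.lower()):
                    findings.append(f"excess: {action} is not used by this integration")
                    continue
                granted = True
                if "*" in action:
                    findings.append(f"broad: {action} allows more than {needed}")
            if any("*" in r for r in as_list(st["Resource"])):
                findings.append("broad: wildcard in Resource")
    if not granted:
        findings.append(f"missing: {needed} is not allowed")
    return findings

# Constructed sample data: intrinsics (!Sub, !GetAtt) shown already resolved.
URI = "arn:aws:apigateway:us-west-2:sqs:action/SendMessage"
TRUST = {"Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole"],
                        "Principal": {"Service": ["apigateway.amazonaws.com"]}}]}
LAMBDA_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["lambda:InvokeFunction"],
    "Resource": "arn:aws:lambda:us-west-2:123412341234:function:function_name"}]}
SQS_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["sqs:SendMessage"],
    "Resource": ["arn:aws:sqs:us-west-2:123412341234:QUEUE_NAME"]}]}
```

`audit_role(URI, TRUST, [LAMBDA_POLICY])` returns one `excess` and one `missing` finding, while `audit_role(URI, TRUST, [SQS_POLICY])` returns an empty list.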