
I would like to connect an SQS queue to an SNS topic that is in a different account, using CDK (TypeScript). Below is the code (this code is in a stack) that I think should work, but I have some doubts listed below the code (I have not deployed this yet; I am still trying to learn how to do this first).

    import { Topic, SubscriptionFilter } from '@aws-cdk/aws-sns';
    import { SqsSubscription } from '@aws-cdk/aws-sns-subscriptions';

    // Inside the stack constructor; `queue`, `stackName`, `region` and `accountno`
    // are defined earlier in the stack.
    const topic = Topic.fromTopicArn(
      this,
      `${stackName}-topic`,
      `arn:aws:sns:${region}:${accountno}:SubscriptionChanges`
    );

    // Subscribe the queue, delivering only messages whose `type` attribute is 'filter1'.
    topic.addSubscription(
      new SqsSubscription(queue, {
        filterPolicy: {
          type: SubscriptionFilter.stringFilter({
            whitelist: ['filter1'],
          }),
        },
      })
    );
  • I use fromTopicArn to initiate the topic construct. Am I allowed to do this if I am not the owner of the topic (the topic is defined in a different account so I am trying to do this cross account)?
  • Is there a way to create an SQS subscription without creating the topic variable on the first line above?

I have read the documentation, and there is example code for this, but it only shows how to do this within the same account. Anyone with any experience of this?

Bashar Mengana
  • I don't know CDK but the way you access resources from another AWS account is by using STS. You can create a role in the account you want to access and assume that role from the account you are using to access it. https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html – Ninad Gaikwad Jan 27 '20 at 10:13
  • Yes, that's absolutely a way to, in general, deploy something through AWS. This question is a bit more specific, and related to doing it through CDK, so that documentation doesn't help a bunch, but thanks anyway! – Bashar Mengana Jan 27 '20 at 11:12



So after some research I have some answers.

You are allowed to create a topic construct even if you don't own the topic, and you can connect a queue to it, but you (or more specifically, your account number) have to be granted access by the topic owner.

    import * as sns from '@aws-cdk/aws-sns';
    import * as snsSubs from '@aws-cdk/aws-sns-subscriptions';

    const queue = make_my_queue(); // your own helper that creates the sqs.Queue
    const topic = sns.Topic.fromTopicArn(
      this, // assuming `this` is your Deployment Stack object.
      "myTopicId",
      "arn:aws:sns:eu-west-1:123123123123:MyFriendsGreatSnsTopic");

    // addSubscription takes a single argument; subscription options such as
    // rawMessageDelivery belong in the SqsSubscription props.
    topic.addSubscription(new snsSubs.SqsSubscription(queue, {
      rawMessageDelivery: true // or false if you want
    }));
Josh M.
Bashar Mengana
  • Hi @Bashar Mengana, can you provide more detail on what you did? How is access granted? Can the SQS user use ".addSubscription(topic)" in their code? Do they need to wait until after access is granted to do this? – fileyfood500 Jun 26 '20 at 22:29

Use the policy below on the topic owner's side to grant access across accounts:

    import { PolicyStatement, Effect, AccountPrincipal } from '@aws-cdk/aws-iam';

    // Run in the account that owns the topic; <***> is the subscriber's account id.
    topic.addToResourcePolicy(new PolicyStatement({
        sid: "Allow Access to subscribe",
        effect: Effect.ALLOW,
        principals: [new AccountPrincipal('<***>')],
        actions: [
            "SNS:Subscribe"
        ],
        resources: [
            topic.topicArn
        ]
    }));