
I am running an EC2 instance in account A and have SQS queues in accounts A and B. My application is running on the EC2 instance of account A. The message listener gets the queueUrl and polls the messages from queues which can be in account A or B. Here is the code sample to get the queueUrl, which works fine if we get the queueUrl of an account A queue but fails if we supply an account B SQS queue as the input parameter:

import com.amazonaws.AmazonClientException;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.sqs.AmazonSQS;
import com.amazonaws.services.sqs.AmazonSQSClientBuilder;
import com.amazonaws.services.sqs.model.GetQueueUrlRequest;
import com.amazonaws.services.sqs.model.GetQueueUrlResult;
import com.amazonaws.services.sqs.model.QueueDoesNotExistException;

// Resolves a queue URL by name; queueOwnerAccountId is either this account (A) or the account that owns the queue (B).
public String getQueueUrl(String queueOwnerAccountId, String region, String queueName) throws AwsException {
      try {
        // Credentials come from the EC2 instance role via the default provider chain.
        AmazonSQS sqs = AmazonSQSClientBuilder.standard().withRegion(Regions.fromName(region)).build();
        GetQueueUrlRequest getQueueUrlRequest = new GetQueueUrlRequest(queueName)
                .withQueueOwnerAWSAccountId(queueOwnerAccountId);
        GetQueueUrlResult result = sqs.getQueueUrl(getQueueUrlRequest);
        return result.getQueueUrl();
      } catch (QueueDoesNotExistException e) {
        // SQS reports "does not exist or you do not have access to it" here, so a missing
        // permission on the queue looks the same as a missing queue.
        throwAwsException("With accountId: " + queueOwnerAccountId + ", Queue: " + queueName + " does not exist in region: " + region);
      } catch (AmazonClientException e) {
         throwAwsException("Invalid destination address: " + e.getMessage());
      }
      return null; // not reached when throwAwsException throws
}

I have added a policy (the policy has ARNs for the queues of both accounts) to the IAM role in account A for both accounts' queues. Please let me know if I am missing any settings. Thanks.

    Have you added an Amazon SQS Policy on the SQS Queue in Account B? See: [Basic Examples of Amazon SQS Policies - Amazon Simple Queue Service](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-basic-examples-of-sqs-policies.html) By default, Account A cannot grant permissions to Account B (otherwise you could take over other people's accounts!). However, Amazon SQS has the ability to add a policy to a specific queue that permits access from another Account (much like an Amazon S3 bucket policy). – John Rotenstein Mar 20 '20 at 11:38

1 Answer


I have created a policy in account A for SQS and added the ARN resource (for the queue in Account B) arn:aws:sqs:Region:AccountID_B:QueueName, then attached that policy to a role and attached the same role to the EC2 instance of account A. Right-click on the queue in account B, then click "Add permission". A popup will appear to provide the principal and action. The principal is the AWS account ID that can access this queue (here we can specify the Account A account ID) and the action is the set of permissions (API-level access that is required) for that queue.

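The two halves of the fix described in the answer and in John Rotenstein's comment, as an added example that is not code from the question or the answer: the queue (resource-based) policy to attach in Account B, the IAM policy for the instance role in Account A, and a small check that the queue policy names a single account rather than a wildcard principal or `sqs:*`. Account IDs, region and queue name are constructed placeholders; `apply_queue_policy` expects a boto3 SQS client and calls the real `set_queue_attributes` API, but nothing here contacts AWS on its own.

```python
import json
import re

# Constructed sample identifiers (assumptions, not from the page).
ACCOUNT_A_ID = "111111111111"   # account running the EC2 consumer
ACCOUNT_B_ID = "222222222222"   # account that owns the queue
REGION = "us-east-1"
QUEUE_NAME = "orders-queue"
QUEUE_ARN = f"arn:aws:sqs:{REGION}:{ACCOUNT_B_ID}:{QUEUE_NAME}"

# Least-privilege action set for a poller; GetQueueUrl is the first call the Java code makes.
CONSUMER_ACTIONS = [
    "sqs:GetQueueUrl",
    "sqs:GetQueueAttributes",
    "sqs:ReceiveMessage",
    "sqs:DeleteMessage",
]

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def build_queue_policy(consumer_account_id, queue_arn, actions=CONSUMER_ACTIONS):
    """Queue policy to attach in Account B ("Add permission" in the console).

    Grants one named account, only the listed actions, on one queue.
    """
    if not ACCOUNT_ID_RE.match(consumer_account_id):
        raise ValueError("principal must be a 12-digit AWS account id, never a wildcard")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowConsumerAccountPolling",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{consumer_account_id}:root"},
            "Action": list(actions),
            "Resource": queue_arn,
        }],
    }


def build_role_policy(queue_arns, actions=CONSUMER_ACTIONS):
    """IAM policy for the EC2 instance role in Account A.

    Cross-account access needs both: this policy on the caller's role and the
    queue policy on the queue itself. Either one alone yields "queue does not exist".
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(actions),
            "Resource": list(queue_arns),
        }],
    }


def policy_findings(policy):
    """Return a list of over-broad grants found in a queue policy (empty list = none)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no sid>")
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"{sid}: Principal is '*' (any AWS account can call this queue)")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a in ("*", "sqs:*") for a in actions):
            findings.append(f"{sid}: Action grants every SQS operation")
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if any(r == "*" or r.endswith(":*") for r in resources):
            findings.append(f"{sid}: Resource is a wildcard rather than one queue ARN")
    return findings


def apply_queue_policy(sqs_client, queue_url, policy):
    """Attach the policy to the queue using a boto3 SQS client from Account B."""
    return sqs_client.set_queue_attributes(
        QueueUrl=queue_url,
        Attributes={"Policy": json.dumps(policy)},
    )


if __name__ == "__main__":
    print(json.dumps(build_queue_policy(ACCOUNT_A_ID, QUEUE_ARN), indent=2))
    print(json.dumps(build_role_policy([QUEUE_ARN]), indent=2))
    print(policy_findings(build_queue_policy(ACCOUNT_A_ID, QUEUE_ARN)))
```

The principal is the Account A root ARN, which is what the console's "Add permission" dialog produces when you enter an account ID; that delegates to Account A, whose IAM role policy then decides which identities in that account may actually use the grant.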