
We have our SNS topics in the Singapore region, and from there we want to publish to SQS queues in the AWS China Ningxia region.

We tried to allow access to the queues and topics via their respective policies. But giving the principal as below is not allowed for a China account, it seems (we're not sure).

principal:{"AWS":"1111111"}

Are there any specific changes that need to be done for China? Can anyone help with this?

Prashanna
  • The China region is not connected to the 'global' AWS, so it wouldn't be able to verify the 'global' credentials. I suspect that you'll need to create an IAM User in the China region and use those credentials when calling SNS. You can simply create the SNS client using those credentials, but use the normal 'global' credentials for everything else. – John Rotenstein Sep 05 '21 at 08:51
  • I understand that, but my SNS is in the global account and SQS is in the China region. Will the SQS policy and SNS policy not be sufficient to provide access for a cross-account subscription? – Prashanna Sep 05 '21 at 12:06
  • The China regions are completely separate services. So, if an `aws` IAM entity is referenced in an `aws-cn` policy, it cannot verify the credentials. – John Rotenstein Sep 05 '21 at 21:46

1 Answer


The AWS China account is in a completely separate Region that is not connected to other AWS regions; they are even managed by third-party cloud companies.

You would never be able to see the AWS China regions included in the regions list.

https://www.amazonaws.cn/en/about-aws/china/faqs/

Q: Can I use my Amazon Web Services (China) Account to access other Amazon Web Services global regions?

Customers who wish to use the Amazon Web Services China Regions are required to sign up for a separate set of account credentials to access Amazon Web Services China services. Customers with existing Amazon Web Services, Inc. credentials will not be able to access resources in the Amazon Web Services China Regions, and vice versa. To sign up for a Global Account to access other Amazon Web Services global regions, please visit http://aws.amazon.com/

AWS PS
  • My question was not about being unable to see the China region. I know it is entirely in a separate account, but even if I specify the China account ID in the principal it is not accepting it. So instead of AWS: AccountID, is there something like AWS-CN: AccountID we need to provide? – Prashanna Sep 05 '21 at 12:08
  • Still the answer is no. I updated my answer. – AWS PS Sep 05 '21 at 12:30
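
Following the comments above, which say an `aws` IAM entity referenced in an `aws-cn` policy cannot be verified, this added example (not code from the original posts) lints a queue policy for ARNs whose partition differs from the partition of the statement's `Resource`, and for bare account IDs, which carry no partition at all. The account IDs, the queue and topic names, and the function names are constructed for illustration.

```python
import json
import re

# Constructed sample: Ningxia queue policy naming a global-partition account and topic.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "AllowGlobalAccount", "Effect": "Allow",
   "Principal": {"AWS": ["arn:aws:iam::111111111111:root", "222222222222"]},
   "Action": "sqs:SendMessage",
   "Resource": "arn:aws-cn:sqs:cn-northwest-1:333333333333:example-queue",
   "Condition": {"ArnEquals": {"aws:SourceArn":
       "arn:aws:sns:ap-southeast-1:111111111111:example-topic"}}},
  {"Sid": "SamePartition", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws-cn:iam::333333333333:root"},
   "Action": "sqs:SendMessage",
   "Resource": "arn:aws-cn:sqs:cn-northwest-1:333333333333:example-queue"}
]}
""")

def partition_of(value):
    """Return the partition field of an ARN string, or None if not an ARN."""
    parts = value.split(":")
    return parts[1] if len(parts) >= 6 and parts[0] == "arn" else None

def strings_in(node):
    """Yield every string nested anywhere inside a policy element."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for child in (node.values() if isinstance(node, dict) else node):
            yield from strings_in(child)

def cross_partition_findings(policy):
    """List (sid, element, value, note) for references outside the Resource partition."""
    findings = []
    statements = policy.get("Statement", [])
    for stmt in statements if isinstance(statements, list) else [statements]:
        home = {partition_of(r) for r in strings_in(stmt.get("Resource", []))} - {None}
        if not home:
            continue  # wildcard or missing Resource: no partition to compare against
        for element in ("Principal", "Condition"):
            for value in strings_in(stmt.get(element, {})):
                part = partition_of(value)
                if part and part not in home:
                    findings.append((stmt.get("Sid"), element, value, f"partition {part}"))
                # A bare account ID names no partition, so flag it for manual review.
                elif element == "Principal" and re.fullmatch(r"\d{12}", value):
                    findings.append((stmt.get("Sid"), element, value, "bare account ID"))
    return findings
```

On the constructed sample, `cross_partition_findings(SAMPLE_POLICY)` reports the `aws` principal ARN, the bare account ID, and the `aws` topic ARN in the condition, and nothing for the statement that stays inside `aws-cn`.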