aws-sns: addSubscription() doesn't add necessary policies for messages to be sent #29098

Open
Exter-dg opened this issue Feb 14, 2024 · 2 comments
Labels: @aws-cdk/aws-sns (Related to Amazon Simple Notification Service), bug (This issue is a bug.), effort/medium (Medium work item – several days of effort), p2

Comments


Exter-dg commented Feb 14, 2024

Describe the bug

To subscribe an SNS to an SQS, you can write something like

myTopic.addSubscription(new SqsSubscription(mySqs));

and expect the messages to reach SQS. But this is not happening. On further debugging, I found that the sqs:SendMessage permission is not granted to the SNS.

Expected Behavior

SNS should be granted the required permissions to send messages to SQS.

Current Behavior

Necessary permissions are not added to SNS or SQS

Reproduction Steps

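import { Topic } from 'aws-cdk-lib/aws-sns';
import { SqsSubscription } from 'aws-cdk-lib/aws-sns-subscriptions';
import { Queue } from 'aws-cdk-lib/aws-sqs';
const mySqs = Queue.fromQueueArn(this, 'MyQ', '<QUEUE_ARN>'); // placeholder ARN of the existing queue
const myTopic = new Topic(this, 'MyTopic');
myTopic.addSubscription(new SqsSubscription(mySqs));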

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.123.0

Framework Version

No response

Node.js Version

v16.20.2

OS

Linux/UNIX

Language

TypeScript

Language Version

No response

Other information

Similar to #12120

Exter-dg added the bug and needs-triage labels on Feb 14, 2024
github-actions bot added the @aws-cdk/aws-sns label on Feb 14, 2024
Author

Exter-dg commented Feb 14, 2024

The workaround would be to add this policy manually in the SQS queue. But my SQS queue is being created in another stack. When I add an addToResourcePolicy to my imported SQS queue, cdk diff shows no changes.

Is this expected? Can we not update the policy of existing CDK resources? This seems to convey the same.

Contributor

pahud commented Feb 14, 2024

I think a manual grant would be expected, because addSubscription requires an ITopicSubscription, which could be an existing resource from the same or a different account, and CDK might not be able to access that.

pahud added the p2 and effort/medium labels and removed the needs-triage label on Feb 14, 2024
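The manual grant discussed in this thread, as an added example (not aws-cdk code and not code from any participant): it builds the least-privilege sqs:SendMessage statement to add in the stack that owns the queue, and checks an existing queue policy document for it. The ARNs are constructed placeholders, the function names are hypothetical, and only an ArnEquals condition on aws:SourceArn is inspected.

```typescript
// Added example, not aws-cdk code. ARNs are constructed placeholders.
type Stmt = {
  Effect: string;
  Principal?: { Service?: string | string[] };
  Action: string | string[];
  Resource: string | string[];
  Condition?: Record<string, Record<string, string | string[]>>;
};
type Policy = { Version: string; Statement: Stmt[] };

const asList = (v: string | string[] | undefined): string[] =>
  v === undefined ? [] : Array.isArray(v) ? v : [v];
const has = (xs: string[], x: string): boolean => xs.some((v) => v === x);

// Statement for the queue's resource policy: only the SNS service, only
// SendMessage, and only for messages that originate from this topic.
function snsSendStatement(topicArn: string, queueArn: string): Stmt {
  return {
    Effect: "Allow",
    Principal: { Service: "sns.amazonaws.com" },
    Action: "sqs:SendMessage",
    Resource: queueArn,
    Condition: { ArnEquals: { "aws:SourceArn": topicArn } },
  };
}

// "missing":  no statement lets this topic deliver to the queue.
// "unscoped": SNS may send, but the grant is not pinned to a source topic.
// "ok":       a grant exists and is pinned to this topic.
function checkQueuePolicy(policy: Policy | undefined, topicArn: string, queueArn: string): string {
  let scoped = false;
  for (const s of policy?.Statement ?? []) {
    const allows =
      s.Effect === "Allow" &&
      has(asList(s.Principal?.Service), "sns.amazonaws.com") &&
      asList(s.Action).some((a) => a === "sqs:SendMessage" || a === "sqs:*") &&
      has(asList(s.Resource), queueArn);
    if (!allows) continue;
    const src = asList(s.Condition?.ArnEquals?.["aws:SourceArn"]);
    if (src.length === 0) return "unscoped"; // any topic could write here
    if (has(src, topicArn)) scoped = true;
  }
  return scoped ? "ok" : "missing";
}

const TOPIC = "arn:aws:sns:us-east-1:111111111111:MyTopic"; // constructed
const QUEUE = "arn:aws:sqs:us-east-1:222222222222:MyQ"; // constructed
const fixed: Policy = { Version: "2012-10-17", Statement: [snsSendStatement(TOPIC, QUEUE)] };
console.log(checkQueuePolicy(undefined, TOPIC, QUEUE), checkQueuePolicy(fixed, TOPIC, QUEUE));
```

The policy document passed to the check can be the queue's Policy attribute exported as JSON; a result of "unscoped" means the aws:SourceArn condition should be added before relying on the grant.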