Subscribe an SQS queue to an SNS topic that is in a different account, using AWS CDK (TypeScript)
I would like to connect an SQS queue to an SNS topic that is in a different account, using CDK (TypeScript). Below is the code (this code is in a stack) that I think should work, but I have some doubts, listed below the code (I have not deployed this yet; I am still trying to learn how to do this first).

    import * as cdk from '@aws-cdk/core';
    import * as sqs from '@aws-cdk/aws-sqs';
    import { Topic, SubscriptionFilter } from '@aws-cdk/aws-sns';
    import { SqsSubscription } from '@aws-cdk/aws-sns-subscriptions';

    export class SubscriberStack extends cdk.Stack {
      constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
        super(scope, id, props);

        // Values the question takes from elsewhere in the stack: a name prefix,
        // and the region and account number of the topic owner (placeholders here).
        const stackName = id;
        const region = 'eu-west-1';
        const accountno = '123123123123';

        // The queue in this account that should receive the topic's messages.
        const queue = new sqs.Queue(this, `${stackName}-queue`);

        // Import the other account's topic by ARN; nothing is created in that account.
        const topic = Topic.fromTopicArn(
          this,
          `${stackName}-topic`,
          `arn:aws:sns:${region}:${accountno}:SubscriptionChanges`
        );

        topic.addSubscription(
          new SqsSubscription(queue, {
            filterPolicy: {
              // deliver only messages whose `type` attribute is 'filter1'
              type: SubscriptionFilter.stringFilter({
                whitelist: ['filter1'],
              }),
            },
          })
        );
      }
    }

  • I use fromTopicArn to initiate the topic construct. Am I allowed to do this if I am not the owner of the topic (the topic is defined in a different account, so I am trying to do this cross-account)?
  • Is there a way to create an SQS subscription without creating the topic variable on the first line above?

I have read the documentation, and there is example code for this, but it only shows how to do this within the same account. Does anyone have any experience with this?

Aegaeon answered 27/1, 2020 at 10:3 Comment(2)
I don't know CDK, but the way you access resources from another AWS account is by using STS. You can create a role in the account you want to access and assume that role from the account you are using to access it. docs.aws.amazon.com/IAM/latest/UserGuide/… - Emden
Yes, that's absolutely a way to, in general, deploy something through AWS. This question is a bit more specific and related to doing it through CDK, so that documentation doesn't help a bunch, but thanks anyway! - Aegaeon

So after some research I have some answers.

You are allowed to create a topic construct even if you don't own the topic, and you can connect a queue to it, but you (or more specifically, your account number) have to be granted access by the topic owner.

    import * as sns from '@aws-cdk/aws-sns';
    import * as snsSubs from '@aws-cdk/aws-sns-subscriptions';

    // `make_my_queue()` stands for however you create the sqs.Queue in your own stack.
    const queue = make_my_queue();
    const topic = sns.Topic.fromTopicArn(
      this, // assuming `this` is your Deployment Stack object.
      "myTopicId",
      "arn:aws:sns:eu-west-1:123123123123:MyFriendsGreatSnsTopic");

    topic.addSubscription(new snsSubs.SqsSubscription(queue, {
      rawMessageDelivery: true // or false if you want
    }));

Aegaeon answered 30/1, 2020 at 9:38 Comment(1)
Hi @Bashar Mengana, can you provide more detail on what you did? How is access granted? Can the SQS user use ".addSubscription(topic)" in their code? Do they need to wait until after access is granted to do this? - Hoecake

Use the below for the topic owner to provide cross-account access:

        // This runs in the topic owner's stack, on the Topic construct the owner
        // defines: it is the owner's topic policy that grants the other account access.
        // CDK v1 import; in CDK v2 the same names come from 'aws-cdk-lib/aws-iam'.
        import { PolicyStatement, Effect, AccountPrincipal } from '@aws-cdk/aws-iam';

        topic.addToResourcePolicy(new PolicyStatement({
            sid: "Allow Access to subscribe",
            effect: Effect.ALLOW,
            // the subscribing account's 12-digit account id (redacted in the original answer)
            principals: [new AccountPrincipal('<***>')],
            actions: [
                "SNS:Subscribe"
            ],
            resources: [
                topic.topicArn
            ]
        }))

Xi answered 24/1, 2022 at 10:4 Comment(0)
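
As an added example (not code from this thread or from CDK itself), the two resource policies the second and third answers depend on, written as plain TypeScript with no CDK dependency so the documents can be inspected directly: the topic owner's sns:Subscribe grant from the last answer, narrowed with the sns:Protocol and sns:Endpoint condition keys so the subscriber account can only attach its own SQS queues, and the queue-side statement that SqsSubscription adds for you, with a check that it is pinned to the topic ARN. The account ids, queue name and the narrowing conditions are assumptions for illustration, not values from the thread.

```typescript
type Statement = {
  Sid: string; Effect: 'Allow' | 'Deny';
  Principal: Record<string, string>; Action: string[]; Resource: string;
  Condition?: Record<string, Record<string, string>>;
};
type PolicyDocument = { Version: '2012-10-17'; Statement: Statement[] };

// Topic owner's side (the third answer's grant, narrowed): the subscriber account
// may call sns:Subscribe, but only for SQS endpoints in its own account.
// sns:Protocol and sns:Endpoint are standard SNS condition keys.
function topicPolicyForSubscriber(topicArn: string, subscriberAccount: string): PolicyDocument {
  return { Version: '2012-10-17', Statement: [{
    Sid: 'AllowCrossAccountSubscribe', Effect: 'Allow',
    Principal: { AWS: `arn:aws:iam::${subscriberAccount}:root` },
    Action: ['sns:Subscribe'], Resource: topicArn,
    Condition: {
      StringEquals: { 'sns:Protocol': 'sqs' },
      ArnLike: { 'sns:Endpoint': `arn:aws:sqs:*:${subscriberAccount}:*` },
    },
  }] };
}

// Subscriber's side: the statement SqsSubscription adds to the queue policy,
// letting the SNS service deliver, but only on behalf of this one topic.
function queuePolicyForTopic(queueArn: string, topicArn: string): PolicyDocument {
  return { Version: '2012-10-17', Statement: [{
    Sid: 'AllowTopicToSendMessage', Effect: 'Allow',
    Principal: { Service: 'sns.amazonaws.com' },
    Action: ['sqs:SendMessage'], Resource: queueArn,
    Condition: { ArnEquals: { 'aws:SourceArn': topicArn } },
  }] };
}

// Review check for a queue policy: every Allow of sqs:SendMessage to the SNS
// service must be pinned to the expected topic via aws:SourceArn; without it,
// a topic in any account could deliver into the queue.
function queuePolicyIsScopedTo(doc: PolicyDocument, topicArn: string): boolean {
  return doc.Statement.every((s) =>
    s.Effect !== 'Allow' ||
    s.Principal.Service !== 'sns.amazonaws.com' ||
    !s.Action.includes('sqs:SendMessage') ||
    s.Condition?.ArnEquals?.['aws:SourceArn'] === topicArn);
}

// Constructed sample: the owner's topic from the thread and a queue in a made-up subscriber account.
const TOPIC_ARN = 'arn:aws:sns:eu-west-1:123123123123:MyFriendsGreatSnsTopic';
const QUEUE_ARN = 'arn:aws:sqs:eu-west-1:999999999999:my-subscriber-queue';
```

Both documents are what you would read back from the SNS topic policy and the SQS queue policy after deployment; the check is the review you would run on the subscriber's side before trusting the queue's contents.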
