Sending Amazon SNS messages to an Amazon SQS queue in a different account
This document describes how to publish a notification to an Amazon SNS topic with one or more subscriptions to Amazon SQS queues in another account. You set up the topic and queues the same way you would if they were in the same account (see Fanout to Amazon SQS queues). The major difference is how you handle subscription confirmation, and that depends on how you subscribe the queue to the topic.
It is a best practice to follow the steps referenced in the Queue owner creates subscription section when possible, because confirmation is automatic when the queue owner creates the subscription.
Note
If the Amazon SQS queue has a high volume of messages, we recommend that the queue owner creates the subscription.
Queue owner creates subscription
The account that created the Amazon SQS queue is the queue owner. When the queue owner creates a subscription, the subscription doesn't require confirmation. The queue begins to receive notifications from the topic as soon as the Subscribe action completes. To let the queue owner subscribe to the topic owner's topic, the topic owner must give the queue owner's account permission to call the Subscribe action on the topic.
Step 1: To set the topic policy using the Amazon Web Services Management Console
1. Sign in to the Amazon SNS console.
2. On the navigation panel, choose Topics.
3. Select a topic and then choose Edit.
4. On the Edit MyTopic page, expand the Access policy section.
5. Enter the following policy:
   {
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "AWS": "111122223333"
         },
         "Action": "sns:Subscribe",
         "Resource": "arn:aws-cn:sns:us-east-2:123456789012:MyTopic"
       }
     ]
   }
   This policy gives account 111122223333 permission to call sns:Subscribe on MyTopic in account 123456789012. Granting the permission to the account ID lets the root user of account 111122223333 call sns:Subscribe on the topic directly, and lets that account delegate the permission to its IAM users and roles. Cross-account access requires both sides to allow the action: an IAM user or role in account 111122223333 must also be allowed sns:Subscribe by its own identity-based policy before it can subscribe its queue to the topic.
6. Choose Save changes.
A user with the credentials for account 111122223333 can now subscribe to MyTopic.
Step 2: To add an Amazon SQS queue subscription to a topic in another Amazon Web Services account using the Amazon Web Services Management Console
Before you begin, make sure you have the ARNs for your topic and queue, and that you have given the topic permission to send messages to the queue.
1. Sign in to the Amazon SQS console.
2. On the navigation panel, choose Queues.
3. From the list of queues, choose the queue to subscribe to the Amazon SNS topic.
4. Choose Subscribe to Amazon SNS topic.
5. From the Specify an Amazon SNS topic available for this queue menu, choose the Amazon SNS topic for your queue.
6. If the topic isn't listed in the menu (a topic owned by another account isn't), choose Enter Amazon SNS topic ARN and then enter the topic's Amazon Resource Name (ARN).
7. Choose Save.
Note
- To receive messages from the topic, the queue's access policy must allow Amazon SNS to call sqs:SendMessage on the queue.
- Because you are the owner of the queue, you don't have to confirm the subscription.
A user who does not own the queue creates a subscription
Any user who creates a subscription but isn't the owner of the queue must confirm the subscription. When you use the Subscribe action, Amazon SNS sends a subscription confirmation message to the queue. The subscription is displayed in the Amazon SNS console with its subscription ID set to Pending Confirmation.
To confirm the subscription, a user with permission to read messages from the queue must retrieve the subscription confirmation URL from that message, and the subscription owner must then confirm the subscription using the URL. Until the subscription is confirmed, no notifications published to the topic are sent to the queue. To retrieve the confirmation message from the queue, you can use the Amazon SQS console or the ReceiveMessage action.
Note
Before you subscribe an endpoint to the topic, make sure that the queue can receive messages from the topic by setting the sqs:SendMessage permission for the queue. For more information, see Step 2: Give permission to the Amazon SNS topic to send messages to the Amazon SQS queue.
Step 1: To add an Amazon SQS queue subscription to a topic in another Amazon Web Services account using the Amazon Web Services Management Console
Before you begin, make sure you have the ARNs for your topic and queue, and that you have given the topic permission to send messages to the queue.
1. Sign in to the Amazon SNS console.
2. On the navigation panel, choose Subscriptions.
3. On the Subscriptions page, choose Create subscription.
4. On the Create subscription page, in the Details section, do the following:
   - For Topic ARN, enter the ARN of the topic.
   - For Protocol, choose Amazon SQS.
   - For Endpoint, enter the ARN of the queue.
5. Choose Create subscription.
Note
To receive messages from the topic, the queue's access policy must allow Amazon SNS to call sqs:SendMessage on the queue. The following is an example policy statement that allows the Amazon SNS topic to send a message to the Amazon SQS queue.
{
  "Sid": "Stmt1234",
  "Effect": "Allow",
  "Principal": "*",
  "Action": "sqs:SendMessage",
  "Resource": "arn:aws-cn:sqs:us-west-2:111111111111:QueueName",
  "Condition": {
    "ArnEquals": {
      "aws:SourceArn": "arn:aws-cn:sns:us-west-2:555555555555:TopicName"
    }
  }
}
Because the Principal is "*", the aws:SourceArn condition is the only thing that limits this grant. Without it, any Amazon SNS topic in any account could deliver messages to the queue. Keep the condition pinned to the exact topic ARN (avoid wildcards in the ARN), and, as a further restriction, you can use the Amazon SNS service principal ("Principal": {"Service": "sns.amazonaws.com"}) instead of "*".
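As an added example (not code from the Amazon SNS documentation), the following Python script checks a queue policy for exactly this problem. It takes the statement above plus two constructed variants (the condition removed, and an aws:SourceArn pattern ending in a wildcard) and reports, for every sqs:SendMessage grant that any SNS topic could satisfy, whether the grant is pinned to the one expected topic. It also produces a hardened copy of a statement with the Amazon SNS service principal and an exact aws:SourceArn. The topic ARN used for comparison, the variant policies and the verdict names are assumptions of the example.

```python
"""Audit an Amazon SQS queue policy for sqs:SendMessage grants that any
Amazon SNS topic could use, i.e. grants not pinned to one topic ARN.
Added example, not code from the Amazon SNS documentation. DOC_STATEMENT is
the statement quoted on this page; TOPIC_ARN, the variant policies and the
verdict names are constructed for this example. Standard library only."""
import copy
import json
from fnmatch import fnmatchcase

TOPIC_ARN = "arn:aws-cn:sns:us-west-2:555555555555:TopicName"

# The statement exactly as quoted on this page.
DOC_STATEMENT = json.loads("""
{ "Sid": "Stmt1234", "Effect": "Allow", "Principal": "*",
  "Action": "sqs:SendMessage",
  "Resource": "arn:aws-cn:sqs:us-west-2:111111111111:QueueName",
  "Condition": { "ArnEquals": { "aws:SourceArn":
      "arn:aws-cn:sns:us-west-2:555555555555:TopicName" } } }
""")
DOC_POLICY = {"Statement": [DOC_STATEMENT]}

# Constructed variants: the condition removed, and the condition widened.
OPEN_POLICY = copy.deepcopy(DOC_POLICY)
del OPEN_POLICY["Statement"][0]["Condition"]
WILDCARD_POLICY = copy.deepcopy(DOC_POLICY)
WILDCARD_POLICY["Statement"][0]["Condition"] = {
    "ArnLike": {"aws:SourceArn": "arn:aws-cn:sns:us-west-2:555555555555:*"}}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _reachable_by_any_topic(principal):
    """True if a topic in any account satisfies the Principal: the anonymous
    principal "*" or the Amazon SNS service principal."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return ("*" in _as_list(principal.get("AWS"))
                or "sns.amazonaws.com" in _as_list(principal.get("Service")))
    return False


def _allows_send_message(statement):
    """True if an Allow statement's Action covers sqs:SendMessage (IAM action
    matching is case-insensitive and accepts * and ? wildcards)."""
    if statement.get("Effect") != "Allow":
        return False
    return any(fnmatchcase("sqs:sendmessage", action.lower())
               for action in _as_list(statement.get("Action")))


def _source_arns(statement):
    """Collect aws:SourceArn values from ArnEquals / ArnLike conditions."""
    arns = []
    for operator in ("ArnEquals", "ArnLike"):
        for key, value in statement.get("Condition", {}).get(operator, {}).items():
            if key.lower() == "aws:sourcearn":
                arns.extend(_as_list(value))
    return arns


def check_send_message_grants(policy, expected_topic_arn):
    """Return (Sid, verdict) for each sqs:SendMessage grant that any topic
    could otherwise satisfy. Verdicts: open (no aws:SourceArn condition, every
    SNS topic may deliver), wildcard (aws:SourceArn contains * or ?, so other
    topics match too), mismatch (pinned, but not solely to expected_topic_arn),
    ok (pinned exactly to expected_topic_arn)."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if not (_allows_send_message(stmt)
                and _reachable_by_any_topic(stmt.get("Principal"))):
            continue
        arns = _source_arns(stmt)
        if not arns:
            verdict = "open"
        elif any("*" in arn or "?" in arn for arn in arns):
            verdict = "wildcard"
        elif set(arns) == {expected_topic_arn}:
            verdict = "ok"
        else:
            verdict = "mismatch"
        findings.append((stmt.get("Sid", "<no Sid>"), verdict))
    return findings


def pin_to_topic(statement, topic_arn):
    """Return a hardened copy of a statement: the Amazon SNS service principal
    instead of "*", and an exact aws:SourceArn match on the one topic."""
    hardened = copy.deepcopy(statement)
    hardened["Principal"] = {"Service": "sns.amazonaws.com"}
    hardened["Condition"] = {"ArnEquals": {"aws:SourceArn": topic_arn}}
    return hardened


if __name__ == "__main__":
    for name, policy in (("page", DOC_POLICY), ("open", OPEN_POLICY),
                         ("wildcard", WILDCARD_POLICY)):
        print(name, check_send_message_grants(policy, TOPIC_ARN))
    print(json.dumps(pin_to_topic(OPEN_POLICY["Statement"][0], TOPIC_ARN), indent=2))
```

In practice you would feed check_send_message_grants the Policy attribute returned by the GetQueueAttributes action before subscribing. The checker looks only at Allow statements with Action/Principal (it ignores Deny, NotAction and NotPrincipal), so read an "ok" as a check on the grant itself rather than a full policy evaluation.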
Step 2: To confirm a subscription using the Amazon Web Services Management Console
1. Sign in to the Amazon SQS console.
2. Select the queue that has a pending subscription to the topic.
3. Choose Send and receive messages, and then choose Poll for messages. A message with the subscription confirmation is received in the queue.
4. In the Body column, do the following:
   - Choose More Details.
   - In the Message Details dialog box, find and note the SubscribeURL value. This is your subscription link, for example:
     https://sns.us-west-2.amazonaws.com/?Action=ConfirmSubscription&TopicArn=arn:aws-cn:sns:us-east-2:123456789012:MyTopic&Token=2336412f37fb...
     For additional details on API token validation, see ConfirmSubscription in the Amazon SNS API Reference.
   - Make a note of the subscription confirmation link. The queue owner must pass the URL to the subscription owner, who enters it into the Amazon SNS console. Pass it over a trusted channel: the Token in the URL is all that is needed to confirm the subscription.
5. Sign in to the Amazon SNS console as the subscription owner. The subscription owner performs the confirmation.
6. Choose the relevant topic.
7. In the topic's subscription listings table, choose the relevant subscription. It is labeled Pending confirmation.
8. Choose Confirm subscription.
9. In the modal that appears, paste the subscription confirmation link.
10. Choose Confirm subscription in the modal. An XML response is displayed, for example:
    <ConfirmSubscriptionResponse>
      <ConfirmSubscriptionResult>
        <SubscriptionArn>arn:aws-cn:sns:us-east-2:123456789012:MyTopic:1234a567-bc89-012d-3e45-6fg7h890123i</SubscriptionArn>
      </ConfirmSubscriptionResult>
      <ResponseMetadata>
        <RequestId>abcd1efg-23hi-jkl4-m5no-p67q8rstuvw9</RequestId>
      </ResponseMetadata>
    </ConfirmSubscriptionResponse>
    The subscribed queue is ready to receive messages from the topic.
11. (Optional) If you view the topic subscription in the Amazon SNS console, you can see that the Pending Confirmation message has been replaced by the subscription ARN in the Subscription ID column.
How do I force a subscription to require authentication on unsubscribe requests?
The subscription owner must set the AuthenticateOnUnsubscribe flag to true when confirming the subscription (it is a parameter of the ConfirmSubscription action). When the flag is true, an Unsubscribe request must carry an Amazon Web Services signature, and only the topic owner or the subscription owner can unsubscribe the endpoint. When it is false, an unauthenticated Unsubscribe request for the subscription is accepted; Amazon SNS then delivers a final cancellation message to the endpoint so that its owner can resubscribe if the request was unintended.
- AuthenticateOnUnsubscribe is automatically set to true when the queue owner creates the subscription.
- AuthenticateOnUnsubscribe cannot be set to true when the subscription confirmation link is opened without authentication: the SubscribeURL is an unsigned request, so confirming that way leaves the flag false. To set it, call ConfirmSubscription with the Token and TopicArn from the confirmation message and AuthenticateOnUnsubscribe set to true, using signed credentials (for example, from the Amazon Web Services CLI or an SDK).
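The last two sections in code, as an added example that is not part of the Amazon SNS documentation: the queue owner parses the SubscriptionConfirmation message polled from the queue, checks that it names the expected topic and that its SubscribeURL points at an Amazon SNS endpoint and carries the same Token and TopicArn as the message body, and the subscription owner then confirms through ConfirmSubscription with AuthenticateOnUnsubscribe set to true instead of opening the link. The message body, token, account IDs, ARNs and endpoint hostname are constructed for the example; the functions return the API parameters and the equivalent CLI command rather than calling the service, so the script runs offline.

```python
"""Handle an Amazon SNS SubscriptionConfirmation message read from an Amazon
SQS queue and prepare an authenticated ConfirmSubscription call with
AuthenticateOnUnsubscribe=true.

Added example, not code from the Amazon SNS documentation. The message body,
token, account IDs, ARNs and endpoint are constructed for this example.
Standard library only: the API call is returned as the parameter map (or the
CLI command line) that the subscription owner runs with signed credentials.
"""
import json
import shlex
from urllib.parse import parse_qs, urlsplit

# Constructed topic, token and the body SNS would deliver to the queue.
EXPECTED_TOPIC_ARN = "arn:aws-cn:sns:cn-north-1:123456789012:MyTopic"
TOKEN = "EXAMPLETOKEN0123456789abcdef"
SAMPLE_BODY = json.dumps({
    "Type": "SubscriptionConfirmation",
    "MessageId": "11111111-2222-3333-4444-555555555555",
    "Token": TOKEN,
    "TopicArn": EXPECTED_TOPIC_ARN,
    "Message": "You have chosen to subscribe to the topic " + EXPECTED_TOPIC_ARN,
    "SubscribeURL": ("https://sns.cn-north-1.amazonaws.com.cn/?Action=ConfirmSubscription"
                     f"&TopicArn={EXPECTED_TOPIC_ARN}&Token={TOKEN}"),
    "Timestamp": "2024-01-01T00:00:00.000Z",
    "SignatureVersion": "1",
    "Signature": "constructed-not-verifiable-offline",
    "SigningCertURL": "https://sns.cn-north-1.amazonaws.com.cn/SimpleNotificationService-constructed.pem",
})


def _is_sns_endpoint(url):
    """HTTPS URL whose host is an Amazon SNS regional endpoint."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    return parts.scheme == "https" and host.startswith("sns.") and (
        host.endswith(".amazonaws.com") or host.endswith(".amazonaws.com.cn"))


def parse_confirmation(body_json, expected_topic_arn):
    """Checks the queue owner runs before handing the token to the
    subscription owner. Returns (fields, problems); problems is empty when the
    message is acceptable. Production code should additionally verify the
    message signature against SigningCertURL, which needs network access."""
    body = json.loads(body_json)
    problems = []
    if body.get("Type") != "SubscriptionConfirmation":
        problems.append(f"unexpected Type {body.get('Type')!r}")
    if body.get("TopicArn") != expected_topic_arn:
        problems.append(f"TopicArn {body.get('TopicArn')!r} is not the expected topic")
    url = body.get("SubscribeURL", "")
    if not _is_sns_endpoint(url):
        problems.append(f"SubscribeURL is not an Amazon SNS endpoint: {url!r}")
    query = parse_qs(urlsplit(url).query)
    if (query.get("Token") != [body.get("Token")]
            or query.get("TopicArn") != [body.get("TopicArn")]):
        problems.append("SubscribeURL query disagrees with the Token/TopicArn fields")
    fields = {key: body.get(key) for key in ("Token", "TopicArn", "SubscribeURL")}
    return fields, problems


def link_is_unsigned(subscribe_url):
    """True when the link carries no AWS signature, i.e. opening it confirms
    the subscription anonymously and AuthenticateOnUnsubscribe stays false.
    SNS-generated SubscribeURLs are always unsigned."""
    query = parse_qs(urlsplit(subscribe_url).query)
    return "Signature" not in query and "X-Amz-Signature" not in query


def confirm_subscription_params(fields):
    """Parameters of the ConfirmSubscription call the subscription owner makes
    with its own credentials (boto3: sns.confirm_subscription(**params)).
    AuthenticateOnUnsubscribe is the string "true" in this API."""
    return {"TopicArn": fields["TopicArn"], "Token": fields["Token"],
            "AuthenticateOnUnsubscribe": "true"}


def cli_command(params):
    """The same call as an Amazon Web Services CLI command line."""
    return " ".join(["aws sns confirm-subscription",
                     "--topic-arn", shlex.quote(params["TopicArn"]),
                     "--token", shlex.quote(params["Token"]),
                     "--authenticate-on-unsubscribe", params["AuthenticateOnUnsubscribe"]])


if __name__ == "__main__":
    fields, problems = parse_confirmation(SAMPLE_BODY, EXPECTED_TOPIC_ARN)
    if problems:
        raise SystemExit("refusing to confirm: " + "; ".join(problems))
    print("confirmation link is unsigned:", link_is_unsigned(fields["SubscribeURL"]))
    print(cli_command(confirm_subscription_params(fields)))
```

The queue owner runs parse_confirmation on the message body returned by ReceiveMessage and passes only Token and TopicArn to the subscription owner; the subscription owner runs the printed command (or the boto3 call) under its own credentials, which is the signed request the flag requires. Opening the SubscribeURL in a browser would also confirm the subscription, but as an unsigned request, so AuthenticateOnUnsubscribe would remain false.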