I am running an EC2 instance in account A and have SQS queues in accounts A and B. My application is running on the EC2 instance in account A. The message listener gets the queueUrl and polls messages from queues, which can be in account A or B. Here is the code sample to get the queueUrl; it works fine if we get the queueUrl of a queue in account A, but fails if we supply an account B SQS queue as the input parameter:
    import com.amazonaws.AmazonClientException;
    import com.amazonaws.regions.Regions;
    import com.amazonaws.services.sqs.AmazonSQS;
    import com.amazonaws.services.sqs.AmazonSQSClientBuilder;
    import com.amazonaws.services.sqs.model.GetQueueUrlRequest;
    import com.amazonaws.services.sqs.model.GetQueueUrlResult;
    import com.amazonaws.services.sqs.model.QueueDoesNotExistException;

    // Resolves a queue URL by owner account and name. The client takes its credentials from the
    // default provider chain, i.e. the EC2 instance role in account A.
    public String getQueueUrl(String queueOwnerAccountId, String region, String queueName) throws AwsException {
        try {
            AmazonSQS sqs = AmazonSQSClientBuilder.standard().withRegion(Regions.fromName(region)).build();
            // QueueOwnerAWSAccountId is what allows the lookup of a queue owned by another account.
            GetQueueUrlRequest getQueueUrlRequest = new GetQueueUrlRequest(queueName)
                    .withQueueOwnerAWSAccountId(queueOwnerAccountId);
            GetQueueUrlResult result = sqs.getQueueUrl(getQueueUrlRequest);
            return result.getQueueUrl();
        } catch (QueueDoesNotExistException e) {
            throwAwsException("With accountId: " + queueOwnerAccountId + ", queue " + queueName + " does not exist in region " + region);
        } catch (AmazonClientException e) {
            throwAwsException("Invalid destination address: " + e.getMessage());
        }
        return null; // not reached: throwAwsException (project helper, not shown) always throws AwsException
    }
I have added a policy (the policy has the ARNs of the queues in both accounts) to the IAM role in account A for both accounts' queues. Please let me know if I am missing any settings. Thanks.
I have created a policy in account A for SQS and added the ARN resource (for the queue in account B): arn:aws:sqs:Region:AccountID_B:QueueName. Then I attached that policy to a role, and attached the same role to the EC2 instance of account A.

Right-click on the queue in account B, then click "Add a Permission". A popup will appear asking for the principal and actions. The principal is the AWS account ID that can access this queue (here we can specify account A's account ID), and the actions are the set of permissions (the API-level access that is required) for that queue.
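As an added example (not code from the original post or from AWS), the script below embeds the two policy documents the answer describes, the identity policy on the instance role in account A and the queue policy on the queue in account B, and a deliberately simplified evaluator for the IAM rule that explains the failure in the question: a principal in one account reaching a queue in another is allowed only if both the identity policy and the queue policy allow the call, whereas inside a single account either one is enough. The account IDs, role name and queue names are made up, and the evaluator ignores conditions, NotAction/NotResource and organization policies, so it illustrates the rule rather than replacing the IAM policy simulator.

```python
"""Cross-account SQS access check (added example, not from the original post).

Embeds the two policy documents the answer describes and a deliberately
simplified IAM evaluator for the rule that matters here: a principal in
account A calling a queue in account B is allowed only if BOTH the identity
policy in A and the queue policy in B allow the action; within one account
either policy is enough; an explicit Deny anywhere wins. Conditions,
NotAction/NotResource and service control policies are not modelled.
Account IDs, role and queue names are made up."""
import fnmatch

ACCOUNT_A, ACCOUNT_B = "111111111111", "222222222222"          # made-up IDs
ROLE_A = f"arn:aws:iam::{ACCOUNT_A}:role/ec2-sqs-consumer"      # EC2 instance role (made up)
QUEUE_A = f"arn:aws:sqs:us-east-1:{ACCOUNT_A}:orders"
QUEUE_B = f"arn:aws:sqs:us-east-1:{ACCOUNT_B}:orders"

# Least-privilege action set for a polling consumer; GetQueueUrl is the call that failed.
CONSUMER_ACTIONS = ["sqs:GetQueueUrl", "sqs:GetQueueAttributes", "sqs:ReceiveMessage",
                    "sqs:DeleteMessage", "sqs:ChangeMessageVisibility"]

# Identity-based policy attached to the instance role in account A (what the asker had).
IDENTITY_POLICY_A = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": CONSUMER_ACTIONS, "Resource": [QUEUE_A, QUEUE_B]}]}

# Queue (resource-based) policy to set on the queue in account B (what was missing).
# Naming the role ARN instead of the bare account ID limits the grant to this consumer.
QUEUE_POLICY_B = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE_A}, "Action": CONSUMER_ACTIONS,
     "Resource": QUEUE_B}]}


def _as_list(value):
    return value if isinstance(value, list) else [] if value is None else [value]


def _account_of(arn):
    return arn.split(":")[4]


def _principal_matches(statement, principal_arn):
    """Identity policies have no Principal; queue policies name an ARN, account or '*'."""
    principal = statement.get("Principal")
    if principal is None or principal == "*":
        return True
    acct = _account_of(principal_arn)
    accepted = {"*", principal_arn, acct, f"arn:aws:iam::{acct}:root"}
    return any(entry in accepted for entry in _as_list(principal.get("AWS")))


def _decide(policy, principal_arn, action, resource):
    """Return 'Deny', 'Allow' or None for one policy document."""
    effects = set()
    for stmt in policy.get("Statement", []):
        if (_principal_matches(stmt, principal_arn)
                and any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action")))
                and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource")))):
            effects.add(stmt["Effect"])
    return "Deny" if "Deny" in effects else "Allow" if "Allow" in effects else None


def is_allowed(principal_arn, action, queue_arn, identity_policy, queue_policy=None):
    """Simplified IAM decision for one SQS request (see module docstring)."""
    decisions = [_decide(identity_policy, principal_arn, action, queue_arn)]
    if queue_policy is not None:
        decisions.append(_decide(queue_policy, principal_arn, action, queue_arn))
    if "Deny" in decisions:
        return False
    if _account_of(principal_arn) == _account_of(queue_arn):
        return "Allow" in decisions                     # same account: either side suffices
    return len(decisions) == 2 and all(d == "Allow" for d in decisions)  # cross-account: both


def demo():
    """The scenarios from the question and answer, keyed by name."""
    get_url = "sqs:GetQueueUrl"
    return {
        # Queue in the same account: the identity policy alone works (as the asker saw).
        "queue_a_identity_only": is_allowed(ROLE_A, get_url, QUEUE_A, IDENTITY_POLICY_A),
        # B's queue ARN in A's policy but nothing on B's queue: the failing case.
        "queue_b_identity_only": is_allowed(ROLE_A, get_url, QUEUE_B, IDENTITY_POLICY_A),
        # After the answer's fix: queue policy in B naming the role in A.
        "queue_b_both": is_allowed(ROLE_A, get_url, QUEUE_B, IDENTITY_POLICY_A, QUEUE_POLICY_B),
        # Queue policy alone is equally insufficient across accounts.
        "queue_b_queue_policy_only": is_allowed(ROLE_A, get_url, QUEUE_B, {"Statement": []}, QUEUE_POLICY_B),
        # An action neither side granted stays denied.
        "queue_b_send": is_allowed(ROLE_A, "sqs:SendMessage", QUEUE_B, IDENTITY_POLICY_A, QUEUE_POLICY_B),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:26} {'ALLOW' if ok else 'DENY'}")
```

Two points worth taking from this. First, the "Add a Permission" dialog in the answer grants access to a whole account ID; every IAM principal in account A that also carries a matching identity policy can then read and delete from the queue, so naming the consuming role's ARN as the principal, as QUEUE_POLICY_B does, is the tighter grant. Second, the same document can be applied without the console as the `Policy` queue attribute through SetQueueAttributes, which makes it reviewable in code alongside the identity policy.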