AWS SQS/SNS Wrong queue access policy (broken in last version (1.5.0)) #1335
Comments
@amimimor Sorry for tagging you directly, but probably you can implement a quick fix for it
yaron2 pushed a commit that referenced this issue (Nov 26, 2021):
* bugfix for sns topic deletion upon termination
* removed upstream github workflow files
* Update snssqs.go
* dapr bot schedule
* read and append queue attributes
* unnecessary escaping in json tag
* unexporting structs
@amimimor please comment here with /assign.
sthussey pushed a commit to sthussey/components-contrib that referenced this issue (Dec 8, 2021):
* bugfix for sns topic deletion upon termination
* removed upstream github workflow files
* Update snssqs.go
* dapr bot schedule
* read and append queue attributes
* unnecessary escaping in json tag
* unexporting structs
Signed-off-by: Scott Hussey <sthussey@gmail.com>
@yaron2 we need to re-open this issue as I found and fixed another issue related to the fix (
amimimor added commits to amimimor/components-contrib that referenced this issue (Dec 9, 2021; Dec 10, 2021; Dec 10, 2021), each with the same message:
* bugfix for sns topic deletion upon termination
* removed upstream github workflow files
* Update snssqs.go
* dapr bot schedule
* read and append queue attributes
* unnecessary escaping in json tag
* unexporting structs
Signed-off-by: Amit Mor <amit.mor@hotmail.com>
jigargandhi pushed a commit to jigargandhi/components-contrib that referenced this issue (Dec 12, 2021):
* bugfix for sns topic deletion upon termination
* removed upstream github workflow files
* Update snssqs.go
* dapr bot schedule
* read and append queue attributes
* unnecessary escaping in json tag
* unexporting structs
Signed-off-by: jigargandhi <jigarr.gandhi@gmail.com>
beiwei30 pushed a commit to beiwei30/components-contrib that referenced this issue (Dec 14, 2021):
* bugfix for sns topic deletion upon termination
* removed upstream github workflow files
* Update snssqs.go
* dapr bot schedule
* read and append queue attributes
* unnecessary escaping in json tag
* unexporting structs
Signed-off-by: Ian Luo <ian.luo@gmail.com>
Expected Behavior
When some service is subscribed to many topics, its queue should have an access policy that allows all subscribed topics to publish events to the queue.
Actual Behavior
Currently the generated queue access policy has a condition that only allows one of the topics to publish events to it.
Tested that it is not always the same topic (I assume the last subscribed topic rewrites the policy and restricts access to itself only).
Generated access policy example:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "sns.amazonaws.com"
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:region:XXXXXXXXX:your-service-name",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:sns:region:XXXXXXXXX:lasttopicname"
        }
      }
    }
  ]
}
```
In the previous version of dapr 'Condition' is not specified at all.
Seems to be broken with this commit: e9deaf3
The restrictQueuePublishPolicyToOnlySNS() method should add new sources to the condition, not override the existing ones.
Steps to Reproduce the Problem
Create a test app that subscribes to a few (>1) topics. Run the app with the AWS SQS/SNS component configured for pubsub.
Check that, instead of allowing all subscribed topics to publish to the created queue, the generated queue access policy only allows one of them.
Release Note
RELEASE NOTE:
Fixed bug with SQS/SNS wrong queue access policy
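The behaviour the report asks for (extend the `aws:SourceArn` condition with each newly subscribed topic instead of overwriting it, while keeping the condition so that only subscribed topics can send to the queue) can be illustrated with the following Go program. It is an added example written for this page, not code from dapr/components-contrib; the type names, `AllowTopicToPublish`, `SourceArns` and the ARNs in `main` are all constructed for the illustration, and the JSON shape follows the policy document shown in the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

const (
	snsPrincipal  = "sns.amazonaws.com"
	sendMessage   = "sqs:SendMessage"
	policyVersion = "2012-10-17"
)

// Example model of an SQS queue policy document (not the project's own types).
type policyStatement struct {
	Effect    string                            `json:"Effect"`
	Principal map[string]string                 `json:"Principal"`
	Action    string                            `json:"Action"`
	Resource  string                            `json:"Resource"`
	Condition map[string]map[string]interface{} `json:"Condition,omitempty"`
}

type queuePolicy struct {
	Version   string            `json:"Version"`
	Statement []policyStatement `json:"Statement"`
}

// sourceArnsOf reads aws:SourceArn, which IAM accepts as a string or a list.
func sourceArnsOf(st *policyStatement) []string {
	cond, ok := st.Condition["ArnEquals"]
	if !ok {
		return nil
	}
	switch v := cond["aws:SourceArn"].(type) {
	case string:
		return []string{v}
	case []string:
		return v
	case []interface{}:
		out := make([]string, 0, len(v))
		for _, e := range v {
			if s, ok := e.(string); ok {
				out = append(out, s)
			}
		}
		return out
	}
	return nil
}

// isSNSPublishStatement finds the statement that lets SNS deliver to queueArn.
func isSNSPublishStatement(st *policyStatement, queueArn string) bool {
	return st.Effect == "Allow" && st.Principal["Service"] == snsPrincipal &&
		st.Action == sendMessage && st.Resource == queueArn
}

// AllowTopicToPublish returns policyJSON with topicArn added to the SourceArn
// condition of the SNS publish statement. Existing topics are kept (the bug in
// the report was dropping them) and the condition itself is kept, so topics that
// were never subscribed still cannot send to the queue. "" means no policy yet.
func AllowTopicToPublish(policyJSON, queueArn, topicArn string) (string, error) {
	pol := queuePolicy{Version: policyVersion}
	if policyJSON != "" {
		if err := json.Unmarshal([]byte(policyJSON), &pol); err != nil {
			return "", fmt.Errorf("parse queue policy: %w", err)
		}
	}
	idx := -1
	for i := range pol.Statement {
		if isSNSPublishStatement(&pol.Statement[i], queueArn) {
			idx = i
			break
		}
	}
	if idx == -1 {
		pol.Statement = append(pol.Statement, policyStatement{
			Effect: "Allow", Principal: map[string]string{"Service": snsPrincipal},
			Action: sendMessage, Resource: queueArn,
		})
		idx = len(pol.Statement) - 1
	}
	st := &pol.Statement[idx]
	arns := sourceArnsOf(st)
	seen := map[string]bool{}
	for _, a := range arns {
		seen[a] = true
	}
	if !seen[topicArn] { // idempotent: re-subscribing does not duplicate the ARN
		arns = append(arns, topicArn)
	}
	sort.Strings(arns) // deterministic output keeps policy diffs reviewable
	if st.Condition == nil {
		st.Condition = map[string]map[string]interface{}{}
	}
	if st.Condition["ArnEquals"] == nil {
		st.Condition["ArnEquals"] = map[string]interface{}{}
	}
	st.Condition["ArnEquals"]["aws:SourceArn"] = arns
	out, err := json.MarshalIndent(pol, "", "  ")
	return string(out), err
}

// SourceArns lists the topic ARNs currently allowed to publish to queueArn.
func SourceArns(policyJSON, queueArn string) ([]string, error) {
	var pol queuePolicy
	if err := json.Unmarshal([]byte(policyJSON), &pol); err != nil {
		return nil, err
	}
	for i := range pol.Statement {
		if isSNSPublishStatement(&pol.Statement[i], queueArn) {
			return sourceArnsOf(&pol.Statement[i]), nil
		}
	}
	return nil, nil
}

func main() {
	// Constructed ARNs mirroring the placeholders used in the issue.
	queue := "arn:aws:sqs:region:XXXXXXXXX:your-service-name"
	p, _ := AllowTopicToPublish("", queue, "arn:aws:sns:region:XXXXXXXXX:topic-a")
	p, _ = AllowTopicToPublish(p, queue, "arn:aws:sns:region:XXXXXXXXX:topic-b")
	fmt.Println(p) // both topics appear under aws:SourceArn
}
```

Running the program subscribes the queue to two topics in turn and prints a policy whose single statement carries both topic ARNs in `aws:SourceArn`; the check a reviewer would make on the real component is the same one `SourceArns` performs, reading the policy back after each subscription and confirming earlier topics are still listed.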