Menu
Amazon Simple Notification Service
Developer Guide (API Version 2010-03-31)

Sending Amazon SNS Messages to Amazon SQS Queues

Amazon SNS works closely with Amazon Simple Queue Service (Amazon SQS). Both services provide different benefits for developers. Amazon SNS allows applications to send time-critical messages to multiple subscribers through a “push” mechanism, eliminating the need to periodically check or “poll” for updates. Amazon SQS is a message queue service used by distributed applications to exchange messages through a polling model, and can be used to decouple sending and receiving components—without requiring each component to be concurrently available. By using Amazon SNS and Amazon SQS together, messages can be delivered to applications that require immediate notification of an event, and also persisted in an Amazon SQS queue for other applications to process at a later time.

When you subscribe an Amazon SQS queue to an Amazon SNS topic, you can publish a message to the topic and Amazon SNS sends an Amazon SQS message to the subscribed queue. The Amazon SQS message contains the subject and message that were published to the topic along with metadata about the message in a JSON document. The Amazon SQS message will look similar to the following JSON document.

Copy
{ "Type" : "Notification", "MessageId" : "63a3f6b6-d533-4a47-aef9-fcf5cf758c76", "TopicArn" : "arn:aws:sns:us-west-2:123456789012:MyTopic", "Subject" : "Testing publish to subscribed queues", "Message" : "Hello world!", "Timestamp" : "2012-03-29T05:12:16.901Z", "SignatureVersion" : "1", "Signature" : "EXAMPLEnTrFPa37tnVO0FF9Iau3MGzjlJLRfySEoWz4uZHSj6ycK4ph71Zmdv0NtJ4dC/El9FOGp3VuvchpaTraNHWhhq/OsN1HVz20zxmF9b88R8GtqjfKB5woZZmz87HiM6CYDTo3l7LMwFT4VU7ELtyaBBafhPTg9O5CnKkg=", "SigningCertURL" : "https://sns.us-west-2.amazonaws.com/SimpleNotificationService-f3ecfb7224c7233fe7bb5f59f96de52f.pem", "UnsubscribeURL" : "https://sns.us-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-west-2:123456789012:MyTopic:c7fe3a54-ab0e-4ec2-88e0-db410a0f2bee" }

Note

Instead of following the steps listed below, you can now subscribe an Amazon SQS queue to an Amazon SNS topic using the Amazon SQS console, which simplifies the process. For more information, see Subscribe Queue to Amazon SNS Topic

To enable an Amazon SNS topic to send messages to an Amazon SQS queue, follow these steps:

To learn about how to set up a topic to send messages to a queue that is in a different AWS account, see Sending Amazon SNS messages to an Amazon SQS queue in a different account.

To see an AWS CloudFormation template that creates a topic that sends messages to two queues, see Using an AWS CloudFormation Template to Create a Topic that Sends Messages to Amazon SQS Queues.

Step 1. Get the ARN of the queue and the topic.

When subscribing a queue to your topic, you'll need a copy of the ARN for the queue. Similarly, when giving permission for the topic to send messages to the queue, you'll need a copy of the ARN for the topic.

To get the queue ARN, you can use the Amazon SQS console or the GetQueueAttributes API action.

To get the queue ARN from the Amazon SQS console

  1. Sign in to the AWS Management Console and open the Amazon SQS console at https://console.aws.amazon.com/sqs/.

  2. Select the box for the queue whose ARN you want to get.

  3. From the Details tab, copy the ARN value so that you can use it to subscribe to the Amazon SNS topic.

To get the topic ARN, you can use the Amazon SNS console, the sns-get-topic-attributes command, or the GetQueueAttributes API action.

To get the topic ARN from the Amazon SNS console

  1. Sign in to the AWS Management Console and open the Amazon SNS console at https://console.aws.amazon.com/sns/v2/home.

  2. In the navigation pane, select the topic whose ARN you want to get.

  3. From the Topic Details pane, copy the Topic ARN value so that you can use it to give permission for the Amazon SNS topic to send messages to the queue.

Step 2. Give permission to the Amazon SNS topic to send messages to the Amazon SQS queue

For an Amazon SNS topic to be able to send messages to a queue, you must set a policy on the queue that allows the Amazon SNS topic to perform the sqs:SendMessage action.

Before you subscribe a queue to a topic, you need a topic and a queue. If you haven't already created a topic or queue, create them now. For more information, see Creating a Topic, and see Creating a Queue in the Amazon Simple Queue Service Developer Guide.

To set a policy on a queue, you can use the Amazon SQS console or the SetQueueAttributes API action. Before you start, make sure you have the ARN for the topic that you want to allow to send messages to the queue.

To set a SendMessage policy on a queue using the Amazon SQS console

  1. Sign in to the AWS Management Console and open the Amazon SQS console at https://console.aws.amazon.com/sqs/.

  2. Select the box for the queue whose policy you want to set, click the Permissions tab, and then click Add a Permission.

  3. In the Add a Permission dialog box, select Allow for Effect, select Everybody (*) for Principal, and then select SendMessage from the Actions drop-down.

  4. Add a condition that allows the action for the topic. Click Add Conditions (optional), select ArnEquals for Condition, select aws:SourceArn for Key, and paste in the topic ARN for Value. Click Add Condition. The new condition should appear at the bottom of the box (you may have to scroll down to see this).

  5. Click Add Permission.

If you wanted to create the policy document yourself, you would create a policy like the following. The policy allows MyTopic to send messages to MyQueue.

Copy
{ "Version":"2012-10-17", "Statement":[ { "Sid":"MySQSPolicy001", "Effect":"Allow", "Principal":"*", "Action":"sqs:SendMessage", "Resource":"arn:aws:sqs:us-east-1:123456789012:MyQueue", "Condition":{ "ArnEquals":{ "aws:SourceArn":"arn:aws:sns:us-east-1:123456789012:MyTopic" } } } ] }

Step 3. Subscribe the queue to the Amazon SNS topic

To send messages to a queue through a topic, you must subscribe the queue to the Amazon SNS topic. You specify the queue by its ARN. To subscribe to a topic, you can use the Amazon SNS console, the sns-subscribe command, or the Subscribe API action. Before you start, make sure you have the ARN for the queue that you want to subscribe.

To subscribe a queue to a topic using the Amazon SNS console

  1. Sign in to the AWS Management Console and open the Amazon SNS console at https://console.aws.amazon.com/sns/v2/home.

  2. In the navigation pane, select the topic.

  3. Click Create Subscription, select Amazon SQS for Protocol, paste in the ARN for the queue that you want the topic to send messages to for Endpoint, and click Subscribe.

  4. For the Subscription request received! message, click Close.

    When the subscription is confirmed, your new subscription's Subscription ID displays its subscription ID. If the owner of the queue creates the subscription, the subscription is automatically confirmed and the subscription should be active almost immediately.

    Usually, you'll be subscribing your own queue to your own topic in your own account. However, you can also subscribe a queue from a different account to your topic. If the user who creates the subscription is not the owner of the queue (for example, if a user from account A subscribes a queue from account B to a topic in account A), the subscription must be confirmed. For more information about subscribing a queue from a different account and confirming the subscription, see Sending Amazon SNS messages to an Amazon SQS queue in a different account.

Step 4. Give users permissions to the appropriate topic and queue actions

You should use AWS Identity and Access Management (IAM) to allow only appropriate users to publish to the Amazon SNS topic and to read/delete messages from the Amazon SQS queue. For more information about controlling actions on topics and queues for IAM users, see Controlling User Access to Your AWS Account, and see Controlling User Access to Your AWS Account in the Amazon Simple Queue Service Developer Guide.

There are two ways to control access to a topic or queue:

  • Add a policy to an IAM user or group. The simplest way to give users permissions to topics or queues is to create a group and add the appropriate policy to the group and then add users to that group. It's much easier to add and remove users from a group than to keep track of which policies you set on individual users.

  • Add a policy to topic or queue. If you want to give permissions to a topic or queue to another AWS account, the only way you can do that is by adding a policy that has as its principal the AWS account you want to give permissions to.

You should use the first method for most cases (apply policies to groups and manage permissions for users by adding or removing the appropriate users to the groups). If you need to give permissions to a user in another account, you should use the second method.

Adding a policy to an IAM user or group

If you added the following policy to an IAM user or group, you would give that user or members of that group permission to perform the sns:Publish action on the topic MyTopic.

Copy
{ "Version":"2012-10-17", "Statement":[{ "Sid":"AllowPublishToMyTopic", "Effect":"Allow", "Action":"sns:Publish", "Resource":"arn:aws:sns:us-east-1:123456789012:MyTopic" } ] }

If you added the following policy to an IAM user or group, you would give that user or members of that group permission to perform the sqs:ReceiveMessage and sqs:DeleteMessage actions on the queues MyQueue1 and MyQueue2.

Copy
{ "Version":"2012-10-17", "Statement":[{ "Sid":"AllowReadDeleteMessageOnMyQueue", "Effect":"Allow", "Action":[ "sqs:ReceiveMessage", "sqs:DeleteMessage" ], "Resource":[ "arn:aws:sns:us-east-1:123456789012:MyQueue1", "arn:aws:sns:us-east-1:123456789012:MyQueue2" ], } ] }

Adding a policy to a topic or queue

The following example policies show how to give another account permissions to a topic and queue.

Note

When you give another AWS account access to a resource in your account, you are also giving IAM users who have admin-level access (wildcard access) permissions to that resource. All other IAM users in the other account are automatically denied access to your resource. If you want to give specific IAM users in that AWS account access to your resource, the account or an IAM user with admin-level access must delegate permissions for the resource to those IAM users. For more information about cross-account delegation, see Enabling Cross-Account Access in the Using IAM Guide.

If you added the following policy to a topic MyTopic in account 123456789012, you would give account 111122223333 permission to perform the sns:Publish action on that topic.

Copy
{ "Version":"2012-10-17", "Id":"MyTopicPolicy", "Statement":[{ "Sid":"Allow-publish-to-topic", "Effect":"Allow", "Principal":{ "AWS":"111122223333" }, "Action":"sns:Publish", "Resource":"arn:aws:sns:us-east-1:123456789012:MyTopic" } ] }

If you added the following policy to a queue MyQueue in account 123456789012, you would give account 111122223333 permission to perform the sqs:ReceiveMessage and sqs:DeleteMessage actions on that queue.

Copy
{ "Version":"2012-10-17", "Id":"MyQueuePolicy", "Statement":[ { "Sid":"Allow-Processing-Of-Messages-for-Queue", "Effect":"Allow", "Principal":{ "AWS":"111122223333" }, "Action":[ "sqs:DeleteMessage", "sqs:ReceiveMessage" ], "Resource":[ "arn:aws:sns:us-east-1:123456789012:MyQueue", ] } ] }

Step 5. Test it

You can test a topic's queue subscriptions by publishing to the topic and viewing the message that the topic sends to the queue.

To publish to a topic using the Amazon SNS console

  1. Using the credentials of the AWS account or IAM user with permission to publish to the topic, sign in to the AWS Management Console and open the Amazon SNS console at https://console.aws.amazon.com/sns/.

  2. In the navigation pane, select the topic and click Publish to Topic.

  3. In the Subject box, enter a subject (for example, Testing publish to queue) in the Message box, enter some text (for example, Hello world!), and click Publish Message. The following message appears: Your message has been successfully published.

To view the message from the topic using the Amazon SQS console

  1. Using the credentials of the AWS account or IAM user with permission to view messages in the queue, sign in to the AWS Management Console and open the Amazon SQS console at https://console.aws.amazon.com/sqs/.

  2. Check the box for the queue that is subscribed to the topic.

  3. From the Queue Action drop-down, select View/Delete Messages and click Start Polling for Messages. A message with a type of Notification appears.

  4. In the Body column, click More Details. The Message Details box contains a JSON document that contains the subject and message that you published to the topic. The message looks similar to the following JSON document.

    Copy
    { "Type" : "Notification", "MessageId" : "63a3f6b6-d533-4a47-aef9-fcf5cf758c76", "TopicArn" : "arn:aws:sns:us-west-2:123456789012:MyTopic", "Subject" : "Testing publish to subscribed queues", "Message" : "Hello world!", "Timestamp" : "2012-03-29T05:12:16.901Z", "SignatureVersion" : "1", "Signature" : "EXAMPLEnTrFPa37tnVO0FF9Iau3MGzjlJLRfySEoWz4uZHSj6ycK4ph71Zmdv0NtJ4dC/El9FOGp3VuvchpaTraNHWhhq/OsN1HVz20zxmF9b88R8GtqjfKB5woZZmz87HiM6CYDTo3l7LMwFT4VU7ELtyaBBafhPTg9O5CnKkg=", "SigningCertURL" : "https://sns.us-west-2.amazonaws.com/SimpleNotificationService-f3ecfb7224c7233fe7bb5f59f96de52f.pem", "UnsubscribeURL" : "https://sns.us-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-west-2:123456789012:MyTopic:c7fe3a54-ab0e-4ec2-88e0-db410a0f2bee" }
  5. Click Close. You have successfully published to a topic that sends notification messages to a queue.