InvalidParameterValue cloud config_error ai_generated true

InvalidParameterValue: The redrive policy for queue 'my-queue' is invalid. Reason: The dead-letter queue ARN is not valid.

ID: cloud/aws-sqs-redrive-policy-invalid

Fix Rate: 88%
Confidence: 84%
Evidence: 1
First Seen: 2024-12-01

Version Compatibility

Version | Status | Introduced | Deprecated | Notes
AWS SDK for Python (boto3): 1.34.0 | active | - | - | -
SQS: 2012-11-05 | active | - | - | -
Terraform AWS Provider: 5.70.0 | active | - | - | -

Root Cause

The dead-letter queue ARN specified in the redrive policy does not exist, is in a different region, or the source queue does not have permission to send messages to it.

generic


Official Documentation

https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-dead-letter-queues.html

Workarounds

  1. 95% success Verify the dead-letter queue ARN using AWS CLI: aws sqs get-queue-attributes --queue-url <DLQ_URL> --attribute-names QueueArn. Then update the redrive policy with the correct ARN.
  2. 90% success Attach a resource-based policy to the dead-letter queue allowing the source queue to send messages: aws sqs set-queue-attributes --queue-url <DLQ_URL> --attributes Policy='{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":"*","Action":"sqs:SendMessage","Resource":"<DLQ_ARN>","Condition":{"ArnEquals":{"aws:SourceArn":"<SOURCE_ARN>"}}}]}'
  3. 85% success Ensure both queues are in the same AWS region; if not, create a new dead-letter queue in the same region as the source queue.
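
A pre-flight check for the causes listed above that can be caught offline, before calling SetQueueAttributes: a queue URL used where an ARN is required, a malformed ARN, and a region mismatch. This is an added example, not code from this entry or from AWS; the function name and sample ARNs are constructed, and the account and FIFO/standard checks come from the SQS dead-letter queue rules in the developer guide rather than from this page. It does not check that the queue exists or that permissions are in place, since both need API calls.

```python
import json
import re

# arn:<partition>:sqs:<region>:<12-digit account id>:<queue name>
SQS_ARN = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):sqs:(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d{12}):(?P<name>[A-Za-z0-9_-]+(?:\.fifo)?)$"
)


def check_redrive_policy(source_arn, redrive_policy):
    """Return a list of problems; an empty list means no problem was found."""
    try:
        policy = json.loads(redrive_policy)
    except json.JSONDecodeError as exc:
        return [f"RedrivePolicy is not valid JSON: {exc.msg}"]
    if not isinstance(policy, dict):
        return ["RedrivePolicy must be a JSON object"]

    target = str(policy.get("deadLetterTargetArn", ""))
    if target.startswith(("http://", "https://")):
        return ["deadLetterTargetArn is a queue URL; the policy needs the queue ARN"]
    src, dlq = SQS_ARN.match(source_arn), SQS_ARN.match(target)
    if src is None:
        return ["source queue ARN is not a well-formed SQS ARN"]
    if dlq is None:
        return ["deadLetterTargetArn is not a well-formed SQS ARN"]

    problems = []
    if dlq["region"] != src["region"]:
        problems.append(f"region mismatch: source {src['region']}, DLQ {dlq['region']}")
    if dlq["account"] != src["account"]:
        problems.append("account mismatch between source queue and DLQ")
    if dlq["name"].endswith(".fifo") != src["name"].endswith(".fifo"):
        problems.append("queue type mismatch: FIFO and standard queues cannot be paired")
    return problems


# Constructed sample values (placeholder account id and queue names).
SOURCE = "arn:aws:sqs:us-east-1:123456789012:my-queue"
SAMPLES = {
    "ok": '{"deadLetterTargetArn":"arn:aws:sqs:us-east-1:123456789012:my-queue-dlq","maxReceiveCount":5}',
    "url": '{"deadLetterTargetArn":"https://sqs.us-east-1.amazonaws.com/123456789012/my-queue-dlq","maxReceiveCount":5}',
    "region": '{"deadLetterTargetArn":"arn:aws:sqs:eu-west-1:123456789012:my-queue-dlq","maxReceiveCount":5}',
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(label, check_redrive_policy(SOURCE, sample))
```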


Dead Ends

Common approaches that don't work:

  1. 80% fail

    Recreating queues does not fix the ARN mismatch or permission issue; the new queues have different ARNs unless explicitly specified.

  2. 90% fail

    This only delays the problem; messages still get stuck in the source queue if processing fails repeatedly, and the redrive policy remains invalid.

  3. 95% fail

    The redrive policy requires an ARN, not a URL; using a URL causes the same invalid parameter error.