How do I create an SQS queue in Amazon Web Services to receive Live Events data from Canvas?

To receive data from Canvas you will need to set up and maintain a queue in Amazon Web Services. Additionally, you will need to grant the appropriate permissions for the queue to receive data.

After you set up a queue with the appropriate permissions, you can subscribe to events in Data Services and begin receiving data.

Notes:

  • FIFO queues are not currently supported.
  • When setting up an SQS queue you can enable long polling in a standard queue. Long Polling helps eliminate the number of empty responses and false empty responses. For more information about long polling, please see the Amazon SQS Long Polling documentation.

Open Amazon SQS Console

Open Amazon SQS Console

In the Amazon Web Services console, open the Simple Queue Service (SQS) console by typing the name in the Services field [1]. When Simple Queue Service displays in the list, click the name [2]. 

Create New Queue

Create New Queue

In the Amazon SQS console, click the Create queue button.

Select Standard Queue

Select Standard Queue

In the Type section, select the Standard option.

Note: FIFO Queues are not currently supported.

Enter Queue Name

Enter Queue Name

Enter a name for the queue. The name of the queue must begin with canvas-live-events.

Enter Configuration Details

Enter Configuration Details

Enter the Configuration details. You can enter your preferences for visibility timeout [1], delivery delay [2], receive message wait time [3], message retention period [4], and maximum message size [5].

Enter Access Policy Details

Enter Permission Details

Enter the details for your access policy.

In the Choose method section, select the Basic option [1].

In the Define who can send messages to the queue section, select the Only the specified AWS accounts, IAM users and roles option [2].

In the account ID field, enter the account number 636161780776 [3]. This account number is required for the queue to receive Live Events data.

You can also select who will receive messages in the Define who can receive messages from the queue section [4].

Save Queue

Save Queue

You can add additional details in Encryption settings [1], Dead-letter queue settings [2], and Tags settings [3]. All of these settings are optional.

To create your queue, click the Create queue button  [4].

View Queue Permission

View Queue Permission

In the queue details area, the permission will display in the Permissions tab.

To edit the permission, click the Edit icon [1]. To delete the permission, click the Delete icon [2].

Using SSE setting with your SQS (Optional)

Canvas Live Events service supports SSE enabled on SQS, in order for SSE to be used the following setup needs to be enabled on the customer SQS :

1. Create a CMK or custom key with this policy, which can be generated by following the steps for creating a CMK, and during step 4 (Define Key Usage Permissions), clicking “Add another AWS Account” and entering the Instructure account number 636161780776.

{
 "Id": "key-consolepolicy-3",
 "Version": "2012-10-17",
 "Statement": [
 {
 "Sid": "Enable IAM User Permissions",
 "Effect": "Allow",
 "Principal": {
 "AWS": "arn of the customer account root"
 },
 "Action": "kms:*",
 "Resource": "*"
 },
 {
 "Sid": "Allow access for Key Administrators",
 "Effect": "Allow",
 "Principal": {
 "AWS": "arn of admin user"
 },
 "Action": [
 "kms:Create*",
 "kms:Describe*",
 "kms:Enable*",
 "kms:List*",
 "kms:Put*",
 "kms:Update*",
 "kms:Revoke*",
 "kms:Disable*",
 "kms:Get*",
 "kms:Delete*",
 "kms:TagResource",
 "kms:UntagResource",
 "kms:ScheduleKeyDeletion",
 "kms:CancelKeyDeletion"
 ],
 "Resource": "*"
 },
 {
 "Sid": "Allow use of the key",
 "Effect": "Allow",
 "Principal": {
 "AWS": [
 "arn of admin user",
 "arn:aws:iam::636161780776:root" // instructure account
 ]
 },
 "Action": [
 "kms:Encrypt",
 "kms:Decrypt",
 "kms:ReEncrypt*",
 "kms:GenerateDataKey*",
 "kms:DescribeKey"
 ],
 "Resource": "*"
 },
 {
 "Sid": "Allow attachment of persistent resources",
 "Effect": "Allow",
 "Principal": {
 "AWS": [
 "arn of admin user",
 "arn:aws:iam::636161780776:root" // instructure account
 ]
 },
 "Action": [
 "kms:CreateGrant",
 "kms:ListGrants",
 "kms:RevokeGrant"
 ],
 "Resource": "*",
 "Condition": {
 "Bool": {
 "kms:GrantIsForAWSResource": "true"
 }
 }
 }
 ]
}??????????????????????????????????????????????????????????????????????????????

2. Create an SQS queue, and enable SSE. Provide the ARN of the newly-created CMK.

3. Create a new IAM policy, that grants access to the queue and the key, the policy needs to look exactly like this:

{
 "Version": "2012-10-17",
 "Statement": [{
 "Effect": "Allow",
 "Action": [
 "kms:GenerateDataKey",
 "kms:Decrypt"
 ],
 "Resource": "CMK arn"
 }, {
 "Effect": "Allow",
 "Action": [
 "sqs:SendMessage",
 "sqs:SendMessageBatch"
 ],
 "Resource": "queue arn"
 }]???????????????????????????????????????????????????

4. Create a new IAM user and attach the above policy. Save the access key and secret key, and provide them to us as part of the subscription.