What permissions do I need to access a SQS queue?
First, I would double-check my application configuration to see if it uses the proper SQS name/region/account settings.
Here is an example of what permissions you might need to give to your application to work with your SQS.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sqs:DeleteMessage",
        "sqs:GetQueueUrl",
        "sqs:ListQueues",
        "sqs:ChangeMessageVisibility",
        "sqs:SendMessageBatch",
        "sqs:ReceiveMessage",
        "sqs:SendMessage",
        "sqs:GetQueueAttributes",
        "sqs:ListQueueTags",
        "sqs:ListDeadLetterSourceQueues",
        "sqs:DeleteMessageBatch",
        "sqs:ChangeMessageVisibilityBatch",
        "sqs:SetQueueAttributes"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:sqs:your-region:account-id-number:your-sqs-name"
      ]
    }
  ]
}
This will give read/write access to your application, but not administration access.
The aws command you execute probably uses your local aws configuration credentials and that's why it does not give any error.
I suspect the main reason here is that boto is trying to list the queue first, before it tries to use it at all.
More: Amazon SQS API Permissions: Actions and Resource Reference
Regards.
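An added example (not part of the answer or the question): an offline check of which SQS actions an identity policy allows on a queue ARN, run against the three actions listed in the question. The `NEEDED` list, the account ID in the ARN and the function names are assumptions; `Condition`, `NotAction` and `NotResource` are not evaluated.

```python
import re

def _match(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _as_list(v):
    # "Action" and "Resource" may each be a single string or a list.
    return [v] if isinstance(v, str) else list(v)

def is_allowed(policy, action, resource):
    """True if some Allow statement matches and no Deny statement does."""
    stmts = policy["Statement"]
    allow = False
    for st in [stmts] if isinstance(stmts, dict) else stmts:
        # Action names are case-insensitive, resource ARNs are not.
        hit = (any(_match(a, action, True) for a in _as_list(st["Action"]))
               and any(_match(r, resource) for r in _as_list(st["Resource"])))
        if hit and st["Effect"] == "Deny":
            return False  # an explicit Deny always wins
        allow = allow or (hit and st["Effect"] == "Allow")
    return allow

def missing_actions(policy, needed, resource):
    """Actions from `needed` that the policy does not allow on `resource`."""
    return [a for a in needed if not is_allowed(policy, a, resource)]

# Constructed ARN: region and queue name from the question, placeholder account.
QUEUE_ARN = "arn:aws:sqs:us-west-2:123456789012:my-queue"

# The three actions the question says were granted to the IAM role.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["sqs:ChangeMessageVisibility", "sqs:ReceiveMessage",
                   "sqs:SendMessage"],
        "Resource": [QUEUE_ARN],
    }],
}

# Assumption: a consumer that looks the queue up by name, then reads and deletes.
NEEDED = ["sqs:ListQueues", "sqs:GetQueueUrl",
          "sqs:ReceiveMessage", "sqs:DeleteMessage"]

if __name__ == "__main__":
    print("missing:", missing_actions(ROLE_POLICY, NEEDED, QUEUE_ARN))
```
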
Jason Lee
Updated on September 18, 2022
I am trying to open a SQS queue but I got this error:
2019-07-09 07:20:31,855 pid 3604 tid 800 ERROR connection <?xml version="1.0"?><ErrorResponse xmlns="http://queue.amazonaws.com/doc/2012-11-05/"><Error><Type>Sender</Type><Code>AWS.SimpleQueueService.NonExistentQueue</Code><Message>The specified queue does not exist or you do not have access to it.</Message><Detail/></Error><RequestId>fa3bf29c-d5ad-525a-aa55-a70297d241fa</RequestId></ErrorResponse>
I have verified that the queue name is correct.
Here is the permission I granted to the IAM role:
i.e.
"sqs:ChangeMessageVisibility", "sqs:ReceiveMessage", "sqs:SendMessage",
If I run the following
aws sqs receive-message --queue-url https://sqs.us-west-2.amazonaws.com/12345678/my-queue
It does not throw any exception.
In my code, I use boto to connect to the SQS queue
sqs_conn = boto.sqs.connect_to_region(self.region)
LOG.debug("Getting queue for %s" % queue_name)
return sqs_conn.get_queue(queue_name)
Did I miss any permission to connect to the SQS queue?