What permissions do I need to access a SQS queue?

11,809

First, I would double-check my application configuration to see if it uses the proper SQS name/region/account settings.

Here is an example of what permissions you might need to give your application to work with your SQS queue.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "sqs:DeleteMessage",
                "sqs:GetQueueUrl",
                "sqs:ListQueues",
                "sqs:ChangeMessageVisibility",
                "sqs:SendMessageBatch",
                "sqs:ReceiveMessage",
                "sqs:SendMessage",
                "sqs:GetQueueAttributes",
                "sqs:ListQueueTags",
                "sqs:ListDeadLetterSourceQueues",
                "sqs:DeleteMessageBatch",
                "sqs:ChangeMessageVisibilityBatch",
                "sqs:SetQueueAttributes"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:sqs:your-region:account-id-number:your-sqs-name"
            ]
        }
    ]
}

This will give read/write access to your application, but not administration access.

The aws command you execute probably uses your local AWS configuration credentials, and that's why it does not give any error.

I suspect the main reason here is that boto is trying to list the queue first, before it tries to use it at all.

More: Amazon SQS API Permissions: Actions and Resource Reference

Regards.
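As an added example (not part of the question or the answer above), a small offline evaluator for identity-policy statements of the kind shown: it decides whether an SQS action is allowed on a queue ARN using IAM's explicit-Deny-wins rule and '*' wildcards, and lists which actions a consumer that first resolves the queue URL (boto's get_queue() issues GetQueueUrl) still lacks. The policies and the ARN are constructed placeholders; Condition blocks, NotAction/NotResource and resource-based queue policies are not modelled.

```python
import copy
import fnmatch

# Constructed sample data (placeholder account id and queue name).
QUEUE_ARN = "arn:aws:sqs:us-west-2:123456789012:my-queue"

# The three actions the question's role was granted.
ASKER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["sqs:ChangeMessageVisibility",
                              "sqs:ReceiveMessage", "sqs:SendMessage"],
                   "Resource": QUEUE_ARN}],
}

# Same policy extended with the actions a consumer needs on top of those.
FIXED_POLICY = copy.deepcopy(ASKER_POLICY)
FIXED_POLICY["Statement"][0]["Action"] += ["sqs:GetQueueUrl", "sqs:DeleteMessage"]


def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Identity-policy evaluation: any matching Deny wins, otherwise any
    matching Allow grants, otherwise implicit deny. Action names are
    case-insensitive; '*' and '?' wildcards apply to Action and Resource."""
    allowed = False
    for stmt in policy.get("Statement", []):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def missing_consumer_actions(policy, queue_arn):
    """Actions a boto consumer uses (GetQueueUrl from get_queue(), then
    receive/delete/visibility calls) that the policy does not grant."""
    needed = ["sqs:GetQueueUrl", "sqs:ReceiveMessage",
              "sqs:DeleteMessage", "sqs:ChangeMessageVisibility"]
    return [a for a in needed if not is_allowed(policy, a, queue_arn)]
```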

Author: Jason Lee

Updated on September 18, 2022

Comments

  • Jason Lee (over 1 year ago)

    I am trying to open an SQS queue, but I got this error:

    2019-07-09 07:20:31,855 pid 3604 tid  800 ERROR    connection <?xml version="1.0"?><ErrorResponse xmlns="http://queue.amazonaws.com/doc/2012-11-05/"><Error><Type>Sender</Type><Code>AWS.SimpleQueueService.NonExistentQueue</Code><Message>The specified queue does not exist or you do not have access to it.</Message><Detail/></Error><RequestId>fa3bf29c-d5ad-525a-aa55-a70297d241fa</RequestId></ErrorResponse>

    I have verified that the queue name is correct.

    Here is the permission I granted to the IAM role:

    i.e.

                "sqs:ChangeMessageVisibility",
                "sqs:ReceiveMessage",
                "sqs:SendMessage",
    

    If I run the following

     aws sqs receive-message --queue-url https://sqs.us-west-2.amazonaws.com/12345678/my-queue
    

    It does not throw any exception.

    In my code, I use boto to connect to the SQS queue:

    import boto.sqs  # legacy boto (v2) SQS module

    sqs_conn = boto.sqs.connect_to_region(self.region)
    LOG.debug("Getting queue for %s" % queue_name)
    # get_queue() resolves the name via the GetQueueUrl API action
    return sqs_conn.get_queue(queue_name)

    Did I miss any permission to connect to the SQS queue?