This is quite strange: when I call the list-queues command using the AWS CLI with the attached policy, it does not work unless I set the value of Resource to arn:aws:sqs:*:*:*.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "sqs:*",
      "Resource": "arn:aws:sqs:*:45*****65:local-*"
    }
  ]
}
I expect the command below to return all the queues that start with local-*, but I get AccessDenied.
aws sqs list-queues --queue-name-prefix local-*
But for the same Queue, I am able to get its attributes.
aws sqs get-queue-attributes --queue-url https://us-west-2.queue.amazonaws.com/0****5/local-myqueue --attribute-names All
Do I need to change something in the policy, or is the behavior of list-queues different?
Thanks in Advance.
According to Actions, Resources, and Condition Keys for Amazon SQS - AWS Identity and Access Management, the SQS commands do not accept conditions. Therefore, the ListQueues() command either works completely (showing all matching queues) or does not return anything (due to Access Denied). The only way to limit which queues are returned is to use the queue-name-prefix.
The Resource attribute in the policy will determine upon which queue various commands can run, which is why you are able to get attributes for a queue matching local-*. If you tried to get the details of a queue named public-xxx, it would be denied. (But ListQueues operates on the service, not a particular queue.)
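The following policy is an added illustration of the split the answer describes; it is not part of the answer above. It grants the service-level ListQueues action on Resource "*" (which is what the original single-statement policy lacked) and keeps every queue-level action scoped to the local-* name pattern. ACCOUNT_ID is a placeholder for the account number that is masked in the question, the region us-west-2 is taken from the queue URL in the question, and the narrowed action list replaces sqs:* on the assumption that the caller only needs those operations.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListQueuesIsServiceLevel",
      "Effect": "Allow",
      "Action": "sqs:ListQueues",
      "Resource": "*"
    },
    {
      "Sid": "QueueLevelActionsOnLocalQueuesOnly",
      "Effect": "Allow",
      "Action": [
        "sqs:GetQueueUrl",
        "sqs:GetQueueAttributes",
        "sqs:SendMessage",
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage"
      ],
      "Resource": "arn:aws:sqs:us-west-2:ACCOUNT_ID:local-*"
    }
  ]
}
```

With this policy, aws sqs list-queues --queue-name-prefix local- succeeds (the prefix is a plain string match, so no trailing * is needed), while get-queue-attributes, send-message and the other queue-level calls still fail with AccessDenied for any queue whose name does not start with local-. Note that the first statement lets the caller see the names of every queue in the account and region; the prefix filter is a convenience for the caller, not an authorization boundary, so it does not hide queues outside local-*.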