
Allow AWS SQS queue access across regions

I have an AWS SQS queue with a permissions policy that looks like this:

{
  "Version": "2012-10-17",
  "Id": "arn:aws:sqs:us-east-1:123123123:default_staging/SQSDefaultPolicy",
  "Statement": [
    {
      "Sid": "Sid123123123123",
      "Effect": "Allow",
      "Principal": {
        "AWS": "123123123123"
      },
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:us-east-1:123123123123123:default_staging"
    }
  ]
}

Unfortunately I can't add messages to the default_staging queue from an AWS server of mine in a different region.

I can add messages to default_staging from my other region if I set the permissions policy to be wide open.

How can I adjust my policy to allow the SQS:* action across all my regions?

asked Sep 11 '15 16:09

Jason Swett


1 Answer

Sharing SQS across regions is possible via correct IAM permissions and most importantly the SQS URL that you need to supply to your AWS SDK.

Here you can find more information about Queue and Message Identifiers.

Here's an example of a policy that could be applied to a queue to give an IAM user called SQSUser permissions on that queue:

{
  "Version": "2012-10-17",
  "Id": "arn:aws:sqs:us-east-1:123123123123:default_staging/SQSDefaultPolicy",
  "Statement": [
    {
      "Sid": "Sid89345945989988",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123123123123:user/SQSUser"
      },
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:us-east-1:123123123123:default_staging"
    }
  ]
}

This is the significant part:

      "Principal": {
        "AWS": "arn:aws:iam::123123123123:user/SQSUser"
      },

answered Oct 14 '22 00:10

adamkonrad
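
The two points in the answer above, the queue URL handed to the SDK and the principal in the queue policy, can be checked offline before deploying. The following is an added example, not code from the original question or answer: the helper names (`queue_target`, `lint_queue_policy`, `sample_policy`) are hypothetical, the policies are constructed samples, and the standard `aws` partition is assumed.

```python
import json
import re

# Assumes the standard "aws" partition; AWS account IDs are exactly 12 digits.
QUEUE_ARN = re.compile(r"^arn:aws:sqs:([a-z0-9-]+):(\d+):([A-Za-z0-9_.-]+)$")
IAM_ARN = re.compile(r"^arn:aws:iam::(\d+):.+$")
ACCOUNT = re.compile(r"^\d{12}$")

def as_list(value):  # a policy field may hold one string or a list of strings
    return [value] if isinstance(value, str) else list(value or [])

def queue_target(queue_arn):
    """Return (region, queue_url); the SDK client must be created for that region."""
    m = QUEUE_ARN.match(queue_arn)
    if not m:
        raise ValueError(f"not an SQS queue ARN: {queue_arn!r}")
    region, account, name = m.groups()
    return region, f"https://sqs.{region}.amazonaws.com/{account}/{name}"

def lint_queue_policy(policy_json):
    """Return findings for every Allow statement in a queue policy document."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        for p in as_list(aws):
            m = IAM_ARN.match(p)
            if p == "*":
                findings.append(f"{sid}: principal '*' opens the queue to every AWS account")
            elif not ACCOUNT.match(m.group(1) if m else p):
                findings.append(f"{sid}: principal {p!r} lacks a 12-digit account ID")
        for r in as_list(stmt.get("Resource")):
            m = QUEUE_ARN.match(r)
            if not m or not ACCOUNT.match(m.group(2)):
                findings.append(f"{sid}: resource {r!r} is not a queue ARN with a 12-digit account ID")
    return findings

def sample_policy(principal, resource):  # constructed one-statement policy
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "Sid1", "Effect": "Allow", "Principal": principal,
        "Action": "SQS:*", "Resource": resource}]})

if __name__ == "__main__":
    arn = "arn:aws:sqs:us-east-1:123123123123:default_staging"
    print(queue_target(arn))
    print(lint_queue_policy(sample_policy("*", arn)))
```

With boto3, the returned pair maps onto `boto3.client("sqs", region_name=region)` and `send_message(QueueUrl=url, MessageBody=...)`, so a server in another region still talks to the queue's home region.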