Menu
I am trying to add a policy to an existing iam user that can already perform crud on two s3 buckets here is the currently working policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "devcontrol",
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:Put*",
"s3:DeleteObject",
"s3:DeleteObjectVersion"
],
"Resource": [
"arn:aws:s3:::blahimages/*",
"arn:aws:s3:::blahvideos/*"
]
}
]
}
An example policy from the documents for sqs is this
{
"Version": "2012-10-17",
"Statement":[{
"Effect":"Allow",
"Action":"sqs:*",
"Resource":"arn:aws:sqs:*:123456789012:bob_queue*"
}
]
}
So I tried this
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "devcontrol",
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:Put*",
"s3:DeleteObject",
"s3:DeleteObjectVersion"
],
"Resource": [
"arn:aws:s3:::blahimages/*",
"arn:aws:s3:::blahvideos/*"
]
},
{
"Effect":"Allow",
"Action":"sqs:*",
"Resource":"arn:aws:sqs:*:myarn"
}
]
}
I did not get any parse errors but the simulator was still returning denied for the sqs queue
Also really I just want this user to be able to add messages to the queue, receive them and delete them whereas the above policy would add all actions I believe
258
The default policy allows only the queue owner to send and receive messages. Open the Amazon SQS console at https://console.aws.amazon.com/sqs/ . In the navigation pane, choose Queues. Choose a queue and choose Edit.
Attach a permission policy to a user in another AWS account – To grant user permissions to create an Amazon SQS queue, attach an Amazon SQS permissions policy to a user in another AWS account. Cross-account permissions don't apply to the following actions: AddPermission. CreateQueue.
The aws documentation for SQS says multiple policies could be applied to a single queue; however the cloudformation QueuePolicy does not have explicit mention on whether this is allowed or not.
Amazon SQS (Simple Queue Service) is a fully managed service popular for its message queuing functionality. Developers often send and retrieve messages of various types and sizes asynchronously using this service. Amazon SQS empowers you to keep individual microservices and distributed systems separate from each other.
Your SQS ARN is invalid : "arn:aws:sqs:*:myarn".
You should use arn:aws:sqs:<region name>:<account id>:<queue name> instead. (you're missing the <account id>).
The region name might be replaced by a * if you want your policy to be valid in multiple regions. But the account id is mandatory as Queue names are unique within an AWS Master Account and Region only.
See http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/SQSExamples.html for example of valid SQS policies.
127
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
