Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How do I add permissions on an AWS SQS Queue?

With the following code, I can add a permission using my AWS account number but the queue does not receive any messages from SNS.

AddPermissionRequest addPermissionRequest = new AddPermissionRequest();
addPermissionRequest.ActionName.Add("SendMessage");
addPermissionRequest.ActionName.Add("ReceiveMessage");
addPermissionRequest.QueueUrl = queueUrl;
addPermissionRequest.Label = General.IpAddressAWSFriendly;
addPermissionRequest.AWSAccountId.Add(AWS_ACCOUNT_ID);
sqs.AddPermission(addPermissionRequest);

But, when I try to set the permission via a wildcard (*) for everybody:

addPermissionRequest.AWSAccountId.Add("*");

it gives me an error. If I manually add the permission in the AWS SQS console and specify

SendMessage
ReceiveMessage

for the allowed actions and for the principle, I set it to "everybody", the queue does receive messages from my SNS topic. So, obviously, I'm doing something wrong but I don't see it anymore.

Any help would be great! I wish Amazon would have examples, the example that comes with the SDK does not show anything about setting policies or permissions. Nothing is shown in the online documentation, either. Frustrating.

like image 891
Thomas Jaeger Avatar asked Oct 12 '13 00:10

Thomas Jaeger


People also ask

How do I grant access to SQS?

Attach a permission policy to a user in another AWS account – To grant user permissions to create an Amazon SQS queue, attach an Amazon SQS permissions policy to a user in another AWS account. Cross-account permissions don't apply to the following actions: AddPermission. CreateQueue.

How are messages Access in Amazon SQS?

AWS SQS helps in sending, storing, and receiving messages without the fear of losing them in the process. These messages can store up to 256 KB of data as text in formats such as JSON, XML, etc. All these messages can be retrieved by the applications with the use of AWS SQS API.

Can an SQS queue have multiple policies?

The aws documentation for SQS says multiple policies could be applied to a single queue; however the cloudformation QueuePolicy does not have explicit mention on whether this is allowed or not.


1 Answers

Fortunately, I figured it out myself since I received no responses here. I really wish Amazon would provide better documentation for C# developers on the .Net framework and not just for script kiddies.

Anyways, I ended up creating a full blown Policy object and passed that to the SQS. I used the AWS SDK v1.5 version and not the newer 2.0 (in beta right now) simply because it works for now and I was too lazy to change it to the newer 2.0 version.

Here is the bit of code you will need to programmatically create a policy in C# for an SQS Queue with a condition to only use that queue with an SNS topic:

        // 4. Set the queue policy to allow SNS to publish messages
        ActionIdentifier[] actions = new ActionIdentifier[2];
        actions[0] = SQSActionIdentifiers.SendMessage;
        actions[1] = SQSActionIdentifiers.ReceiveMessage;
        Policy sqsPolicy = new Policy()
            .WithStatements(new Statement(Statement.StatementEffect.Allow)
                                .WithPrincipals(Principal.AllUsers)
                                .WithResources(new Resource(queueArn))
                                .WithConditions(ConditionFactory.NewSourceArnCondition(_AWSSNSArn))
                                .WithActionIdentifiers(actions));
        SetQueueAttributesRequest setQueueAttributesRequest = new SetQueueAttributesRequest();
        List<Amazon.SQS.Model.Attribute> attributes = new List<Amazon.SQS.Model.Attribute>();
        Amazon.SQS.Model.Attribute attribute = new Amazon.SQS.Model.Attribute();
        attribute.Name = "Policy";
        attribute.Value = sqsPolicy.ToJson();
        attributes.Add(attribute);
        setQueueAttributesRequest.QueueUrl = queueUrl;
        setQueueAttributesRequest.Attribute = attributes;
        sqs.SetQueueAttributes(setQueueAttributesRequest);

I hope this helps someone.

like image 95
Thomas Jaeger Avatar answered Sep 29 '22 09:09

Thomas Jaeger