Access denied to read SQS queue just created
I've been trying to get Amazon SQS working with the v3 JS client. I've gotten to the point where I can successfully create a queue using the frontend, but the issue starts when I try and send/receive on that queue.
The exception I'm seeing is:
Access to the resource https://sqs.<region>.amazonaws.com/ is denied.
Here is essentially what the code is:
this.sqs = new SQSClient({
region: <region>,
credentials: this.creds
});
const createQueue = new CreateQueueCommand({
QueueName: `myqueue.fifo`,
Attributes: {
FifoQueue: 'true',
ContentBasedDeduplication: 'true'
},
tags: this.amazonService.getResourceTags()
})
const queueUrlJson = await this.sqs.send(createQueue);
const receiveMessages = new ReceiveMessageCommand({
MaxNumberOfMessages: 10,
QueueUrl: queueUrlJson.QueueUrl,
VisibilityTimeout: 5,
WaitTimeSeconds: 5
});
const messages = await this.sqs.send(receiveMessages);
The createQueue command succeeds, but the receiveMessages command fails. The relevant IAM policy has a wildcard on sqs:* with restrictions related to aws:ResourceTags. I'm confused as to why one operation is allowed, which would mean the tags matched, while the other is denied.
1 answer
The following users marked this post as Works for me:
| User | Comment | Date |
|---|---|---|
| Darvids0n | (no comment) | Apr 21, 2022 at 06:31 |
OK, I found the issue. It was to do with the tags. It seems that you can't have a Condition based on ResourceTags for the ReceiveMessage and SendMessage operations - the ResourceTag selector may only apply to the message objects at that point.
I wonder if there is a way to do what I intended though, which is to only allow sending and receiving messages on queues with specific tag values.
1 comment thread
0 comment threads