SupaCoco

Reputation: 1665

Access denied to SQS via AWS SDK

I'm currently working on a website developed with Symfony2 and I need to send messages to Amazon SQS. To do that, I added the following to my composer.json:

"aws/aws-sdk-php": "2.4.*"

Then, when I try to create a queue or list queues, I get a 403 error saying:

Access to the resource https://sqs.us-west-2.amazonaws.com/ is denied.

EDIT: added the full error message

AWS Error Code: AccessDenied, Status Code: 403, AWS Request ID: 2fe34c11-7af8-5445-a768-070159a0953e, AWS Error Type: client, AWS Error Message: Access to the resource https://sqs.us-west-2.amazonaws.com/ is denied., User-Agent: aws-sdk-php2/2.4.11 Guzzle/3.7.4 curl/7.25.0 PHP/5.4.3

Here is a sample of the code I use:

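// At the top of the controller file
use Aws\Common\Aws;
use Symfony\Component\HttpFoundation\Response;

// Build the SDK service locator with static credentials and a region
$aws = Aws::factory(array(
  'key'    => 'my-key',
  'secret' => 'my-secret',
  'region' => 'us-west-2'
));

$sqs = $aws->get('sqs');

// var_dump() prints directly and returns nothing, so render the result as a string
return new Response(print_r($sqs->listQueues()->toArray(), true));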

What am I doing wrong to get this error?

Upvotes: 49

Views: 115128

Answers (3)

Kunal Rajput

Reputation: 784

I had the same strange issue. I had everything set up, including policies and permissions. After a couple of hours I found out I was getting the 403 error because the wrong AWS region was configured in my application: it was supposed to be ap-south-1, but by default it was us-east-1.

Upvotes: 2

srgsanky

Reputation: 765

Make sure that both of the following policies allow access to the SQS queue:

  1. Resource (SQS) based policy: The SQS queue should allow your identity to use the queue. You define this using the queue policy (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-sqs-policy). The default queue policy will allow access only to the owner of the queue (owner of the queue is the identity that created the queue).
  2. Identity based policies: The policy for the identity that is accessing the queue should have permission to invoke operations on the queue.

Make sure that the access is not restricted by either one of them.

https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-using-identity-based-policies.html

Upvotes: 16

SupaCoco

Reputation: 1665

After digging, I discovered that the account I was using hadn't been granted access to the SQS service.

To give an account SQS access, you have to go to the Amazon management console. Then click on IAM. Under this section click on Users, and then you can manage permissions for each account you created.

Upvotes: 80
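
An added example, not part of any answer above: a simplified offline evaluator for an identity-based policy, showing that the calls from the question are denied when the user has no SQS statement, and that a Resource ARN scoped to one region denies the same calls made against another region. The policy, the account ID 111122223333, the queue name orders-web and the function names are constructed for illustration; Condition keys, NotAction/NotResource, queue policies, SCPs and permission boundaries are not modelled.

```python
import re

def _match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def evaluate(policy, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request (simplified)."""
    decision = "ImplicitDeny"          # nothing matched: denied by default
    for stmt in _as_list(policy["Statement"]):
        hit = (any(_match(a, action, True) for a in _as_list(stmt["Action"]))
               and any(_match(r, resource) for r in _as_list(stmt["Resource"])))
        if not hit:
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"              # an explicit deny always wins
        decision = "Allow"
    return decision

# Constructed identity policy: account ID and queue prefix are placeholders.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sqs:ListQueues", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["sqs:CreateQueue", "sqs:SendMessage"],
         "Resource": "arn:aws:sqs:us-west-2:111122223333:orders-*"},
    ],
}

def check(policy, region, account="111122223333", queue="orders-web"):
    """Evaluate the calls the application makes against one region."""
    arn = f"arn:aws:sqs:{region}:{account}:{queue}"
    return {
        # Assumption: ListQueues is not tied to one queue, so it is modelled as "*"
        "sqs:ListQueues": evaluate(policy, "sqs:ListQueues", "*"),
        "sqs:CreateQueue": evaluate(policy, "sqs:CreateQueue", arn),
        "sqs:SendMessage": evaluate(policy, "sqs:SendMessage", arn),
    }

if __name__ == "__main__":
    for region in ("us-west-2", "us-east-1"):
        print(region, check(POLICY, region))
    print("no SQS statements:", check({"Version": "2012-10-17", "Statement": []}, "us-west-2"))
```

Running the same check against the policy actually attached to the user, before deploying, shows which call and which region would come back as AccessDenied.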
