Reputation: 8445
I have a policy for an IAM user that was created for sending and receiving messages from a specific SQS queue. When using the AWS CLI and issuing the list-queues command I get the error:
An error occurred (AccessDenied) when calling the ListQueues operation: Access to the resource https://queue.amazonaws.com/ is denied.
I have a custom policy on the IAM user to specify the permissions as shown below:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1485992560000",
            "Effect": "Allow",
            "Action": [
                "sqs:ReceiveMessage",
                "sqs:SendMessage",
                "sqs:ListQueues"
            ],
            "Resource": [
                "arn:aws:sqs:us-east-1:XXXX:TestQueue"
            ]
        }
    ]
}
With this policy in place, I have verified that I can send and receive messages from this queue using the AWS CLI. If I modify the permissions to the user and add a statement where the Action is sqs:ListQueues and the Resource is "*", the list-queues command using the AWS CLI returns the url for TestQueue in the response.
Am I wrong to think that list-queues should return only the queues the IAM user has been granted that action on?
Any guidance/advice welcomed! Thanks!
Upvotes: 0
Views: 2065
Reputation: 36083
Commands such as sqs:ListQueues cannot be restricted on their resources. They must have a resource specification of "*". This also means that you cannot limit the return values: they will always return all queues, even if the user cannot perform actions on them.
This is similar behaviour to other "listing" type methods, like ec2:DescribeInstances, etc.
Upvotes: 3
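To make the answer concrete, here is an added example (not code from the question, the answer, or AWS) that runs the asker's single-statement policy and a least-privilege two-statement rewrite through a small offline IAM-style evaluator. The policy contents, the XXXX account id and the modelling of the ListQueues request as the resource "*" are assumptions taken from the thread; real IAM evaluation also involves conditions, principals and other policy types that this evaluator ignores.

```python
import fnmatch

# Constructed example: the asker's single-statement policy (account id kept as XXXX, as
# on the page) beside a least-privilege rewrite that keeps the queue-level actions scoped
# to the queue ARN and grants sqs:ListQueues only on "*".
QUEUE_ARN = "arn:aws:sqs:us-east-1:XXXX:TestQueue"
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["sqs:ReceiveMessage", "sqs:SendMessage", "sqs:ListQueues"],
                   "Resource": [QUEUE_ARN]}],
}
CORRECTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["sqs:ReceiveMessage", "sqs:SendMessage"],
         "Resource": [QUEUE_ARN]},
        {"Effect": "Allow", "Action": ["sqs:ListQueues"], "Resource": ["*"]},
    ],
}
# Simplification: sqs:ListQueues is not resource-scoped, so the request carries no queue
# ARN; it is modelled here as the literal resource "*", which only a "*" pattern matches.
LIST_QUEUES_RESOURCE = "*"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value):
    # IAM wildcard semantics: '*' matches any run of characters, '?' a single character.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def is_allowed(policy, action, resource):
    """Minimal IAM evaluation: an explicit Deny wins, otherwise any matching Allow grants;
    everything else is denied. Conditions, NotAction/NotResource and principals are ignored."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_POLICY), ("corrected", CORRECTED_POLICY)):
        print(name, "SendMessage:", is_allowed(policy, "sqs:SendMessage", QUEUE_ARN),
              "ListQueues:", is_allowed(policy, "sqs:ListQueues", LIST_QUEUES_RESOURCE))
```

Running it shows the original policy denying ListQueues while still allowing SendMessage on TestQueue, and the corrected policy allowing both without widening the queue-level actions to other queues.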