Reputation: 39059
I have a website that writes messages from the client side to an Amazon SQS Queue. Everybody is allowed to write to the queue. We have a server-side process that reads the queue messages and processes them.
The Queue is configured with write access to everybody, here is its policy:
    {
      "Version": "2012-10-17",
      "Id": "arn:aws:sqs:.../SQSDefaultPolicy",
      "Statement": [{
        "Sid": "Sid1537097246229",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "SQS:SendMessage",
        "Resource": "arn:aws:sqs:..."
      }]
    }
However, we can't seem to write to the queue without an access key and secret key. The AWS SDK returns an error saying that credentials have not been provided. We're using the code as described in the AWS SQS documentation.
Upvotes: 2
Views: 2429
Reputation: 78870
I would not recommend allowing unauthenticated access to an SQS queue, but if you have to do this then you should be able to make unauthenticated requests through the JavaScript SDK as follows:
    const AWS = require('aws-sdk');
    AWS.config.update({ region: 'us-east-1' });
    const sqs = new AWS.SQS({ apiVersion: '2012-11-05' });

    const params = {
      DelaySeconds: 10,
      MessageAttributes: {
        Title: {
          DataType: 'String',
          StringValue: 'The Whistler',
        },
        Author: {
          DataType: 'String',
          StringValue: 'John Grisham',
        },
      },
      MessageBody: 'NY Times fiction bestseller 12/11/2016.',
      QueueUrl: 'QUEUE_URL_HERE',
    };

    // makeUnauthenticatedRequest sends the operation without SigV4 signing,
    // so no access key or secret key is needed; the queue policy alone
    // decides whether the anonymous SendMessage is allowed.
    sqs.makeUnauthenticatedRequest('sendMessage', params, (err, data) => {
      if (err) {
        console.log('Error', err);
      } else {
        console.log('Success', data.MessageId);
      }
    });
Upvotes: 5
Reputation: 729
Your default policy with "Principal": "*" still requires that the sender provide some AWS principal. As stated in the Prerequisites of the document you provided:
Create a shared configurations file with your user credentials. For more information about providing a shared credentials file, see Loading Credentials in Node.js from the Shared Credentials File.
Have you considered using API Gateway as a proxy to your SQS queue? One example of doing so is defined at https://dzone.com/articles/creating-aws-service-proxy-for-amazon-sqs. I would recommend setting up a proxy to the SQS and having a POST endpoint such as
POST::/myQueueName/messages
That will change how your users interact with the queue, but it allows you to lock down the queue to only a service user for reading and writing, which follows the least-privilege policy. Then your API Gateway endpoint can be protected with an API key, left wide-open to the internet, or even protected with IAM roles, based on your preferences.
Upvotes: 3
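The proxy approach in the answer above, as an added example that is not part of the question or either answer: a minimal handler in the shape of an API Gateway Lambda proxy integration that validates the client payload, re-serialises only the whitelisted fields, enforces a size limit below the SQS maximum, and then forwards the message through an injected `sendMessage` function. The queue URL, the field names `title`/`author`/`body`, and the size limits are assumptions; the real SQS client behind `sendMessage` is the only thing that holds credentials for the queue.

```javascript
// Added example (not the page's own code). The SQS client is injected so the
// handler can be exercised offline with a fake sender; in a Lambda you would
// pass (params) => sqs.sendMessage(params).promise() from the AWS SDK v2.
const SQS_MAX_BYTES = 256 * 1024;  // SQS hard limit on a single message
const APP_MAX_BYTES = 64 * 1024;   // assumed tighter application limit
const MAX_HEADER_CHARS = 256;      // assumed limit for title/author

// Returns null when the payload is acceptable, otherwise a short reason.
function validate(payload) {
  if (payload === null || typeof payload !== 'object' || Array.isArray(payload)) {
    return 'payload must be a JSON object';
  }
  for (const field of ['title', 'author', 'body']) {
    if (typeof payload[field] !== 'string' || payload[field].length === 0) {
      return `${field} must be a non-empty string`;
    }
  }
  if (payload.title.length > MAX_HEADER_CHARS || payload.author.length > MAX_HEADER_CHARS) {
    return `title and author are limited to ${MAX_HEADER_CHARS} characters`;
  }
  return null;
}

// event mimics the API Gateway proxy event (only event.body is used here).
// sendMessage: async (params) => ({ MessageId }) wrapping the real SQS call.
async function handler(event, sendMessage, queueUrl = 'QUEUE_URL_PLACEHOLDER') {
  let payload;
  try {
    payload = JSON.parse(event.body || '');
  } catch (e) {
    return { statusCode: 400, body: JSON.stringify({ error: 'body is not valid JSON' }) };
  }
  const problem = validate(payload);
  if (problem) {
    return { statusCode: 400, body: JSON.stringify({ error: problem }) };
  }
  // Re-serialise only the whitelisted fields so nothing else reaches the queue.
  const message = JSON.stringify({ title: payload.title, author: payload.author, body: payload.body });
  const size = Buffer.byteLength(message, 'utf8');
  if (size > APP_MAX_BYTES || size > SQS_MAX_BYTES) {
    return { statusCode: 413, body: JSON.stringify({ error: 'message too large' }) };
  }
  const result = await sendMessage({ QueueUrl: queueUrl, MessageBody: message });
  return { statusCode: 202, body: JSON.stringify({ messageId: result.MessageId }) };
}
```

With this in place the queue policy can drop `"Principal": "*"` and allow SendMessage only to the role the proxy runs under, which is the least-privilege arrangement the answer describes.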