supremus_58

Reputation: 57

Limiting permissions for aws sqs:ListQueues

Is it possible to limit the permissions to the number of queues that a function can pull when using boto3 to list SQS queues?

I'm currently using boto3 to pull a list of queues according to a prefix:

import boto3

sqs = boto3.client('sqs')
# Only queues whose name begins with the prefix are returned
response = sqs.list_queues(
    QueueNamePrefix='some-prefix'
)

I'm only able to make this work w/ the following policy:

{
   "Action": "sqs:ListQueues",
   "Effect": "Allow",
   "Resource": "*"
}

editing this to limit the resource like so:

{
   "Action": "sqs:ListQueues",
   "Effect": "Allow",
   "Resource": "some-prefix*"
}

or using a condition:

{
   "Action": "sqs:ListQueues",
   "Effect": "Allow",
   "Resource": "*",
   "Condition": {"StringLike":{"aws:SourceArn": "some-prefix*"}}
}

gets me an AccessDenied.

In the API policy documentation for SQS, the ListQueues permission resource is stated as arn:aws:sqs:region:account_id:*. I'm wondering if there's any way to limit the permission so that my Python function would not have the ability to list all queues in SQS.

Upvotes: 2

Views: 2095

Answers (1)

John Rotenstein

Reputation: 270174

Looking at Actions, resources, and condition keys for Amazon SQS - Service Authorization Reference, the ListQueues API call does not accept any Condition options.

However, it does accept a QueueNamePrefix: "A string to use for filtering the list results. Only those queues whose name begins with the specified string are returned."

Therefore, you can limit the queues by specifying your prefix in that field, rather than using a Condition.

Upvotes: 1
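As an added example (not code from the question or the answer), the approach above in a least-privilege shape: ListQueues keeps the account-wide wildcard resource the question quotes, the queue-level actions get a prefix-scoped queue ARN, and the listing uses QueueNamePrefix with pagination and re-checks each returned name, because the prefix is a request-side filter, not an authorization boundary. The region, account id, prefix and the duck-typed `sqs` client argument are assumptions.

```python
import json


def least_privilege_policy(region: str, account_id: str, prefix: str) -> dict:
    """Build an IAM policy: ListQueues only takes the account-wide wildcard
    ARN quoted from the SQS docs, so the real restriction goes on the
    queue-level actions, which do accept a prefixed queue ARN."""
    queue_arn_prefix = f"arn:aws:sqs:{region}:{account_id}:{prefix}*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnumerateQueueNamesOnly",
                "Effect": "Allow",
                "Action": "sqs:ListQueues",
                # Resource form the question cites for ListQueues
                "Resource": f"arn:aws:sqs:{region}:{account_id}:*",
            },
            {
                "Sid": "TouchOnlyPrefixedQueues",
                "Effect": "Allow",
                "Action": ["sqs:GetQueueUrl", "sqs:GetQueueAttributes",
                           "sqs:ReceiveMessage", "sqs:SendMessage"],
                "Resource": queue_arn_prefix,
            },
        ],
    }


def list_prefixed_queues(sqs, prefix: str) -> list:
    """List queues with the QueueNamePrefix filter, paginating, and re-check
    each name client-side: the prefix is a request parameter, so a caller
    that omits it would still see every queue name in the account."""
    urls = []
    paginator = sqs.get_paginator("list_queues")
    for page in paginator.paginate(QueueNamePrefix=prefix):
        # QueueUrls is absent on a page with no matches
        for url in page.get("QueueUrls", []):
            name = url.rsplit("/", 1)[-1]
            if not name.startswith(prefix):
                raise ValueError(f"queue outside prefix returned: {url}")
            urls.append(url)
    return urls


if __name__ == "__main__":
    import boto3  # ASSUMED region, account id and prefix below
    print(json.dumps(least_privilege_policy("us-east-1", "123456789012", "some-prefix"), indent=2))
    print(list_prefixed_queues(boto3.client("sqs"), "some-prefix"))
```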
