
Reputation: 473

Access Denied to amazon AWS SQS through CLI or API

I am getting access denied when I try to access the Amazon SQS through CLI or API. This is the node.js code:

// Load the AWS SDK for Node.js
var AWS = require('aws-sdk');
// Set the region 
AWS.config.update({region: 'eu-west-1'});

var credentials = new AWS.SharedIniFileCredentials({profile: 'default'});
AWS.config.credentials = credentials;

// Create the SQS service object
var sqs = new AWS.SQS({apiVersion: 'latest'});

var params = {
  MaxResults: 10
};

sqs.listQueues(params, function(err, data) {
  if (err) {
    console.log("Error", err);
  } else {
    console.log("Success", data);
  }
});

The SQS policy is the following:

{
  "Version": "2012-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__owner_statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::437568002678:root",
          "arn:aws:iam::ACCOUNTID:role/MyRole",
          "arn:aws:iam::ACCOUNTID:user/username"
        ]
      },
      "Action": [
        "sqs:GetQueueAttributes",
        "sqs:SendMessage",
        "sqs:ListQueues"
      ],
      "Resource": "arn:aws:sqs:eu-west-1:ACCOUNTID:NAME"
    }
  ]
}

The complete error is:

Error AccessDenied: Access to the resource https://sqs.eu-west-1.amazonaws.com/ is denied.

The credentials file is set at /home/user/.aws/credentials.

I am using one account for AWS services.

Upvotes: 1

Views: 4575

Answers (1)

John Rotenstein

Reputation: 269081

To reproduce your situation I did the following:

  • Created an IAM User with no permissions
  • Configured the AWS CLI to use credentials associated with the new IAM User
  • Created a standard (non-FIFO) Amazon SQS queue
  • Attached your policy to the queue, but with an updated Resource and Principal
  • Used the AWS CLI to send a message to the SQS queue:

    aws sqs send-message --queue-url https://sqs.ap-southeast-2.amazonaws.com/123456789012/queuename --message-body foo

The message was successfully sent to the queue. This means that the Access Policy on the SQS queue was sufficient to grant permission to send the message, without requiring any additional permissions on the IAM User.

Therefore, either your AWS CLI is not using the IAM User referenced in your Access Policy, or there are some permissions on the IAM User or Account SCP that are specifically denying the ability to use SendMessage().

Upvotes: 4
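The answer narrows an AccessDenied down to two causes: the CLI or SDK is running as a principal that the queue policy does not name, or an explicit Deny elsewhere (IAM user policy, SCP) overrides the queue policy's Allow. The following Node.js script is an added example, not code from the question, the answer or the AWS SDK: it is an offline, deliberately simplified model of that evaluation order (explicit Deny wins; a queue-policy Allow naming the caller's own ARN is sufficient in the same account; an account-root principal only delegates to identity-based policies), run against the question's policy with a constructed account id, queue name and user names. It assumes a single account, no Condition blocks, and SCPs modelled only as explicit Denies; `evaluate` and `diagnose` are hypothetical helper names.

```javascript
'use strict';
// Added example: simplified offline model of AWS policy evaluation for an SQS
// request, used to classify an AccessDenied into the answer's two causes.
// ACCOUNT, QUEUE_ARN and the user names are constructed placeholders.

const ACCOUNT = '123456789012';
const QUEUE_ARN = `arn:aws:sqs:eu-west-1:${ACCOUNT}:myqueue`;

// The queue policy from the question, with constructed identifiers.
const queuePolicy = {
  Version: '2012-10-17',
  Statement: [{
    Sid: '__owner_statement',
    Effect: 'Allow',
    Principal: { AWS: [
      `arn:aws:iam::${ACCOUNT}:root`,
      `arn:aws:iam::${ACCOUNT}:role/MyRole`,
      `arn:aws:iam::${ACCOUNT}:user/username`,
    ] },
    Action: ['sqs:GetQueueAttributes', 'sqs:SendMessage', 'sqs:ListQueues'],
    Resource: QUEUE_ARN,
  }],
};

const asList = (x) => (x === undefined ? [] : Array.isArray(x) ? x : [x]);

// IAM-style wildcard match: '*' is any run of characters, '?' one character.
function globMatch(pattern, value) {
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp(`^${re}$`).test(value);
}

function actionAndResourceMatch(stmt, action, resource) {
  return asList(stmt.Action).some((a) => globMatch(a, action)) &&
         asList(stmt.Resource).some((r) => globMatch(r, resource));
}

// How a queue-policy statement names the caller: 'direct' (the caller's own ARN
// or '*'), 'account' (only the account root, which delegates the decision to
// identity-based policies), or null (the caller is not a principal at all).
function principalMatch(stmt, callerArn) {
  const principals = stmt.Principal === '*' ? ['*'] : asList(stmt.Principal && stmt.Principal.AWS);
  if (principals.some((p) => p === '*' || p === callerArn)) return 'direct';
  const account = callerArn.split(':')[4];
  if (principals.includes(`arn:aws:iam::${account}:root`)) return 'account';
  return null;
}

function evaluate({ callerArn, action, resource, identityStatements = [], scpStatements = [] }) {
  // 1. An explicit Deny in any applicable policy wins over every Allow.
  const denies = [
    ...queuePolicy.Statement.filter((s) => principalMatch(s, callerArn)).map((s) => ({ ...s, source: 'queue policy' })),
    ...identityStatements.map((s) => ({ ...s, source: 'identity-based policy' })),
    ...scpStatements.map((s) => ({ ...s, source: 'SCP' })),
  ].filter((s) => s.Effect === 'Deny' && actionAndResourceMatch(s, action, resource));
  if (denies.length) return { allowed: false, reason: `explicit Deny in ${denies[0].source}` };

  // 2. A queue-policy Allow that names the caller's own ARN is sufficient on its own
  //    (this is what the answer's reproduction with a permission-less IAM user shows).
  const allows = queuePolicy.Statement.filter((s) => s.Effect === 'Allow' && actionAndResourceMatch(s, action, resource));
  if (allows.some((s) => principalMatch(s, callerArn) === 'direct')) {
    return { allowed: true, reason: 'queue policy names the caller' };
  }

  // 3. Otherwise a same-account caller needs an Allow in its identity-based policy.
  if (identityStatements.some((s) => s.Effect === 'Allow' && actionAndResourceMatch(s, action, resource))) {
    return { allowed: true, reason: 'identity-based policy allows' };
  }

  // 4. Nothing allows the call: the caller is not the principal the policy expects.
  const trustsAccount = allows.some((s) => principalMatch(s, callerArn) === 'account');
  return {
    allowed: false,
    reason: trustsAccount
      ? `caller ${callerArn} is not named in the queue policy; the root entry only delegates to identity-based policies, and none allow`
      : `caller ${callerArn} is not a Principal in the queue policy`,
  };
}

// The situations the answer distinguishes, as constructed inputs.
const listedUser = `arn:aws:iam::${ACCOUNT}:user/username`;
const otherUser = `arn:aws:iam::${ACCOUNT}:user/someone-else`;
const scpDenySend = [{ Effect: 'Deny', Action: 'sqs:SendMessage', Resource: '*' }];

function diagnose() {
  return {
    listedUser: evaluate({ callerArn: listedUser, action: 'sqs:SendMessage', resource: QUEUE_ARN }),
    wrongIdentity: evaluate({ callerArn: otherUser, action: 'sqs:SendMessage', resource: QUEUE_ARN }),
    scpDeny: evaluate({ callerArn: listedUser, action: 'sqs:SendMessage', resource: QUEUE_ARN, scpStatements: scpDenySend }),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, result] of Object.entries(diagnose())) console.log(name, result);
}
```

To apply this to a real deployment, set `callerArn` to the `Arn` field printed by `aws sts get-caller-identity` on the machine running the CLI or SDK (using the same profile the code loads); if that ARN is not one of the policy's principals, the first cause applies before any Deny hunting is needed.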
