AWS re:Postを使用することにより、以下に同意したことになります AWS re:Post 利用規約
AWS re:Postre:Post

How to allow anonymous access for SendMessage to Amazon SQS?

0

The AWS SQS docs states that anonymous access is supported: https://aws.amazon.com/sqs/faqs/#:~:text=Q%3A%20Does%20Amazon%20SQS%20support%20anonymous%20access%3F

It also provides an example policy that grants a permission to all users: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-basic-examples-of-sqs-policies.html#:~:text=Example%205%3A%20Grant%20a%20permission%20to%20all%20users

I've tried to create an SQS queue with the following access policy:

{
  "Version": "2012-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__owner_statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "SQS:*",
      "Resource": "*"
    }
  ]
}

However, an anonymous client (using a cURL request) gets the following error when trying to execute SendMessage: Access to the resource The specified queue does not exist or you do not have access to it. is denied.

A previous solution (https://stackoverflow.com/questions/32632850/how-do-you-enable-anonymous-write-access-to-sqs-queue) doesn't seem to work anymore.

Is anonymous access to SQS no longer supported by AWS?

トピック
セキュリティ、アイデンティティ、コンプライアンスサーバーレスアプリケーション統合
タグ
AWS Identity and Access ManagementAmazon Simple Queue ServiceIAM ポリシー
言語
English
Michael
質問済み 6ヶ月前310ビュー
1回答
0

Hi,

The page https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-basic-examples-of-sqs-policies.html will give you details of the exact IAM policies to use to allow anonymous posting to SQS queues (on a tume-limited basis if needed).

See in particular examples 5 & 6.

Example 6 with time-limited allowance:

{
   "Version": "2012-10-17",
   "Id": "Queue1_Policy_UUID",
   "Statement": [{
      "Sid":"Queue1_AnonymousAccess_ReceiveMessage_TimeLimit",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sqs:ReceiveMessage",
      "Resource": "arn:aws:sqs:*:111122223333:queue1",
      "Condition" : {
         "DateGreaterThan" : {
            "aws:CurrentTime":"2009-01-31T12:00Z"
         },
         "DateLessThan" : {
            "aws:CurrentTime":"2009-01-31T15:00Z"
         }
      }
   }]
}

Best

Didier

profile pictureAWS
エキスパート
Didier_Durand
回答済み 6ヶ月前
  • Michael
    6ヶ月前

    The examples above doesn't seem to work. After creating an SQS queue with that policy, trying to read messages from the queue as an anonymous user does not work.

    Running aws sqs receive-message --queue-url https://sqs.us-east-1.amazonaws.com/xxx/queue1 --no-sign-request returns:

    An error occurred (AccessDenied) when calling the ReceiveMessage operation: Access to the resource The specified queue does not exist or you do not have access to it. is denied.
  • Michael
    6ヶ月前

    Interestingly, the command above (aws sqs receive-message --queue-url https://sqs.us-east-1.amazonaws.com/xxx/queue1 --no-sign-request) works if the queue is empty and returns an empty array of messages.

    However, if there is a message in the queue, then an access denied error is returned.

    An error occurred (AccessDenied) when calling the ReceiveMessage operation: Access to the resource The specified queue does not exist or you do not have access to it. is denied.

ログインしていません。 ログイン 回答を投稿する。

優れた回答とは、質問に明確に答え、建設的なフィードバックを提供し、質問者の専門分野におけるスキルの向上を促すものです。

質問に答えるためのガイドライン

関連するコンテンツ