How to allow anonymous access for SendMessage to Amazon SQS?

0

The AWS SQS docs states that anonymous access is supported: https://aws.amazon.com/sqs/faqs/#:~:text=Q%3A%20Does%20Amazon%20SQS%20support%20anonymous%20access%3F

It also provides an example policy that grants a permission to all users: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-basic-examples-of-sqs-policies.html#:~:text=Example%205%3A%20Grant%20a%20permission%20to%20all%20users

I've tried to create an SQS queue with the following access policy:

{
  "Version": "2012-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__owner_statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "SQS:*",
      "Resource": "*"
    }
  ]
}

However, an anonymous client (using a cURL request) gets the following error when trying to execute SendMessage: Access to the resource The specified queue does not exist or you do not have access to it. is denied.

A previous solution (https://stackoverflow.com/questions/32632850/how-do-you-enable-anonymous-write-access-to-sqs-queue) doesn't seem to work anymore.

Is anonymous access to SQS no longer supported by AWS?

1 Answer
0

Hi,

The page https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-basic-examples-of-sqs-policies.html will give you details of the exact IAM policies to use to allow anonymous posting to SQS queues (on a time-limited basis if needed).

See in particular examples 5 & 6.

Example 6 with time-limited allowance:

{
   "Version": "2012-10-17",
   "Id": "Queue1_Policy_UUID",
   "Statement": [{
      "Sid":"Queue1_AnonymousAccess_ReceiveMessage_TimeLimit",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sqs:ReceiveMessage",
      "Resource": "arn:aws:sqs:*:111122223333:queue1",
      "Condition" : {
         "DateGreaterThan" : {
            "aws:CurrentTime":"2009-01-31T12:00Z"
         },
         "DateLessThan" : {
            "aws:CurrentTime":"2009-01-31T15:00Z"
         }
      }
   }]
}

Best

Didier

AWS EXPERT
answered 5 months ago
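The two policies on this page differ in exactly the ways a reviewer of a queue policy cares about: the question's policy allows every principal every SQS action on every resource with no condition, while Example 6 allows one action on one queue ARN and only while aws:CurrentTime falls inside a window that, as copied from the guide, lies in January 2009. The following script is an added example, not code from the page, from AWS or from the answerer: it loads both policies (embedded inline as constructed samples) and reports, for each Allow statement reachable by anonymous callers, what it opens and whether its time window is live at a given instant. It only models the DateGreaterThan / DateLessThan operators on aws:CurrentTime (an assumption; other condition keys are ignored, so it errs toward reporting access as open) and it is an offline review of the policy document, not a reproduction of AWS's own authorization decision.

```python
import json
from datetime import datetime, timezone

# Constructed sample inputs, copied from the policies shown on this page.
# Example 6 from the SQS developer guide (the answer's policy): anonymous
# ReceiveMessage on one queue, only inside a three-hour window in 2009.
EXAMPLE_6_POLICY = json.loads("""{
   "Version": "2012-10-17",
   "Id": "Queue1_Policy_UUID",
   "Statement": [{
      "Sid": "Queue1_AnonymousAccess_ReceiveMessage_TimeLimit",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sqs:ReceiveMessage",
      "Resource": "arn:aws:sqs:*:111122223333:queue1",
      "Condition": {
         "DateGreaterThan": {"aws:CurrentTime": "2009-01-31T12:00Z"},
         "DateLessThan": {"aws:CurrentTime": "2009-01-31T15:00Z"}
      }
   }]
}""")

# The question's policy: every principal, every SQS action, every resource.
QUESTION_POLICY = json.loads("""{
   "Version": "2012-10-17",
   "Id": "__default_policy_ID",
   "Statement": [{
      "Sid": "__owner_statement",
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": "SQS:*",
      "Resource": "*"
   }]
}""")


def _as_list(value):
    """IAM lets most fields be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal):
    """True when unauthenticated callers match: Principal "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def parse_aws_time(text):
    """Parse the ISO 8601 UTC timestamps used with aws:CurrentTime.
    The guide's example omits seconds ("2009-01-31T12:00Z"), so accept both forms."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported aws:CurrentTime value: {text!r}")


def time_window_open(condition, now):
    """Evaluate DateGreaterThan / DateLessThan on aws:CurrentTime at `now`.
    Assumption: only these two operators are modelled; any other condition key
    is ignored, so the result errs toward reporting access as open."""
    start = condition.get("DateGreaterThan", {}).get("aws:CurrentTime")
    end = condition.get("DateLessThan", {}).get("aws:CurrentTime")
    if start is not None and not now > parse_aws_time(start):
        return False
    if end is not None and not now < parse_aws_time(end):
        return False
    return True


def review_anonymous_access(policy, now):
    """Return one finding per Allow statement reachable by anonymous callers,
    recording what the statement opens and whether it is live at `now`."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        condition = stmt.get("Condition", {})
        actions = _as_list(stmt.get("Action"))
        findings.append({
            "sid": stmt.get("Sid"),
            "actions": actions,
            "resources": _as_list(stmt.get("Resource")),
            "wildcard_action": any(a.lower() in ("*", "sqs:*") for a in actions),
            "time_limited": any(op in condition for op in ("DateGreaterThan", "DateLessThan")),
            "active_now": time_window_open(condition, now),
        })
    return findings


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for name, policy in (("question", QUESTION_POLICY), ("example 6", EXAMPLE_6_POLICY)):
        for f in review_anonymous_access(policy, now):
            print(f"{name}: {f['sid']}: actions={f['actions']} resources={f['resources']} "
                  f"wildcard_action={f['wildcard_action']} time_limited={f['time_limited']} "
                  f"active_now={f['active_now']}")
```

Run as-is, the script reports the question's statement as a wildcard action with no time limit that is active at any instant, and Example 6's statement as time-limited and no longer active, because its window closed in 2009. Replace the two timestamps with a window in the future before reusing the guide's example, and keep the action and resource as narrow as the use case allows; the review function accepts any queue policy document, not just the two embedded here.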
  • The examples above don't seem to work. After creating an SQS queue with that policy, trying to read messages from the queue as an anonymous user does not work.

    Running aws sqs receive-message --queue-url https://sqs.us-east-1.amazonaws.com/xxx/queue1 --no-sign-request returns:

    An error occurred (AccessDenied) when calling the ReceiveMessage operation: Access to the resource The specified queue does not exist or you do not have access to it. is denied.
    
  • Interestingly, the command above (aws sqs receive-message --queue-url https://sqs.us-east-1.amazonaws.com/xxx/queue1 --no-sign-request) works if the queue is empty and returns an empty array of messages.

    However, if there is a message in the queue, then an access denied error is returned.

    An error occurred (AccessDenied) when calling the ReceiveMessage operation: Access to the resource The specified queue does not exist or you do not have access to it. is denied.
    
