使用 AWS re:Post 即表示您同意 AWS re:Post 使用條款
AWS re:Postre:Post

How to allow anonymous access for SendMessage to Amazon SQS?

0

The AWS SQS docs states that anonymous access is supported: https://aws.amazon.com/sqs/faqs/#:~:text=Q%3A%20Does%20Amazon%20SQS%20support%20anonymous%20access%3F

It also provides an example policy that grants a permission to all users: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-basic-examples-of-sqs-policies.html#:~:text=Example%205%3A%20Grant%20a%20permission%20to%20all%20users

I've tried to create an SQS queue with the following access policy:

{
  "Version": "2012-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__owner_statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "SQS:*",
      "Resource": "*"
    }
  ]
}

However, an anonymous client (using a cURL request) gets the following error when trying to execute SendMessage: Access to the resource The specified queue does not exist or you do not have access to it. is denied.

A previous solution (https://stackoverflow.com/questions/32632850/how-do-you-enable-anonymous-write-access-to-sqs-queue) doesn't seem to work anymore.

Is anonymous access to SQS no longer supported by AWS?

主題
安全性、身分識別與合規無伺服器應用程式整合
標籤
AWS Identity and Access ManagementAmazon Simple Queue ServiceIAM 政策
語言
English
Michael
已提問 6 個月前檢視次數 310 次
1 個回答
0

Hi,

The page https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-basic-examples-of-sqs-policies.html will give you details of the exact IAM policies to use to allow anonymous posting to SQS queues (on a tume-limited basis if needed).

See in particular examples 5 & 6.

Example 6 with time-limited allowance:

{
   "Version": "2012-10-17",
   "Id": "Queue1_Policy_UUID",
   "Statement": [{
      "Sid":"Queue1_AnonymousAccess_ReceiveMessage_TimeLimit",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sqs:ReceiveMessage",
      "Resource": "arn:aws:sqs:*:111122223333:queue1",
      "Condition" : {
         "DateGreaterThan" : {
            "aws:CurrentTime":"2009-01-31T12:00Z"
         },
         "DateLessThan" : {
            "aws:CurrentTime":"2009-01-31T15:00Z"
         }
      }
   }]
}

Best

Didier

profile pictureAWS
專家
Didier_Durand
已回答 6 個月前
  • Michael
    6 個月前

    The examples above doesn't seem to work. After creating an SQS queue with that policy, trying to read messages from the queue as an anonymous user does not work.

    Running aws sqs receive-message --queue-url https://sqs.us-east-1.amazonaws.com/xxx/queue1 --no-sign-request returns:

    An error occurred (AccessDenied) when calling the ReceiveMessage operation: Access to the resource The specified queue does not exist or you do not have access to it. is denied.
  • Michael
    6 個月前

    Interestingly, the command above (aws sqs receive-message --queue-url https://sqs.us-east-1.amazonaws.com/xxx/queue1 --no-sign-request) works if the queue is empty and returns an empty array of messages.

    However, if there is a message in the queue, then an access denied error is returned.

    An error occurred (AccessDenied) when calling the ReceiveMessage operation: Access to the resource The specified queue does not exist or you do not have access to it. is denied.

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南

相關內容