
Amazon Simple Queue Service Developer Guide
Example AWS IAM Policies for Amazon SQS

Example 2: Allow developers to write messages to a shared test queue

In this example, we create a group for developers and attach a policy that lets the group use the Amazon SQS SendMessage action, but only with the AWS Account's queue named CompanyTestQueue.

    {
      "Statement":[{
        "Effect":"Allow",
        "Action":"sqs:SendMessage",
        "Resource":"arn:aws:sqs:*:123456789012:CompanyTestQueue"
      }]
    }

Example 3: Allow managers to get the general size of queues

In this example, we create a group for managers and attach a policy that lets the group use the Amazon SQS GetQueueAttributes action with all of the AWS Account's queues.

    {
      "Statement":[{
        "Effect":"Allow",
        "Action":"sqs:GetQueueAttributes",
        "Resource":"*"
      }]
    }

API Version 2009-02-01 69
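The group policies on this page (Examples 2 and 3 above, and the WidgetCo policy of Example 4 that follows) are easiest to reason about when you can evaluate a concrete request against them. The Python below is an added illustration, not AWS code and not part of the guide: it implements only the subset of IAM evaluation these examples rely on (Effect, Action/NotAction, Resource/NotResource with `*` wildcards, explicit Deny beating Allow, default Deny) and ignores conditions, principals and SQS queue policies. The policy dicts are copied from the page; the BROAD_SQS_ACCESS policy is a hypothetical stand-in for the "broad policy elsewhere in the system" that Example 4 mentions, and the function and helper names are mine.

```python
"""Tiny evaluator for the IAM policy statements shown in Examples 2-4.

Added illustration, not AWS code. Only the subset of IAM semantics the
examples use is modelled: Effect, Action/NotAction, Resource/NotResource
with '*' wildcards, an applicable Deny overriding any Allow, and Deny by
default when nothing allows the request.
"""
import fnmatch

ACCOUNT = "123456789012"  # account id used throughout the page's examples

# Policies copied from the page (no Version element, as in the 2009 guide).
DEVELOPERS = {"Statement": [{
    "Effect": "Allow",
    "Action": "sqs:SendMessage",
    "Resource": f"arn:aws:sqs:*:{ACCOUNT}:CompanyTestQueue"}]}

MANAGERS = {"Statement": [{
    "Effect": "Allow",
    "Action": "sqs:GetQueueAttributes",
    "Resource": "*"}]}

WIDGETCO = {"Statement": [
    {"Effect": "Allow",
     "Action": "sqs:SendMessage",
     "Resource": f"arn:aws:sqs:*:{ACCOUNT}:WidgetPartnerQueue"},
    {"Effect": "Deny",
     "NotAction": "sqs:SendMessage",
     "NotResource": f"arn:aws:sqs:*:{ACCOUNT}:WidgetPartnerQueue"}]}

# Hypothetical "broad policy elsewhere in the system" that Example 4 alludes to.
BROAD_SQS_ACCESS = {"Statement": [{
    "Effect": "Allow", "Action": "sqs:*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style glob match: '*' matches any run of characters, ':' included."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def statement_applies(stmt, action, resource):
    """A statement applies only when every element it contains matches.
    Not* elements are negated, so NotAction plus NotResource in one statement
    covers a request only when the action is outside NotAction AND the
    resource is outside NotResource at the same time."""
    if "Action" in stmt and not _matches(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _matches(stmt["NotAction"], action):
        return False
    if "Resource" in stmt and not _matches(stmt["Resource"], resource):
        return False
    if "NotResource" in stmt and _matches(stmt["NotResource"], resource):
        return False
    return True


def evaluate(policies, action, resource):
    """Decide one request across all attached policies: any applicable Deny
    wins; otherwise at least one applicable Allow is needed."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


def queue_arn(name, region="us-east-1"):
    """Build the ARN of a queue in the page's example account."""
    return f"arn:aws:sqs:{region}:{ACCOUNT}:{name}"


if __name__ == "__main__":
    partner, test_q = queue_arn("WidgetPartnerQueue"), queue_arn("CompanyTestQueue")
    for label, policies in (("WidgetCo only", [WIDGETCO]),
                            ("WidgetCo + broad", [BROAD_SQS_ACCESS, WIDGETCO])):
        for action, resource in (("sqs:SendMessage", partner),
                                 ("sqs:ReceiveMessage", partner),
                                 ("sqs:SendMessage", test_q),
                                 ("sqs:ReceiveMessage", test_q)):
            print(f"{label:18} {action:19} {resource.rsplit(':', 1)[1]:19}"
                  f" -> {evaluate(policies, action, resource)}")
```

Running the script shows the point worth knowing about Example 4: on its own the WidgetCo policy grants nothing but SendMessage on WidgetPartnerQueue, because everything else is denied by default. Once a broad Allow is also attached, the Deny statement only removes requests whose action is not SendMessage and whose resource is not WidgetPartnerQueue, since both negated elements must hold for the statement to apply; ReceiveMessage on WidgetPartnerQueue and SendMessage on CompanyTestQueue are then still permitted by the broad policy. If those must be blocked too, they need Deny statements of their own.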

Example 4: Allow a partner to send messages to a particular queue

You could do this with an SQS policy or an AWS IAM policy. Using an SQS policy might be easier if the partner has an AWS Account. However, anyone in the partner's company who possesses the AWS Account credentials could send messages to the queue (and not just a particular User). We'll assume you want to limit access to a particular person (or application), so you need to treat the partner like a User within your own company, and use an AWS IAM policy instead of an SQS policy.

In this example, we create a group called WidgetCo that represents the partner company, then create a User for the specific person (or application) at the partner company who needs access, and then put the User in the group. We then attach a policy that gives the group SendMessage access on the specific queue named WidgetPartnerQueue.

We also want to prevent the WidgetCo group from doing anything else with queues, so we add a statement that denies permission to any Amazon SQS actions besides SendMessage on any queue besides WidgetPartnerQueue. This is only necessary if there's a broad policy elsewhere in the system that gives Users wide access to Amazon SQS.

    {
      "Statement":[{
        "Effect":"Allow",
        "Action":"sqs:SendMessage",
        "Resource":"arn:aws:sqs:*:123456789012:WidgetPartnerQueue"
      },
      {
        "Effect":"Deny",
        "NotAction":"sqs:SendMessage",
        "NotResource":"arn:aws:sqs:*:123456789012:WidgetPartnerQueue"
      }]
    }

Using Temporary Security Credentials

In addition to creating IAM users with their own security credentials, IAM also enables you to grant temporary security credentials to any user, allowing this user to access your AWS services and resources. You can manage users who have AWS accounts; these users are IAM users. You can also manage users for your system who do not have AWS accounts; these users are called federated users.
Additionally, "users" can also be applications that you create to access your AWS resources.

You can use these temporary security credentials in making requests to Amazon SQS. The API libraries compute the necessary signature value using those credentials to authenticate your request. If you send requests using expired credentials, Amazon SQS denies the request. For more information about IAM support for temporary security credentials, go to Granting Temporary Access to Your AWS Resources in Using IAM.

Example Using Temporary Security Credentials to Authenticate an Amazon SQS Request

The following example demonstrates how to obtain temporary security credentials to authenticate an Amazon SQS request.
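The guide's own example is not reproduced on this page. As an added illustration that is not the guide's code and not an AWS library, the Python below shows what "the API libraries compute the necessary signature value using those credentials" amounts to for the 2009-02-01 Query API (Signature Version 2): the temporary session token is sent as the SecurityToken parameter, the HMAC-SHA256 signature is computed with the temporary secret key over the canonical request, and credentials whose Expiration has passed are refused before any request is sent, since the service would deny them anyway. The credential values are constructed placeholders (a real set is returned by the IAM temporary-credentials API), the queue path reuses the account and queue name from Example 4, and the function names are mine.

```python
"""Signing an SQS Query request (API 2009-02-01, Signature Version 2) with
temporary security credentials. Added illustration, not the guide's own
example and not AWS library code. Placeholder credentials only."""
import base64
import hashlib
import hmac
import urllib.parse
from datetime import datetime, timezone

# Constructed placeholder credentials: shape only, not real values. A real
# set (AccessKeyId, SecretAccessKey, SessionToken, Expiration) comes from
# the IAM temporary-credentials API.
TEMP_CREDS = {
    "AccessKeyId": "ASIAEXAMPLEPLACEHOLDER",
    "SecretAccessKey": "EXAMPLE-SECRET-KEY-placeholder",
    "SessionToken": "EXAMPLE-SESSION-TOKEN-placeholder",
    "Expiration": "2030-01-01T00:00:00Z",  # ISO 8601, UTC
}

QUEUE_HOST = "queue.amazonaws.com"  # SQS 2009-02-01 Query endpoint host
QUEUE_PATH = "/123456789012/WidgetPartnerQueue"  # account and queue from Example 4
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _encode(value):
    # RFC 3986 encoding as SigV2 requires: only A-Z a-z 0-9 - _ . ~ unescaped,
    # so a space becomes %20, not '+'.
    return urllib.parse.quote(str(value), safe="-_.~")


def canonical_query(params):
    """Sort parameters by byte order and encode them (SigV2 canonical form)."""
    return "&".join(f"{_encode(k)}={_encode(v)}" for k, v in sorted(params.items()))


def string_to_sign(method, host, path, params):
    """SigV2 StringToSign: verb, lowercase host, path, canonical query."""
    return "\n".join([method, host.lower(), path, canonical_query(params)])


def sign(secret_key, sts):
    """Base64(HMAC-SHA256(secret, StringToSign)), the SignatureMethod HmacSHA256."""
    digest = hmac.new(secret_key.encode(), sts.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def credentials_valid(creds, now):
    """Temporary credentials are usable only before their Expiration.
    Fixed-format UTC timestamps compare correctly as strings."""
    return now < creds["Expiration"]


def build_send_message_request(creds, message_body, now=None, method="POST"):
    """Return the signed parameter dict for a SendMessage call, or raise if
    the temporary credentials have already expired."""
    now = now or datetime.now(timezone.utc).strftime(TIME_FMT)
    if not credentials_valid(creds, now):
        raise ValueError("temporary credentials expired; obtain a new set")
    params = {
        "Action": "SendMessage",
        "MessageBody": message_body,
        "Version": "2009-02-01",
        "AWSAccessKeyId": creds["AccessKeyId"],
        "SecurityToken": creds["SessionToken"],  # what temporary credentials add
        "SignatureMethod": "HmacSHA256",
        "SignatureVersion": "2",
        "Timestamp": now,
    }
    params["Signature"] = sign(creds["SecretAccessKey"],
                               string_to_sign(method, QUEUE_HOST, QUEUE_PATH, params))
    return params


def verify_signature(secret_key, params, method="POST"):
    """Recompute the signature the way the service side does; any change to a
    signed parameter, the SecurityToken included, makes it fail."""
    unsigned = {k: v for k, v in params.items() if k != "Signature"}
    expected = sign(secret_key, string_to_sign(method, QUEUE_HOST, QUEUE_PATH, unsigned))
    return hmac.compare_digest(expected, params["Signature"])


if __name__ == "__main__":
    req = build_send_message_request(TEMP_CREDS, "hello from a federated user")
    print(urllib.parse.urlencode(req))
    print("verifies:", verify_signature(TEMP_CREDS["SecretAccessKey"], req))
```

Because the SecurityToken is one of the signed parameters, the service can tie the signature to the temporary secret key that was issued with that token; swapping the token or reusing the request after Expiration both fail, which is the behaviour the paragraph above describes.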