sqs-dg-2009-02-01
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Amazon Simple Queue Service Developer Guide<br />
Using Temporary Security Credentials<br />
Example 4: Allow a partner to send messages to a particular queue<br />
You could do this with an SQS policy or an AWS IAM policy. Using an SQS policy might be easier if the<br />
partner has an AWS Account. However, anyone in the partner's company who possesses the AWS<br />
Account credentials could send messages to the queue (and not just a particular User). We'll assume<br />
you want to limit access to a particular person (or application), so you need to treat the partner like a User<br />
within your own company, and use a AWS IAM policy instead of an SQS policy.<br />
In this example, we create a group called Wi<strong>dg</strong>etCo that represents the partner company, then create a<br />
User for the specific person (or application) at the partner company who needs access, and then put the<br />
User in the group.<br />
We then attach a policy that gives the group SendMessage access on the specific queue named<br />
Wi<strong>dg</strong>etPartnerQueue.<br />
We also want to prevent the Wi<strong>dg</strong>etCo group from doing anything else with queues, so we add a statement<br />
that denies permission to any Amazon SQS actions besides SendMessage on any queue besides<br />
Wi<strong>dg</strong>etPartnerQueue. This is only necessary if there's a broad policy elsewhere in the system that gives<br />
Users wide access to Amazon SQS.<br />
{<br />
}<br />
"Statement":[{<br />
"Effect":"Allow",<br />
"Action":"<strong>sqs</strong>:SendMessage",<br />
"Resource":"arn:aws:<strong>sqs</strong>:*:123456789<strong>01</strong>2:Wi<strong>dg</strong>etPartnerQueue"<br />
},<br />
{<br />
"Effect":"Deny",<br />
"NotAction":"<strong>sqs</strong>:SendMessage",<br />
"NotResource":"arn:aws:<strong>sqs</strong>:*:123456789<strong>01</strong>2:Wi<strong>dg</strong>etPartnerQueue"<br />
}<br />
]<br />
Using Temporary Security Credentials<br />
In addition to creating IAM users with their own security credentials, IAM also enables you to grant<br />
temporary security credentials to any user allowing this user to access your AWS services and resources.<br />
You can manage users who have AWS accounts; these users are IAM users.You can also manage users<br />
for your system who do not have AWS accounts; these users are called federated users. Additionally,<br />
"users" can also be applications that you create to access your AWS resources.<br />
You can use these temporary security credentials in making requests to Amazon SQS. The API libraries<br />
compute the necessary signature value using those credentials to authenticate your request. If you send<br />
requests using expired credentials Amazon SQS denies the request.<br />
For more information about IAM support for temporary security credentials, go to Granting Temporary<br />
Access to Your AWS Resources in Using IAM.<br />
Example Using Temporary Security Credentials to Authenticate an Amazon SQS Request<br />
The following example demonstrates how to obtain temporary security credentials to authenticate an<br />
Amazon SQS request.<br />
API Version <strong>2009</strong>-<strong>02</strong>-<strong>01</strong><br />
70