Amazon Simple Queue Service Developer Guide
Using Temporary Security Credentials

Example 4: Allow a partner to send messages to a particular queue

You could do this with an SQS policy or an AWS IAM policy. Using an SQS policy might be easier if the partner has an AWS Account. However, anyone in the partner's company who possesses the AWS Account credentials could send messages to the queue (and not just a particular User). We'll assume you want to limit access to a particular person (or application), so you need to treat the partner like a User within your own company, and use an AWS IAM policy instead of an SQS policy.

In this example, we create a group called WidgetCo that represents the partner company, then create a User for the specific person (or application) at the partner company who needs access, and then put the User in the group.

We then attach a policy that gives the group SendMessage access on the specific queue named WidgetPartnerQueue.

We also want to prevent the WidgetCo group from doing anything else with queues, so we add a statement that denies permission to any Amazon SQS actions besides SendMessage on any queue besides WidgetPartnerQueue. This is only necessary if there's a broad policy elsewhere in the system that gives Users wide access to Amazon SQS.

    {
       "Statement":[{
          "Effect":"Allow",
          "Action":"sqs:SendMessage",
          "Resource":"arn:aws:sqs:*:123456789012:WidgetPartnerQueue"
          },
          {
          "Effect":"Deny",
          "NotAction":"sqs:SendMessage",
          "NotResource":"arn:aws:sqs:*:123456789012:WidgetPartnerQueue"
          }
       ]
    }
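
To check what the Deny statement above covers when a broad policy exists elsewhere, here is an added example (not from the AWS guide) that evaluates the group policy with a simplified model of identity-policy evaluation: explicit Deny wins, then Allow, otherwise implicit deny. The broad `sqs:*` policy, the `us-east-1` region, the `OtherQueue` name and all function names are assumptions made for illustration.

```python
import json
from fnmatch import fnmatchcase

# The WidgetCo group policy shown on the page.
WIDGETCO_POLICY = json.loads("""
{"Statement":[
  {"Effect":"Allow","Action":"sqs:SendMessage",
   "Resource":"arn:aws:sqs:*:123456789012:WidgetPartnerQueue"},
  {"Effect":"Deny","NotAction":"sqs:SendMessage",
   "NotResource":"arn:aws:sqs:*:123456789012:WidgetPartnerQueue"}
]}""")
# Constructed for illustration: the "broad policy elsewhere" the text mentions.
BROAD_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "sqs:*", "Resource": "*"}]}

def _any_match(patterns, value, fold=False):
    """True if value matches any pattern; '*' and '?' act as wildcards."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if fold:  # action names are compared case-insensitively
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatchcase(value, p) for p in patterns)

def _applies(stmt, action, resource):
    """A statement applies only when BOTH its action and resource elements match."""
    act = (_any_match(stmt["Action"], action, True) if "Action" in stmt
           else not _any_match(stmt["NotAction"], action, True))
    res = (_any_match(stmt["Resource"], resource) if "Resource" in stmt
           else not _any_match(stmt["NotResource"], resource))
    return act and res

def evaluate(policies, action, resource):
    """Simplified evaluation: explicit Deny > Allow > implicit deny."""
    hits = [s["Effect"] for p in policies for s in p["Statement"]
            if _applies(s, action, resource)]
    if "Deny" in hits:
        return "Deny"
    return "Allow" if "Allow" in hits else "ImplicitDeny"

PARTNER_Q = "arn:aws:sqs:us-east-1:123456789012:WidgetPartnerQueue"
OTHER_Q = "arn:aws:sqs:us-east-1:123456789012:OtherQueue"  # constructed name

def decision_table(policies):
    """Decision for each action/queue combination relevant to the example."""
    return {(a, r.rsplit(":", 1)[1]): evaluate(policies, a, r)
            for a in ("sqs:SendMessage", "sqs:ReceiveMessage")
            for r in (PARTNER_Q, OTHER_Q)}
```

With both policies attached, `decision_table([WIDGETCO_POLICY, BROAD_POLICY])` returns Deny only for another action on another queue, because the single statement requires the NotAction and NotResource conditions to hold together. Splitting it into one Deny on `NotAction` and one Deny on `NotResource` would cover the other two combinations as well.
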

Using Temporary Security Credentials

In addition to creating IAM users with their own security credentials, IAM also enables you to grant temporary security credentials to any user, allowing this user to access your AWS services and resources. You can manage users who have AWS accounts; these users are IAM users. You can also manage users for your system who do not have AWS accounts; these users are called federated users. Additionally, "users" can also be applications that you create to access your AWS resources.

You can use these temporary security credentials in making requests to Amazon SQS. The API libraries compute the necessary signature value using those credentials to authenticate your request. If you send requests using expired credentials, Amazon SQS denies the request.

For more information about IAM support for temporary security credentials, go to Granting Temporary Access to Your AWS Resources in Using IAM.

Example Using Temporary Security Credentials to Authenticate an Amazon SQS Request

The following example demonstrates how to obtain temporary security credentials to authenticate an Amazon SQS request.

API Version 2009-02-01