sqs-dg-2009-02-01

More documents

Recommendations

Info

Amazon Simple Queue Service Developer GuideShared QueuesShared QueuesTopics• Simple API for Shared Queues (p. 29)• Advanced API for Shared Queues (p. 29)• Understanding Permissions (p. 29)• Granting Anonymous Access to a Queue (p. 30)Amazon SQS includes methods to share your queues so others can use them, using permissions set inan access control policy. A permission gives access to another person to use your queue in some particularway. A policy is the actual document that contains the permissions you've granted.Amazon SQS offers two methods for setting a policy: a simple API and an advanced API. In the simpleAPI, SQS generates an access control policy for you. In the advanced API, you create the access controlpolicy.Simple API for Shared QueuesThe simple API for sharing a queue has two operations:• AddPermission• RemovePermissionWith the Simple API, Amazon SQS writes the policy in the required language for you based on theinformation you include in the AddPermission operation. However, the policy that Amazon SQS generatesis limited in scope. You can grant permissions to principals, but you can't specify restrictions.Advanced API for Shared QueuesWith the advanced API, you write the policy yourself directly in the access policy language and uploadthe policy with the SetQueueAttributes operation. The advanced API allows you to deny access or toapply finer access restrictions (for example, based on time or based on IP address).If you choose to write your own policies, you need to understand how policies are structured. For completereference information about policies, see Using The Access Policy Language (p. 32). For examples ofpolicies, see Amazon SQS Policy Examples (p. 57).Understanding PermissionsA permission is the type of access you give to a principal (the user receiving the permission). You giveeach permission a label that identifies that permission. If you want to delete that permission in the future,you use that label to identify the permission. If you want to see what permissions are on a queue, usethe GetQueueAttributes operation. Amazon SQS returns the entire policy (containing all the permissions).Amazon SQS supports the permission types shown in the following table.Permission*ReceiveMessageDescriptionThis permission type grants the following actions to a principal on a sharedqueue: receive messages, send messages, delete messages, change amessage's visibility, get a queue's attributes.This grants permission to receive messages in the queue.API Version 2009-02-0129
Amazon Simple Queue Service Developer GuideGranting Anonymous Access to a QueuePermissionSendMessageDeleteMessageChangeMessageVisibilityGetQueueAttributesDescriptionThis grants permission to send messages to the queue.This grants permission to delete messages from the queue.This grants permission to extend or terminate the read lock timeout of aspecified message. For more information about visibility timeout, see VisibilityTimeout (p. 8). For more information about this permission type, see theChangeMessageVisibility operation.This grants permission to receive all of the queue attributes except the policy,which can only be accessed by the queue's owner. For more information,see the GetQueueAttributes operation..Permissions for each of the different permission types are considered separate permissions by AmazonSQS, even though * includes the access provided by the other permission types. For example, it ispossible to grant both * and SendMessage permissions to a user, even though a * includes the accessprovided by SendMessage.This concept applies when you remove a permission. If a principal has only a * permission, requestingto remove a SendMessage permission does not leave the principal with an "everything but" permission.Instead, the request does nothing, because the principal did not previously possess an explicitSendMessage permission.If you want to remove * and leave the principal with just the ReceiveMessage permission, first add theReceiveMessage permission, then remove the * permission.TipYou give each permission a label that identifies that permission. If you want to delete thatpermission in the future, you use that label to identify the permission.NoteIf you want to see what permissions are on a queue, use the GetQueueAttributes operation. Theentire policy (containing all the permissions) is returned.Granting Anonymous Access to a QueueYou can allow shared queue access to anonymous users. Such access requires no signature or AccessKey ID.To allow anonymous access you must write your own policy, setting the Principal to *. For informationabout writing your own policies, see Using The Access Policy Language (p. 32).CautionKeep in mind that the queue owner is responsible for all costs related to the queue. Thereforeyou probably want to limit anonymous access in some other way (by time or IP address, forexample).API Version 2009-02-0130
Page 1 and 2: Amazon Simple Queue ServiceDevelope
Page 3 and 4: Amazon Simple Queue Service Develop
Page 31: Amazon Simple Queue Service Develop

sqs-dg-2009-02-01

Create successful ePaper yourself

Delete template?

Save as template?