Amazon Simple Queue Service Developer Guide
Using Temporary Security Credentials
Example 4: Allow a partner to send messages to a particular queue
You could do this with an SQS policy or an AWS IAM policy. Using an SQS policy might be easier if the partner has an AWS Account. However, anyone in the partner's company who possesses the AWS Account credentials could then send messages to the queue (not just a particular User). We'll assume you want to limit access to a particular person (or application), so you need to treat the partner like a User within your own company, and use an AWS IAM policy instead of an SQS policy.

In this example, we create a group called WidgetCo that represents the partner company, then create a User for the specific person (or application) at the partner company who needs access, and then put the User in the group.

We then attach a policy that gives the group SendMessage access on the specific queue named WidgetPartnerQueue.

We also want to prevent the WidgetCo group from doing anything else with queues, so we add a statement that denies permission to any Amazon SQS actions besides SendMessage on any queue besides WidgetPartnerQueue. This is only necessary if there's a broad policy elsewhere in the system that gives Users wide access to Amazon SQS.
{
  "Statement":[{
      "Effect":"Allow",
      "Action":"sqs:SendMessage",
      "Resource":"arn:aws:sqs:*:123456789012:WidgetPartnerQueue"
    },
    {
      "Effect":"Deny",
      "NotAction":"sqs:SendMessage",
      "NotResource":"arn:aws:sqs:*:123456789012:WidgetPartnerQueue"
    }
  ]
}
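Before attaching a policy like this to a group, it is worth tracing exactly which (action, resource) combinations each statement covers. The following added example is not from the guide or from AWS; it is a small evaluator of the standard IAM rules (a statement applies only when both its action element and its resource element match; an explicit Deny wins over any Allow; otherwise the request is implicitly denied) run over the policy above, on its own and alongside a constructed broad Allow of the kind the text says may exist elsewhere. The concrete ARNs and the broad policy are constructed for the example.

```python
import re

# IAM-style matching, reimplemented here for illustration (not AWS's own engine):
# '*' matches any run of characters, '?' exactly one.
def _match(pattern, value):
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def statement_matches(stmt, action, resource):
    """A statement applies only when BOTH its action element and its resource element match.
    NotAction / NotResource match everything except what they list, other services included."""
    if "Action" in stmt:
        action_ok = any(_match(p, action) for p in _as_list(stmt["Action"]))
    else:
        action_ok = not any(_match(p, action) for p in _as_list(stmt["NotAction"]))
    if "Resource" in stmt:
        resource_ok = any(_match(p, resource) for p in _as_list(stmt["Resource"]))
    else:
        resource_ok = not any(_match(p, resource) for p in _as_list(stmt["NotResource"]))
    return action_ok and resource_ok

def evaluate(policies, action, resource):
    """Standard IAM ordering: an explicit Deny wins, otherwise any Allow, otherwise implicit deny."""
    decision = "implicit-deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if statement_matches(stmt, action, resource):
                if stmt["Effect"] == "Deny":
                    return "explicit-deny"
                decision = "allow"
    return decision

# The policy from the guide, as attached to the WidgetCo group.
PARTNER_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "sqs:SendMessage",
         "Resource": "arn:aws:sqs:*:123456789012:WidgetPartnerQueue"},
        {"Effect": "Deny", "NotAction": "sqs:SendMessage",
         "NotResource": "arn:aws:sqs:*:123456789012:WidgetPartnerQueue"},
    ]
}
# A broad policy of the kind the guide says may exist "elsewhere in the system" (constructed).
BROAD_POLICY = {"Statement": [{"Effect": "Allow", "Action": "sqs:*", "Resource": "*"}]}

# Constructed request targets; a real request always names a concrete region.
PARTNER_QUEUE = "arn:aws:sqs:us-east-1:123456789012:WidgetPartnerQueue"
OTHER_QUEUE = "arn:aws:sqs:us-east-1:123456789012:InternalQueue"
S3_OBJECT = "arn:aws:s3:::internal-bucket/report.csv"

def decision_table(policies):
    """Decisions for the combinations that matter when reviewing this policy."""
    cases = [
        ("sqs:SendMessage", PARTNER_QUEUE),
        ("sqs:SendMessage", OTHER_QUEUE),
        ("sqs:DeleteMessage", PARTNER_QUEUE),
        ("sqs:DeleteMessage", OTHER_QUEUE),
        ("s3:GetObject", S3_OBJECT),
    ]
    return {(a, r): evaluate(policies, a, r) for a, r in cases}

if __name__ == "__main__":
    for label, pols in (("partner policy alone", [PARTNER_POLICY]),
                        ("partner + broad policy", [PARTNER_POLICY, BROAD_POLICY])):
        print(label)
        for (a, r), d in decision_table(pols).items():
            print(f"  {a:18} {r.rsplit(':', 1)[-1]:28} {d}")
```

Run on its own, the evaluator shows that the Deny statement fires only when the action is not SendMessage and the resource is not WidgetPartnerQueue at the same time: with the broad Allow attached, sqs:DeleteMessage on WidgetPartnerQueue is still allowed, and SendMessage to other queues is only implicitly denied. Because NotAction is not scoped to a service, the same statement also explicitly denies unrelated actions such as s3:GetObject on other resources. Those are the two properties to confirm against your intent before relying on the statement together with a broad policy.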
Using Temporary Security Credentials
In addition to creating IAM users with their own security credentials, IAM also enables you to grant temporary security credentials to any user, allowing that user to access your AWS services and resources. You can manage users who have AWS accounts; these users are IAM users. You can also manage users for your system who do not have AWS accounts; these users are called federated users. Additionally, "users" can also be applications that you create to access your AWS resources.

You can use these temporary security credentials in making requests to Amazon SQS. The API libraries compute the necessary signature value using those credentials to authenticate your request. If you send requests using expired credentials, Amazon SQS denies the request.

For more information about IAM support for temporary security credentials, go to Granting Temporary Access to Your AWS Resources in Using IAM.
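To make concrete what the API libraries do with temporary credentials, here is an added example that is not from the guide or from an AWS library. It signs a SendMessage request with Signature Version 2 (the signing scheme assumed for the 2009-02-01 API): the temporary secret key feeds the HMAC, the session token rides along as a SecurityToken request parameter, and the client refuses to sign once the credentials' expiration is near, since the service would reject the request anyway. It also shows the receiving side's check, which recomputes the signature and so fails on a wrong key or a tampered parameter. The credentials, endpoint host and queue path are constructed placeholders.

```python
import base64
import hashlib
import hmac
import urllib.parse
from datetime import datetime, timedelta, timezone

# Constructed temporary credentials in the shape STS returns; every value is a placeholder.
TEMP_CREDS = {
    "AccessKeyId": "ASIAEXAMPLETEMPKEYID",
    "SecretAccessKey": "example-temporary-secret-not-a-real-key",
    "SessionToken": "EXAMPLE-SESSION-TOKEN-PLACEHOLDER",
    "Expiration": datetime(2009, 2, 1, 12, 0, tzinfo=timezone.utc),
}
BEFORE_EXPIRY = datetime(2009, 2, 1, 11, 0, tzinfo=timezone.utc)   # constructed clock values
AFTER_EXPIRY = datetime(2009, 2, 1, 13, 0, tzinfo=timezone.utc)

# Assumed SQS endpoint and per-queue path for the 2009-02-01 API (not taken from this page).
SQS_HOST = "queue.amazonaws.com"
QUEUE_PATH = "/123456789012/WidgetPartnerQueue"

def credentials_usable(creds, now, skew=timedelta(minutes=5)):
    """Client-side check: do not sign with credentials that are expired or about to expire."""
    return now + skew < creds["Expiration"]

def _encode(value):
    # RFC 3986 encoding as Signature Version 2 requires; '~' stays literal.
    return urllib.parse.quote(str(value), safe="-_.~")

def string_to_sign(params, host, path, method="POST"):
    """Signature Version 2 canonical form: method, host, path, then the sorted query string."""
    canonical = "&".join(f"{_encode(k)}={_encode(v)}" for k, v in sorted(params.items()))
    return "\n".join([method, host.lower(), path, canonical])

def _signature(secret, sts):
    digest = hmac.new(secret.encode(), sts.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()

def sign_request(creds, params, host=SQS_HOST, path=QUEUE_PATH, now=None):
    """Add identity and signing parameters, then sign with the temporary secret key.
    The session token is sent as SecurityToken so the service can tie the temporary
    key to its session and expiry."""
    now = now or datetime.now(timezone.utc)
    if not credentials_usable(creds, now):
        raise ValueError("temporary credentials expired; obtain new ones from STS")
    signed = dict(params)
    signed.update({
        "AWSAccessKeyId": creds["AccessKeyId"],
        "SecurityToken": creds["SessionToken"],
        "SignatureMethod": "HmacSHA256",
        "SignatureVersion": "2",
        "Timestamp": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    signed["Signature"] = _signature(creds["SecretAccessKey"], string_to_sign(signed, host, path))
    return signed

def verify_request(secret, signed, host=SQS_HOST, path=QUEUE_PATH):
    """Receiving side: recompute over everything except Signature and compare in constant
    time, so a wrong secret or any tampered parameter fails."""
    params = {k: v for k, v in signed.items() if k != "Signature"}
    expected = _signature(secret, string_to_sign(params, host, path))
    return hmac.compare_digest(expected, signed["Signature"])

if __name__ == "__main__":
    req = sign_request(TEMP_CREDS,
                       {"Action": "SendMessage", "MessageBody": "hello partner",
                        "Version": "2009-02-01"},
                       now=BEFORE_EXPIRY)
    print("signature:", req["Signature"])
    print("verifies:", verify_request(TEMP_CREDS["SecretAccessKey"], req))
```

The expiry check is deliberately on the client as well as the service: a request signed with a key that has just expired costs a round trip and produces an authentication failure in the service's logs that looks the same as a bad key, so refreshing from STS a few minutes early keeps both the client and the audit trail clean.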
Example Using Temporary Security Credentials to Authenticate an Amazon SQS Request
The following example demonstrates how to obtain temporary security credentials to authenticate an
Amazon SQS request.
API Version 2009-02-01