What permissions are required for IAM role to perform SQS DLQ redrive?

0

I have granted the following permissions for the IAM role on the deadletter queue:

sqs:DeleteMessage
sqs:GetQueueAttributes
sqs:ListDeadLetterSourceQueues
sqs:PurgeQueue
sqs:ReceiveMessage
sqs:SendMessage

And I have granted the following permissions for the IAM role on the source (destination) queue:

sqs:SendMessage

However, when trying to start the DLQ redrive via the AWS console UI, it shows an error

Failed to create redrive task.
Error code: AccessDenied

Upon viewing the browser developer console, the SQS API POST call is getting 403 Forbidden on Action=CreateMoveTask.

The permission sqs:CreateMoveTask does not exist to grant to the IAM role, so I am confused as to what permissions need to be granted to allow a DLQ redrive.

1 Answer
1

CreateMoveTask is a hidden API that apparently is on the list to be made public at some point. It would use permissions as defined in https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsqs.html.

https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-dead-letter-queue-redrive.html provides the minimum queue permissions needed to start a redrive:

  • Add the sqs:ReceiveMessage, sqs:DeleteMessage and sqs:GetQueueAttributes of the dead-letter queue. If the dead-letter queue is encrypted (also known as an SSE queue), kms:Decrypt is also required.
  • Add the sqs:SendMessage of the destination queue. If the destination queue is encrypted, kms:GenerateDataKey and kms:Decrypt are also required.
EXPERT
answered a year ago
  • So as of right now it isn't possible to grant this sqs:CreateMoveTask permission to an IAM role and therefore isn't possible to allow the DLQ redrive feature without admin access?

  • There's not always a 1:1 correspondence of API calls and permissions. Think of CreateMoveTask as a high-level function that uses lower-level functions (Receive, Delete, GetQueueAttributes, Send) that have corresponding permissions. If you set up the queue permissions I listed above, plus permissions for the same on your IAM principal then it should work OK.

  • Right, I did set up the permissions listed in the "Configuring a dead-letter queue redrive" article you linked but the IAM role is still unable to perform the DLQ redrive. I even tried granting sqs:* on the deadletter and the destination queue for the principal but it still receives a permission error on CreateMoveTask. This makes me think there is potentially another permission that needs to be granted outside of the sqs scope but it's not documented anywhere.
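To make the minimum-permission list from the answer checkable, here is an added example (not from the original thread, AWS, or its documentation) that builds the least-privilege identity policy for a given dead-letter queue and destination queue and reports which of those required grants an existing policy lacks. The queue and KMS key ARNs are constructed placeholders, and the matcher only evaluates Allow statements (explicit Deny and condition keys are ignored).

```python
# Added example: least-privilege policy for a DLQ redrive, plus a checker that
# reports missing grants. All ARNs are constructed, not real resources.
import json

# Minimum actions per the SQS developer guide quoted in the answer.
DLQ_ACTIONS = ("sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes")
DEST_ACTIONS = ("sqs:SendMessage",)
KMS_ACTIONS = ("kms:Decrypt", "kms:GenerateDataKey")  # only for SSE-KMS queues


def build_redrive_policy(dlq_arn, dest_arn, kms_key_arn=None):
    """Return an IAM policy document granting only what a redrive needs."""
    statements = [
        {"Effect": "Allow", "Action": list(DLQ_ACTIONS), "Resource": dlq_arn},
        {"Effect": "Allow", "Action": list(DEST_ACTIONS), "Resource": dest_arn},
    ]
    if kms_key_arn:
        # Encrypted queues additionally need access to the key, as the answer notes.
        statements.append({"Effect": "Allow", "Action": list(KMS_ACTIONS),
                           "Resource": kms_key_arn})
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allows(policy, action, resource):
    """True if any Allow statement covers action on resource ('*' and 'sqs:*' ok).
    Explicit Deny statements and Condition blocks are deliberately not modelled."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        act_ok = any(a == "*" or a == action or
                     (a.endswith("*") and action.startswith(a[:-1]))
                     for a in _as_list(st["Action"]))
        res_ok = any(r == "*" or r == resource for r in _as_list(st["Resource"]))
        if act_ok and res_ok:
            return True
    return False


def missing_redrive_permissions(policy, dlq_arn, dest_arn):
    """List the (action, resource) pairs a redrive needs that the policy lacks."""
    required = [(a, dlq_arn) for a in DLQ_ACTIONS] + [(a, dest_arn) for a in DEST_ACTIONS]
    return [(a, r) for a, r in required if not _allows(policy, a, r)]


if __name__ == "__main__":
    dlq = "arn:aws:sqs:us-east-1:123456789012:orders-dlq"   # constructed
    dest = "arn:aws:sqs:us-east-1:123456789012:orders"      # constructed
    print(json.dumps(build_redrive_policy(dlq, dest), indent=2))
    print(missing_redrive_permissions(build_redrive_policy(dlq, dest), dlq, dest))  # []
```

Run against the grants listed in the question (the DLQ actions plus sqs:SendMessage on the destination), the checker returns an empty list, which matches the answer's point that the documented minimum is already met.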
