How do I troubleshoot "AccessDenied" or "AccessDeniedException" errors on Amazon SQS API calls?
4 minute read
I ran an Amazon Simple Queue Service (Amazon SQS) API call and received an “AccessDenied” error.
When I run an Amazon SQS API call, I receive an "AccessDenied" or "AccessDeniedException" error similar to the following:
"An error occurred (AccessDenied) when calling the SendMessage operation: Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied."
"An error occurred (KMS.AccessDeniedException) when calling the SendMessage operation: User: arn:aws:iam::xxxxx:user/xxxx is not authorized to perform: kms:GenerateDataKey on resource: arn:aws:kms:us-east-1:xxxx:key/xxxx with an explicit deny."
If your Amazon SQS queue has server-side encryption (SSE) turned on, then permissions must be granted to both producers and consumers. The required permissions are provided with an AWS managed AWS KMS key or a customer managed key. A customer managed key policy must include access permissions for each queue producer and consumer. Or, update the IAM policy to include the required AWS KMS permissions for the AWS KMS key.
To access an SSE Amazon SQS queue from a different account, the queue must use a customer managed key. You can't use an AWS managed key because only customer managed key policies can be modified. The AWS KMS key policy must allow cross account access of the AWS KMS key. The IAM policy must include permissions to access the AWS KMS key.
This example VPC endpoint policy specifies that the IAM user MyUser is allowed to send messages to the SQS queue MyQueue. Other actions, IAM users, and SQS resources are denied access through the VPC endpoint.