1 Answer
CreateMoveTask is a hidden API that apparently is on the list to be made public at some point. It would use permissions as defined in https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsqs.html.
In https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-dead-letter-queue-redrive.html it provides the minimum queue permissions needed to start a redrive:
- Add the sqs:ReceiveMessage, sqs:DeleteMessage and sqs:GetQueueAttributes of the dead-letter queue. If the dead-letter queue is encrypted (also known as an SSE queue), kms:Decrypt is also required.
- Add the sqs:SendMessage of the destination queue. If the destination queue is encrypted, kms:GenerateDataKey and kms:Decrypt are also required.
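As an added illustration that is not part of the answer or of the AWS documentation, this is an identity-based IAM policy for the redriving principal that grants exactly the permission set listed above; REGION, ACCOUNT_ID, the queue names and the KMS key IDs are placeholders. Restricting the KMS statements with the kms:ViaService condition, so the keys can only be used through SQS, is an added tightening rather than something the thread calls for.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReceiveAndDeleteFromDeadLetterQueue",
      "Effect": "Allow",
      "Action": [
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage",
        "sqs:GetQueueAttributes"
      ],
      "Resource": "arn:aws:sqs:REGION:ACCOUNT_ID:my-dlq"
    },
    {
      "Sid": "SendToDestinationQueue",
      "Effect": "Allow",
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:REGION:ACCOUNT_ID:my-source-queue"
    },
    {
      "Sid": "DecryptEncryptedDeadLetterQueue",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:REGION:ACCOUNT_ID:key/DLQ_KEY_ID",
      "Condition": {
        "StringEquals": { "kms:ViaService": "sqs.REGION.amazonaws.com" }
      }
    },
    {
      "Sid": "EncryptForEncryptedDestinationQueue",
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:kms:REGION:ACCOUNT_ID:key/DESTINATION_KEY_ID",
      "Condition": {
        "StringEquals": { "kms:ViaService": "sqs.REGION.amazonaws.com" }
      }
    }
  ]
}
```

The answer also expects matching resource-based queue policies on both queues; the comments further down report that this set alone did not clear the asker's error.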
So as of right now it isn't possible to grant this sqs:CreateMoveTask permission to an IAM role and therefore isn't possible to allow the DLQ redrive feature without admin access?
There's not always a 1:1 correspondence of API calls and permissions. Think of CreateMoveTask as a high-level function that uses lower-level functions (Receive, Delete, GetQueueAttributes, Send) that have corresponding permissions. If you set up the queue permissions I listed above, plus permissions for the same on your IAM principal, then it should work OK.
Right, I did set up the permissions listed in the "Configuring a dead-letter queue redrive" article you linked, but the IAM role is still unable to perform the DLQ redrive. I even tried granting sqs:* on the dead-letter and the destination queue for the principal, but it still receives a permission error on CreateMoveTask. This makes me think there is potentially another permission that needs to be granted outside of the sqs scope, but it's not documented anywhere.