What permissions are required for IAM role to perform SQS DLQ redrive?

0

I have granted the following permissions for the IAM role on the deadletter queue:

sqs:DeleteMessage
sqs:GetQueueAttributes
sqs:ListDeadLetterSourceQueues
sqs:PurgeQueue
sqs:ReceiveMessage
sqs:SendMessage

And I have granted the following permissions for the IAM role on the source (destination) queue:

sqs:SendMessage

However, when trying to start the DLQ redrive via the AWS console UI, it shows an error

Failed to create redrive task.
Error code: AccessDenied

Upon viewing the browser developer console, the SQS API POST call is getting 403 Forbidden on Action=CreateMoveTask.

The permission sqs:CreateMoveTask does not exist to grant to the IAM role, so I am confused as to what permissions need to be granted to allow a DLQ redrive.

1 Answer
1

CreateMoveTask is a hidden API that apparently is on the list to be made public at some point. It would use permissions as defined in https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsqs.html.

In https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-dead-letter-queue-redrive.html it provides the minimum queue permissions needed to start a redrive:

  • Add the sqs:ReceiveMessage, sqs:DeleteMessage and sqs:GetQueueAttributes of the dead-letter queue. If the dead-letter queue is encrypted (also known as an SSE queue), kms:Decrypt is also required.
  • Add the sqs:SendMessage of the destination queue. If the destination queue is encrypted, kms:GenerateDataKey and kms:Decrypt are also required.
EXPERT
answered 2 years ago
  • So as of right now it isn't possible to grant this sqs:CreateMoveTask permission to an IAM role and therefore isn't possible to allow the DLQ redrive feature without admin access?

  • There's not always a 1:1 correspondence of API calls and permissions. Think of CreateMoveTask as a high-level function that uses lower-level functions (Receive, Delete, GetQueueAttributes, Send) that have corresponding permissions. If you set up the queue permissions I listed above, plus permissions for the same on your IAM principal then it should work OK.

  • Right, I did set up the permissions listed in the "Configuring a dead-letter queue redrive" article you linked but the IAM role is still unable to perform the DLQ redrive. I even tried granting sqs:* on the deadletter and the destination queue for the principal but it still receives a permission error on CreateMoveTask. This makes me think there is potentially another permission that needs to be granted outside of the sqs scope but it's not documented anywhere.
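Added example, not from the post or from AWS: a manual redrive that uses only the queue-level calls covered by the permissions in the linked guide (Receive/Delete/GetQueueAttributes on the dead-letter queue, Send on the destination), i.e. the lower-level functions the answer says CreateMoveTask is built from. `sqs` is assumed to be a boto3 SQS client; `FakeSQS` is a constructed in-memory stand-in so the block runs without AWS access.

```python
def redrive_dlq(sqs, dlq_url, dest_url, max_batches=100):
    """Move every message from dlq_url to dest_url; returns the count moved.
    Standard queues only (a FIFO destination also needs MessageGroupId).
    Send first, delete after: a failed send leaves the message in the DLQ
    (visible again after the visibility timeout) rather than losing it."""
    # sqs:GetQueueAttributes on the DLQ: cheap pre-check, surfaces AccessDenied early
    attrs = sqs.get_queue_attributes(
        QueueUrl=dlq_url, AttributeNames=["ApproximateNumberOfMessages"])
    if int(attrs["Attributes"]["ApproximateNumberOfMessages"]) == 0:
        return 0
    moved = 0
    for _ in range(max_batches):
        # sqs:ReceiveMessage on the DLQ
        resp = sqs.receive_message(QueueUrl=dlq_url, MaxNumberOfMessages=10,
                                   MessageAttributeNames=["All"], WaitTimeSeconds=1)
        messages = resp.get("Messages", [])
        if not messages:
            break
        for msg in messages:
            # sqs:SendMessage on the destination; message attributes copied across
            kwargs = {"QueueUrl": dest_url, "MessageBody": msg["Body"]}
            if msg.get("MessageAttributes"):
                kwargs["MessageAttributes"] = msg["MessageAttributes"]
            sqs.send_message(**kwargs)
            # sqs:DeleteMessage on the DLQ, only now that the copy exists
            sqs.delete_message(QueueUrl=dlq_url, ReceiptHandle=msg["ReceiptHandle"])
            moved += 1
    return moved


class FakeSQS:
    """Constructed in-memory stand-in for the boto3 SQS client (offline demo only)."""
    def __init__(self, queues):  # queues: {url: [(body, attributes), ...]}
        self.queues = {url: list(msgs) for url, msgs in queues.items()}
        self.inflight, self._n = {}, 0
    def get_queue_attributes(self, QueueUrl, AttributeNames):
        n = str(len(self.queues[QueueUrl]))
        return {"Attributes": {"ApproximateNumberOfMessages": n}}
    def receive_message(self, QueueUrl, MaxNumberOfMessages=1, **_):
        out = []
        for body, attrs in self.queues[QueueUrl][:MaxNumberOfMessages]:
            self._n += 1
            self.inflight[f"rh-{self._n}"] = (QueueUrl, (body, attrs))
            out.append({"Body": body, "MessageAttributes": attrs, "ReceiptHandle": f"rh-{self._n}"})
        return {"Messages": out}
    def send_message(self, QueueUrl, MessageBody, MessageAttributes=None):
        self.queues[QueueUrl].append((MessageBody, MessageAttributes or {}))
    def delete_message(self, QueueUrl, ReceiptHandle):
        url, item = self.inflight.pop(ReceiptHandle)
        self.queues[url].remove(item)
```

With a real client, `redrive_dlq(boto3.client("sqs"), dlq_url, dest_url)` needs exactly the four queue-level actions named in the comments (plus the kms:Decrypt / kms:GenerateDataKey the guide lists for encrypted queues), so an AccessDenied from it points at a specific missing permission.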
