How can I give a role permission to call my SQS que?

Question

I currently have an Account A that is calling account B (my current account) and assuming a role that gives it permissions to perform operations on SQS such as encrypt and publish messages.

I had to manually modify the SQS permissions to get it to work and allow root access to the current account that the assume role is in.

The issue is, this is overly permissive permissions and I do not want root account access to the SQS if I can avoid it.

I'm wondering if I can add the policy to only accept the role that's being assumed, opposed to a root user credenetial. Is it possible to add a ROLE in place of the USER or will I need to create another user with the role that's being assumed for this to work?

For example, here's my policy

```

{
  "Version": "2012-10-17",
  "Id": "Queue1_Policy_UUID",
  "Statement": [
    {
      "Sid": "Que",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam:::root"
      },
      "Action": "sqs:*",
      "Resource": "arn:aws:sqs:us-east-1::"
    }
  ]
}
```

Accepted Answer

Assuming you still want to use SQS Policies, you should be able to set one up that grants access to a certain role or user from a given account as illustrated in the example below:

```
{
   "Version": "2012-10-17",
   "Id": "Queue1_Policy_UUID",
   "Statement": [{
      "Sid":"Queue1_AllActions",
      "Effect": "Allow",
      "Principal": {
         "AWS": [
            "arn:aws:iam::111122223333:role/role1",
            "arn:aws:iam::111122223333:user/username1"
         ]
      },
      "Action": "sqs:*",
      "Resource": "arn:aws:sqs:us-east-2:123456789012:queue1"
   }]
}
```

You can find more information in the [documentation](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-basic-examples-of-sqs-policies.html)

How can I give a role permission to call my SQS que?

相关内容