1 回答
- 最新
- 投票最多
- 评论最多
1
CreateMoveTask is a hidden API that apparently is on the list to be made public at some point. It would use permissions as defined in https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsqs.html.
In https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-dead-letter-queue-redrive.html it provides the minimum queue permissions needed to start a redrive:
- Add the sqs:ReceiveMessage, sqs:DeleteMessage and sqs:GetQueueAttributes of the dead-letter queue. If the dead-letter queue is encrypted (also known as an SSE queue), kms:Decrypt is also required.
- Add the sqs:SendMessage of the destination queue. If the destination queue is encrypted, kms:GenerateDataKey and kms:Decrypt are also required.
So as of right now it isn't possible to grant this
sqs:CreateMoveTaskpermission to an IAM role and therefore isn't possible to allow the DLQ redrive feature without admin access?There's not always a 1:1 correspondence of API calls and permissions. Think of CreateMoveTask as a high-level function that uses lower-level functions (Receive, Delete, GetQueueAttributes, Send) that have corresponding permissions. If you set up the queue permissions I listed above, plus permissions for the same on your IAM principal then it should work OK.
Right, I did set up the permissions listed in the "Configuring a dead-letter queue redrive" article you linked but the IAM role is still unable to perform the DLQ redrive. I even tried granting
sqs:*on the deadletter and the destination queue for the principal but it still receives a permission error onCreateMoveTask. This makes me think there is potentially another permission that needs to be granted outside of thesqsscope but it's not documented anywhere.