AWS IAM policy for SQS

I am trying to add a policy to an existing iam user that can already perform crud on two s3 buckets here is the currently working policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "devcontrol",
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:Put*",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::blahimages/*",
        "arn:aws:s3:::blahvideos/*"
      ]
    }
  ]
}

An example policy from the documents for sqs is this

{
   "Version": "2012-10-17",
   "Statement":[{
      "Effect":"Allow",
      "Action":"sqs:*",
      "Resource":"arn:aws:sqs:*:123456789012:bob_queue*"
      }
   ]
}

So I tried this

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "devcontrol",
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:Put*",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion"
       ],
       "Resource": [
         "arn:aws:s3:::blahimages/*",
         "arn:aws:s3:::blahvideos/*"
        ]
     },
     {
       "Effect":"Allow",
       "Action":"sqs:*",
       "Resource":"arn:aws:sqs:*:myarn"
      }
    ]
  }

I did not get any parse errors but the simulator was still returning denied for the sqs queue

Also really I just want this user to be able to add messages to the queue, receive them and delete them whereas the above policy would add all actions I believe


Your SQS ARN is invalid : "arn:aws:sqs:*:myarn" .

You should use arn:aws:sqs:<region name>:<account id>:<queue name> instead. (you're missing the <account id> ).

The region name might be replaced by a * if you want your policy to be valid in multiple regions. But the account id is mandatory as Queue names are unique within an AWS Master Account and Region only.

See http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/SQSExamples.html for example of valid SQS policies.

链接地址: http://www.djcxy.com/p/20102.html

上一篇: IOS

下一篇: 适用于SQS的AWS IAM策略