How to grant access to SQS in Serverless.yml


#1

I am trying to grant access to an SQS queue through the serverless.yml. Below is the applicable part of serverless.yml granting permission (I've changed my id and queue name for obvious reasons). Am I formatting the arn improperly somehow?

provider:
  name: aws
  runtime: python3.6

  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "sqs:SendMessage"
        - "sqs:GetQueueUrl"
        - "sqs:ListQueues"
      Resource: "arn:aws:sqs:us-east-1:000000000000:MyQueue.fifo"

If I use this wildcard resource it works without error

      Resource: "arn:aws:sqs:us-east-1::

If I use the commented wildcard Resource line instead, the code works. The Python code throwing the error is:

for queue in sqs.queues.all():
    print(queue.url)

The error being thrown is:

"errorMessage": "An error occurred (AccessDenied) when calling the ListQueues operation: Access to the resource https://queue.amazonaws.com/ is denied.",
"errorType": "ClientError"


#2

See http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-api-permissions-reference.html

You need to grant sqs:ListQueues to arn:aws:sqs:region:account_id:* while the other permissions can be granted to individual queues.
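To make the point concrete, here is an added example (not code from this thread or from the Serverless project) that writes both policies as Python dicts mirroring the iamRoleStatements above, then runs a small, simplified model of IAM's Resource matching over the three calls the function makes. The ARN, account id and queue name are the placeholder values from the question. The model is an assumption: it handles only `*`/`?` wildcards and Allow/Deny, no Condition keys, and it represents the account-level ListQueues request as targeting `arn:aws:sqs:us-east-1:000000000000:*`, matching the resource the permissions reference says ListQueues must be granted on.

```python
"""Simplified IAM resource/action matching for the SQS policy in this thread.

Added example; not the poster's or the Serverless project's code.
Models IAM wildcard matching ('*' = any sequence, '?' = one character),
Allow/Deny with explicit-Deny precedence, and no Condition keys.
"""
import re

# Placeholder values from the question (constructed, not a real account)
ACCOUNT = "000000000000"
REGION = "us-east-1"
QUEUE_ARN = f"arn:aws:sqs:{REGION}:{ACCOUNT}:MyQueue.fifo"
ACCOUNT_QUEUES = f"arn:aws:sqs:{REGION}:{ACCOUNT}:*"

# Policy as originally posted: every action scoped to the single queue.
ORIGINAL_STATEMENTS = [
    {
        "Effect": "Allow",
        "Action": ["sqs:SendMessage", "sqs:GetQueueUrl", "sqs:ListQueues"],
        "Resource": QUEUE_ARN,
    },
]

# Least-privilege split: queue-level actions stay on the queue ARN,
# ListQueues (an account-level operation) gets the account-wide wildcard.
FIXED_STATEMENTS = [
    {
        "Effect": "Allow",
        "Action": ["sqs:SendMessage", "sqs:GetQueueUrl"],
        "Resource": QUEUE_ARN,
    },
    {
        "Effect": "Allow",
        "Action": ["sqs:ListQueues"],
        "Resource": ACCOUNT_QUEUES,
    },
]


def iam_match(pattern, value, ignore_case=False):
    """Match an IAM pattern against a value: '*' any run, '?' one char, rest literal."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch("".join(parts), value, flags) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(statements, action, resource):
    """Return True if some Allow statement matches and no Deny statement does.

    Action names are matched case-insensitively (as IAM does); resource ARNs
    are matched case-sensitively.
    """
    allowed = False
    for stmt in statements:
        if not any(iam_match(a, action, ignore_case=True) for a in _as_list(stmt["Action"])):
            continue
        if not any(iam_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit Deny always wins
        allowed = True
    return allowed


def check_function_calls(statements):
    """Evaluate the three calls the Lambda in the question makes.

    Assumption: ListQueues carries no queue ARN in the request, so it is
    modelled here as targeting the account-wide SQS resource.
    """
    calls = {
        "sqs:SendMessage": QUEUE_ARN,
        "sqs:GetQueueUrl": QUEUE_ARN,
        "sqs:ListQueues": ACCOUNT_QUEUES,
    }
    return {action: is_allowed(statements, action, res) for action, res in calls.items()}


if __name__ == "__main__":
    print("original:", check_function_calls(ORIGINAL_STATEMENTS))
    print("fixed:   ", check_function_calls(FIXED_STATEMENTS))
```

Running it shows the original policy allowing SendMessage and GetQueueUrl but denying ListQueues, which is the AccessDenied seen in the question, while the split policy allows all three without widening SendMessage beyond the one queue. Dropping the ListQueues call entirely, as the original poster ended up doing, lets the second statement be removed altogether.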


#3

@buggy thanks for the response. That is correct. I had found it in the documentation. It makes sense that you would need permission to all the queues in order to list them out. I refactored my application so I don't use that method anymore, thus reducing the rights the role needs in order to execute the function.