Issue connecting to AWS SQS using IAM Role with Boto 2.38

Question

I cannot authenticate to AWS Simple Queue Service (SQS) from an EC2 instance using its associated IAM Role with Boto 2.38 library (and Python 3 ).

I couldn't find anything specific on documentation about it, but as far as I could understand from examples and other questions around, it was supposed to work just opening a connection like this.

conn = boto.sqs.connect_to_region('us-east-1')
queue = conn.get_queue('my_queue')

Instead, I get a null object from the connect method, unless I provide credentials on my environment, or explicitly to the method.

I'm pretty sure my role is ok, because it works for other services like S3 , describing EC2 tags, sending metrics to CloudWatch , etc, all transparently. My SQS policy is like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SQSFullAccess",
      "Effect": "Allow",
      "Action": [
        "sqs:*"
      ],
      "Resource": [
        "arn:aws:sqs:us-east-1:<account_id>:<queue_name1>",
        "arn:aws:sqs:us-east-1:<account_id>:<queue_name2>"
      ]
    }
  ]
}

In order to get rid of any suspicion about my policy, I even associated a FullAdmin policy to my role temporarily, without success.

I also verified that it won't work with AWS CLI as well (which, as far as I know, uses Boto as well). So, the only conclusion I could come up with is that this is a Boto issue with SQS client.

Would anyone have a different experience with it? I know that switching to Boto 3 would probably solve it, but I don't consider doing it right now and if it is really a bug, I think it should be reported on git, anyway.

Thanks.

Answer 1

Answering myself.

Boto's 2.38 SQS client does work with IAM Roles. I had a bug in my application.

As for AWS CLI, a credential file ( ~/.aws/credentials ) was present in my local account, and being used instead of the instance's role, because the role is the last one to be looked up by the CLI.