
AWS SQS - SpringBoot - 403 Forbidden

I'm trying to access the AWS SQS queue list from a SpringBoot app which is deployed on AWS/EKS, but I am getting a 403 Forbidden error.

Do I have to add something specific to the AWS SQS Access Policy in order to grant access to the client as a producer/consumer?

I am not trying to push into the queue so far, I just want to see the list of the queues.

Thanks in advance

pom.xml

...
<dependency>
    <groupId>com.amazonaws</groupId>
    <artifactId>aws-java-sdk-sqs</artifactId>
</dependency>

AwsSqsController.java

import com.amazonaws.services.sqs.AmazonSQS;
import com.amazonaws.services.sqs.AmazonSQSClientBuilder;
import com.amazonaws.services.sqs.model.ListQueuesResult;
import org.springframework.http.ResponseEntity;
...
public ResponseEntity<ListQueuesResult> readQueueList() {
    // defaultClient() picks up region and credentials from the default provider chain
    // (on EKS that is the role attached to the pod or node, not an explicit key pair)
    AmazonSQS sqs = AmazonSQSClientBuilder.defaultClient();
    ListQueuesResult listOfQueues = sqs.listQueues();
    log.info("List of Queues: {}", listOfQueues);
    return ResponseEntity.ok(listOfQueues);
}

AWS SQS Access Policy

{
  "Version": "2012-10-17",
  "Id": "HCDQueuePolicy",
  "Statement": [
    {
      "Sid": "AlwaysEncrypted",
      "Effect": "Deny",
      "Principal": { "AWS": "*" },
      "Action": "sqs:*",
      "Resource": "arn:aws:sqs:us-east-1:X:queue-name",
      "Condition": { "Bool": { "aws:SecureTransport": "false" } }
    },
    {
      "Sid": "DenyAppOperatorEngineer",
      "Effect": "Deny",
      "Principal": { "AWS": "arn:aws:iam::X:role/role-name" },
      "Action": "sqs:SetQueueAttributes",
      "Resource": "arn:aws:sqs:us-east-1:X:queue-name"
    },
    {
      "Sid": "AlwaysSameOrg",
      "Effect": "Deny",
      "Principal": { "AWS": "*" },
      "Action": "sqs:*",
      "Resource": "arn:aws:sqs:us-east-1:X:queue-name",
      "Condition": {
        "Bool": { "aws:PrincipalIsAWSService": "false" },
        "StringNotEquals": { "aws:PrincipalOrgID": "00000000000" }
      }
    },
    {
      "Sid": "QueueProducerAccess",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::X:role/role-name" },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:X:queue-name",
      "Condition": { "StringEquals": { "aws:sourceVpce": "vpce-X00000" } }
    },
    {
      "Sid": "QueueConsumerAccessViaVpcEndpoint",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::X:role/role-name" },
      "Action": [ "sqs:ReceiveMessage", "sqs:GetQueueAttributes", "sqs:DeleteMessage" ],
      "Resource": "arn:aws:sqs:us-east-1:X:queue-name",
      "Condition": { "StringEquals": { "aws:sourceVpce": "vpce-X00000" } }
    },
    {
      "Sid": "QueueConsumerAccessNotViaVpcEndpoint",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::X:role/role-name" },
      "Action": [ "sqs:ReceiveMessage", "sqs:GetQueueAttributes", "sqs:DeleteMessage" ],
      "Resource": "arn:aws:sqs:us-east-1:X:queue-name"
    },
    {
      "Sid": "QueueAdminAccess",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::X:role/role-name" },
      "Action": "sqs:PurgeQueue",
      "Resource": "arn:aws:sqs:us-east-1:X:queue-name"
    },
    {
      "Sid": "Allow S3 notifications",
      "Effect": "Allow",
      "Principal": { "Service": "s3.amazonaws.com" },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:X:queue-name",
      "Condition": { "StringEquals": { "aws:SourceAccount": "X" } }
    }
  ]
}

That is the biggest policy for an SQS queue I ever saw :D Is this autogenerated by some framework :)?

Yes, you have to explicitly allow to read from the queue.

If I'm not wrong, it is with the following Actions:

    "sqs:ReceiveMessage",
    "sqs:GetQueueAttributes",
    "sqs:DeleteMessage"

You have it in 2 places, so first I would check if the conditions for those Actions are met.

If you are in control of the policy, I would:

  1. make a copy of it
  2. slowly remove security until you can connect
  3. find out why you could not connect originally (obligatory slap yourself on the forehead :)
  4. add the removed security back
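The answer's advice to check which conditions are met can be done offline, without stripping Deny statements from the live queue. The script below is an added example (not from the question, the answer or any AWS library): it embeds a constructed copy of the queue policy above, with the placeholders `X` and `vpce-X00000` kept, and applies the IAM decision order (an explicit Deny wins, otherwise an Allow, otherwise an implicit deny) to a caller, an action and a request context. Only the condition operators the policy actually uses (`Bool`, `StringEquals`, `StringNotEquals`) are implemented, and the role ARN and context values are assumptions. Running it shows two things a reader of this thread wants to know: which statement blocks a ReceiveMessage over plaintext or from outside the organisation, and that `sqs:ListQueues` matches no Allow statement in this policy at all, so the queue policy cannot be what authorizes the `listQueues()` call in the controller; that permission has to come from the IAM role's own identity policy.

```python
import fnmatch

# Constructed copy of the queue policy from the question; ids are the page's placeholders.
QUEUE_ARN = "arn:aws:sqs:us-east-1:X:queue-name"
ROLE_ARN = "arn:aws:iam::X:role/role-name"
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AlwaysEncrypted", "Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "sqs:*",
     "Resource": QUEUE_ARN, "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyAppOperatorEngineer", "Effect": "Deny", "Principal": {"AWS": ROLE_ARN},
     "Action": "sqs:SetQueueAttributes", "Resource": QUEUE_ARN},
    {"Sid": "AlwaysSameOrg", "Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "sqs:*",
     "Resource": QUEUE_ARN, "Condition": {"Bool": {"aws:PrincipalIsAWSService": "false"},
                                          "StringNotEquals": {"aws:PrincipalOrgID": "00000000000"}}},
    {"Sid": "QueueProducerAccess", "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
     "Action": "sqs:SendMessage", "Resource": QUEUE_ARN,
     "Condition": {"StringEquals": {"aws:sourceVpce": "vpce-X00000"}}},
    {"Sid": "QueueConsumerAccessViaVpcEndpoint", "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
     "Action": ["sqs:ReceiveMessage", "sqs:GetQueueAttributes", "sqs:DeleteMessage"],
     "Resource": QUEUE_ARN, "Condition": {"StringEquals": {"aws:sourceVpce": "vpce-X00000"}}},
    {"Sid": "QueueConsumerAccessNotViaVpcEndpoint", "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
     "Action": ["sqs:ReceiveMessage", "sqs:GetQueueAttributes", "sqs:DeleteMessage"],
     "Resource": QUEUE_ARN},
    {"Sid": "QueueAdminAccess", "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
     "Action": "sqs:PurgeQueue", "Resource": QUEUE_ARN},
    {"Sid": "Allow S3 notifications", "Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"},
     "Action": "sqs:SendMessage", "Resource": QUEUE_ARN,
     "Condition": {"StringEquals": {"aws:SourceAccount": "X"}}},
]}

# Assumed caller (the pod's role) and the request context an in-org TLS call would carry.
ROLE_CALLER = {"arn": ROLE_ARN, "service": None}
IN_ORG_TLS = {"aws:SecureTransport": "true", "aws:PrincipalIsAWSService": "false",
              "aws:PrincipalOrgID": "00000000000"}

NEGATED = {"StringNotEquals"}  # negated operators are satisfied when the key is absent


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_matches(principal, caller):
    if principal == "*":
        return True
    for kind, values in principal.items():
        for v in _as_list(values):
            if kind == "AWS" and v in ("*", caller["arn"]):
                return True
            if kind == "Service" and v == caller.get("service"):
                return True
    return False


def _condition_matches(condition, ctx):
    # Every operator/key pair must hold; unknown operators are treated like StringEquals.
    for op, kv in condition.items():
        for key, want in kv.items():
            have = ctx.get(key)
            if have is None:
                if op in NEGATED:
                    continue
                return False
            wants = [str(w) for w in _as_list(want)]
            if op == "Bool":
                have, wants = str(have).lower(), [w.lower() for w in wants]
            hit = str(have) in wants
            if op in NEGATED:
                hit = not hit
            if not hit:
                return False
    return True


def evaluate(policy, caller, action, resource, ctx):
    """Return (decision, matching sids) using explicit-deny > allow > implicit-deny."""
    matched = {"Allow": [], "Deny": []}
    for st in policy["Statement"]:
        if not _principal_matches(st["Principal"], caller):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _condition_matches(st.get("Condition", {}), ctx):
            continue
        matched[st["Effect"]].append(st["Sid"])
    if matched["Deny"]:
        return "Deny", matched["Deny"]
    if matched["Allow"]:
        return "Allow", matched["Allow"]
    return "ImplicitDeny", []


def check(action, ctx=IN_ORG_TLS):
    """Evaluate one SQS action for the pod role against the queue under a given context."""
    return evaluate(POLICY, ROLE_CALLER, action, QUEUE_ARN, ctx)


if __name__ == "__main__":
    plaintext = dict(IN_ORG_TLS, **{"aws:SecureTransport": "false"})
    outside_org = {k: v for k, v in IN_ORG_TLS.items() if k != "aws:PrincipalOrgID"}
    for label, action, ctx in [("ListQueues, in org, TLS", "sqs:ListQueues", IN_ORG_TLS),
                               ("ReceiveMessage, in org, TLS", "sqs:ReceiveMessage", IN_ORG_TLS),
                               ("ReceiveMessage, plaintext", "sqs:ReceiveMessage", plaintext),
                               ("ReceiveMessage, no org id", "sqs:ReceiveMessage", outside_org)]:
        print(f"{label:32} -> {check(action, ctx)}")
```

Each scenario names the statement that decided it, so you can tell a condition that is not met (for example a missing `aws:sourceVpce`, which silently disables the `...ViaVpcEndpoint` allows) from an action the policy never grants, which is what the question's `sqs:ListQueues` case turns out to be.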

Guangdong ICP Filing No. 18138465  © 2020-2024 STACKOOM.COM