How to Set the Principal to 437568002678 for Amazon SQS Queue permissions


#1

Mentioned in MWS DOCS:
link

  1. Log in to the Amazon Web Services (AWS) Management Console using your Amazon AWS username and password.
  2. Click SQS to open the Amazon SQS Management Console.
  3. Select the standard queue from which you want to receive notifications.
  4. Click the Permissions tab.
  5. Click Add a Permission.
  6. In the dialog that opens: set the Effect to Allow. Set the Principal to 437568002678. Set the Actions to SendMessage and GetQueueAttributes. Finally, click Add Permission to save your changes.

But the SQS console panel has been modified. How should I configure it now?

I don’t know much about SQS, so I hope to get help.
Some of my settings are like this, but I got an error
“InvalidAttributeValue: Invalid value for the parameter Policy.”

{
  "Sid": "__owner_statement",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::437568002678:root"
  },
  "Action": "SQS:*",
  "Resource": "arn:aws:sqs:(here is my queue address)"
},


#2

I agree that the new interface isn’t any easier to use.

Using the basic method, under Define who can send messages to the queue
add
arn:aws:iam::437568002678:root

Then click over to the advanced json view, scroll to the bottom statement (there will be two permissions statements now, the first being owner with all permissions), and add
"SQS:GetQueueAttributes" to the new statement under the "SQS:SendMessage", line (don’t forget the trailing comma)

The final result will look like this:

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__owner_statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "(your account)"
      },
      "Action": [
        "SQS:*"
      ],
      "Resource": "arn:aws:sqs:(region:account:queuename)"
    },
    {
      "Sid": "__sender_statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::437568002678:root"
        ]
      },
      "Action": [
        "SQS:SendMessage",
        "SQS:GetQueueAttributes"
      ],
      "Resource": "arn:aws:sqs:(region:account:queuename)"
    }
  ]
}

My working JSON permissions from the old setup look like this:

{
  "Version": "2012-10-17",
  "Id": "arn:aws:sqs:(region:account:queuename)/SQSDefaultPolicy",
  "Statement": [
    {
      "Sid": "any-unique-name",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::437568002678:root"
      },
      "Action": [
        "SQS:SendMessage",
        "SQS:GetQueueAttributes"
      ],
      "Resource": "arn:aws:sqs:(region:account:queuename)"
    }
  ]
}

The main difference between the old and the new ways is that with my old setup I have to explicitly add permissions to processes in my account to access the queue. I prefer this, since only a few Lambda functions need access.

Happy message subscribing!
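
An offline check for the queue policies discussed in this thread, added here as an example (it is not code from any poster or from AWS): it flags typographic quotes that make the JSON invalid and any statement that gives an outside account more than `SendMessage` and `GetQueueAttributes`, such as a statement granting `SQS:*` to 437568002678. The owner account 111122223333, the sample queue ARN and the function names are assumptions.

```python
import json

# Added example. Constructed values: owner account 111122223333, the sample
# queue ARN, and all function names. From the thread: the principal and actions.
MWS_PRINCIPAL = "arn:aws:iam::437568002678:root"
REQUIRED = {"sqs:sendmessage", "sqs:getqueueattributes"}
SMART_QUOTES = "\u201c\u201d\u2018\u2019"

def as_list(value):  # policy fields hold one string or a list of strings
    return value if isinstance(value, list) else [value]

def check_queue_policy(policy_text, owner_account):
    """Return a list of findings for an SQS queue access policy."""
    if any(ch in policy_text for ch in SMART_QUOTES):
        return ["typographic quotes found; JSON needs straight double quotes"]
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} (line {exc.lineno})"]
    findings, mws_seen = [], False
    owner_prefix = f"arn:aws:iam::{owner_account}:"
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        actions = {a.lower() for a in as_list(stmt.get("Action", []))}
        extra = sorted(actions - REQUIRED)
        for p in as_list(aws):
            if p == owner_account or p.startswith(owner_prefix):
                continue  # the queue owner may keep full access
            mws_seen = mws_seen or p == MWS_PRINCIPAL
            if p == "*":
                findings.append(f"{sid}: queue is open to every AWS principal")
            elif extra:
                findings.append(f"{sid}: {p} is granted more than needed: {extra}")
            elif p == MWS_PRINCIPAL and actions != REQUIRED:
                findings.append(f"{sid}: {p} is missing {sorted(REQUIRED - actions)}")
    if not mws_seen:
        findings.append(f"no Allow statement names {MWS_PRINCIPAL}")
    return findings

# Constructed sample: the external account is granted SQS:* instead of two actions.
SAMPLE = json.dumps({"Statement": [{"Sid": "__sender_statement", "Effect": "Allow",
    "Principal": {"AWS": MWS_PRINCIPAL}, "Action": "SQS:*",
    "Resource": "arn:aws:sqs:us-west-1:111122223333:example-queue"}]})
print(check_queue_policy(SAMPLE, "111122223333"))
```

An empty list means the policy gives the notification sender exactly the two actions and nothing else to any other outside principal.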


#3

Thanks Autonomoose.
I have solved this problem.
The region I have always selected is Hong Kong. When I set "AWS": "arn:aws:iam::437568002678:root", the console reports an error: InvalidAttributeValue: Invalid value for the parameter Policy.
However, when I switch the region to California and apply the same settings, it works.
Thank you very much for your reply. Have a good day.