(aws-sqs): Granting "send message" doesn't grant SendMessageBatch privileges
Granting “send message” doesn’t grant sqs:SendMessageBatch privileges.
Reproduction Steps
from aws_cdk import core, aws_sqs as sqs

# Inside a Stack/Construct; lambdaFunction is an existing aws_lambda.Function.
queue = sqs.Queue(
    self, "items",
    visibility_timeout=core.Duration.seconds(300),
)
queue.grant_send_messages(lambdaFunction)
What did you expect to happen?
I expected that all SQS API actions for sending messages would be included in the inline policy attached to the Lambda function’s role.
What actually happened?
Only sqs:SendMessage, sqs:GetQueueAttributes, and sqs:GetQueueUrl were granted to the Lambda function.
{
    "Action": [
        "sqs:SendMessage",
        "sqs:GetQueueAttributes",
        "sqs:GetQueueUrl"
    ],
    "Resource": "arn:aws:sqs:us-east-1:489466759351:whatsnew-app-items07D08F4B-L3JMVWUZHL4G",
    "Effect": "Allow"
}
Environment
- CDK CLI Version : 1.104.0 (build 44d3383)
- Framework Version:
- Node.js Version: v16.1.0
- OS : MacOS
- Language (Version): Python 3.7
Other
This is 🐛 Bug Report
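As an added example (not code from the issue or from the CDK project), here is a small policy check that takes the inline policy statement reported above and asks which SQS API operations it authorizes. It encodes the rule quoted from the Boto3 docs further down the page, that a batch operation is authorized by the IAM action of its single-message counterpart (there is no separate sqs:SendMessageBatch action); the evaluator itself is a deliberate simplification (Allow/Deny and wildcards only, no Condition, NotAction or NotResource).

```python
from fnmatch import fnmatchcase

# The inline policy statement from this issue, restated as a policy document.
QUEUE_ARN = "arn:aws:sqs:us-east-1:489466759351:whatsnew-app-items07D08F4B-L3JMVWUZHL4G"
GRANTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["sqs:SendMessage", "sqs:GetQueueAttributes", "sqs:GetQueueUrl"],
        "Resource": QUEUE_ARN,
    }],
}

# SQS batch operations are authorized by the IAM action of their single-message
# counterpart; there is no separate sqs:SendMessageBatch action (the same rule
# the Boto3 docs quoted on this page give for queue policies).
BATCH_TO_BASE = {
    "SendMessageBatch": "SendMessage",
    "DeleteMessageBatch": "DeleteMessage",
    "ChangeMessageVisibilityBatch": "ChangeMessageVisibility",
}


def required_action(api_operation: str) -> str:
    """IAM action name that authorizes a given SQS API operation."""
    return "sqs:" + BATCH_TO_BASE.get(api_operation, api_operation)


def _matches(value: str, patterns, case_sensitive: bool) -> bool:
    """IAM-style '*' / '?' matching; action names are case-insensitive, ARNs are not."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if not case_sensitive:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def is_allowed(policy: dict, api_operation: str, queue_arn: str) -> bool:
    """Simplified IAM evaluation (assumption): an explicit Deny wins, otherwise
    any matching Allow grants; Condition/NotAction/NotResource are not modelled."""
    needed = required_action(api_operation)
    decision = False
    for stmt in policy["Statement"]:
        if not (_matches(needed, stmt.get("Action", []), False)
                and _matches(queue_arn, stmt.get("Resource", []), True)):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            decision = True
    return decision
```

Run against the issue's policy, SendMessage and SendMessageBatch both come out allowed on the queue ARN while ReceiveMessage and any other queue do not, which is the least-privilege shape the grant is meant to produce.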
Issue Analytics
- State:
- Created 2 years ago
- Reactions:1
- Comments:6 (3 by maintainers)
Top GitHub Comments
I don’t think the ability to send one message per API call or 10 messages per API call is a privilege difference. I wouldn’t expect that to be an issue for a “least privilege” approach.
If you buy that argument, then I think the module should take the approach that makes it easiest on the developer and just grant all of the API actions that allow SendMessage. The other approaches you proposed are more complicated for users of the batch API. If you chose to take the approach of grantSendBatch, the GetQueueUrl and GetQueueAttributes actions should be included in the resultant policy.

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.