I have an EC2 instance with the below IAM policy attached to its role:
{
  "Statement": [
    ... other Allow statements here
    {
      "Action": "sqs:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:sqs:us-east-1:us-east-1:111111111111:automation-document-dev"
      ]
    }
  ],
  "Version": "2012-10-17"
}
automation-document-dev SQS access policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSQSS3BucketNotification",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:111111111111:automation-document-dev",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:s3:::doc-storage-dev"
        }
      }
    }
  ]
}
When I SSH to the EC2 instance and execute aws sqs get-queue-url --queue-name automation-document-dev
I get this error:
An error occurred (AWS.SimpleQueueService.NonExistentQueue) when calling the GetQueueUrl operation:
The specified queue does not exist or you do not have access to it.
What am I missing here? The IAM role/policy looks like it should have all of the permissions it needs to access the queue (I used the get-queue-url
action as a test). From what I know, I don't need to change the SQS access policy as long as the EC2 instance role has permission to use the service.
You have the wrong resource ARN in the IAM role policy; it has the region added twice: arn:aws:sqs:us-east-1:us-east-1:111111111111:automation-document-dev
Please change it to: arn:aws:sqs:us-east-1:111111111111:automation-document-dev
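As an added check (example code written for this page, not something from the question or the answer), the following Python script lints the Resource ARNs of a policy's sqs: statements for exactly the defect the answer identifies. An SQS queue ARN has six colon-separated fields (arn:partition:service:region:account-id:queue-name), and IAM does not reject a resource string with the wrong number of fields, so a duplicated region only surfaces later as NonExistentQueue on the call. The embedded policy documents are constructed copies of the question's SQS statement with the elided "other Allow statements" left out; the function names and the regex are my own assumptions about the ARN shape, not anything from the page.

```python
import json
import re

# An SQS queue ARN is arn:partition:service:region:account-id:queue-name,
# exactly six colon-separated fields (queue names cannot contain a colon).
# The region/account/queue patterns below are this example's assumptions.
_SQS_QUEUE_ARN = re.compile(
    r"^arn:(?P<partition>aws|aws-cn|aws-us-gov):sqs:"
    r"(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d):"
    r"(?P<account>\d{12}):"
    r"(?P<queue>[A-Za-z0-9_-]{1,80}(?:\.fifo)?)$"
)


def check_sqs_arn(arn):
    """Return None for a well-formed SQS queue ARN, otherwise a reason string."""
    parts = arn.split(":")
    if len(parts) != 6:
        # The question's case: a field typed twice gives seven parts. IAM
        # stores the string as-is, so the only symptom is NonExistentQueue.
        repeated = [p for p in dict.fromkeys(parts)
                    if parts.count(p) > 1 and p not in ("arn", "aws", "sqs")]
        hint = f" (repeated field: {repeated[0]!r})" if repeated else ""
        return f"expected 6 colon-separated fields, got {len(parts)}{hint}"
    if not _SQS_QUEUE_ARN.match(arn):
        return "six fields, but region, account id or queue name is malformed"
    return None


def _as_list(value):
    """IAM allows a lone string or a list for Action and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def sqs_resource_arns(policy):
    """Yield every non-wildcard Resource ARN from statements granting sqs: actions."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        actions = _as_list(stmt.get("Action"))
        if not any(a == "*" or a.lower().startswith("sqs:") for a in actions):
            continue
        for resource in _as_list(stmt.get("Resource")):
            if resource != "*":
                yield resource


def lint_policy(policy):
    """Map each malformed SQS ARN in the policy to the reason it is malformed."""
    problems = {}
    for arn in sqs_resource_arns(policy):
        reason = check_sqs_arn(arn)
        if reason:
            problems[arn] = reason
    return problems


# Constructed copies of the question's IAM statement: the ARN as posted,
# and the ARN as corrected by the answer.
BAD_ARN = "arn:aws:sqs:us-east-1:us-east-1:111111111111:automation-document-dev"
GOOD_ARN = "arn:aws:sqs:us-east-1:111111111111:automation-document-dev"

ROLE_POLICY_AS_POSTED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": "sqs:*", "Effect": "Allow", "Resource": [BAD_ARN]},
    ],
}
ROLE_POLICY_FIXED = json.loads(
    json.dumps(ROLE_POLICY_AS_POSTED).replace(BAD_ARN, GOOD_ARN)
)


if __name__ == "__main__":
    for name, policy in (("as posted", ROLE_POLICY_AS_POSTED),
                         ("fixed", ROLE_POLICY_FIXED)):
        problems = lint_policy(policy)
        print(f"{name}: {problems or 'all SQS ARNs well-formed'}")
```

Run against the posted statement the linter reports the seven-field ARN and names the repeated field; against the corrected statement it reports nothing. The same lint can be pointed at the output of aws iam get-role-policy before a policy is attached, which catches this class of typo earlier than a NonExistentQueue error on the instance would.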