Testing attribute-based access control in Amazon SQS
The following examples show you how to test attribute-based access control in Amazon SQS.
Create a queue with the tag key set to environment and the tag value set to prod
Run this Amazon CLI command to test creating the queue with the tag key set to environment and the tag value set to prod. If you don't have Amazon CLI, you can download and configure it for your machine.
aws sqs create-queue --queue-name prodQueue --region us-east-1 --tags "environment=prod"
You receive an AccessDenied error from the Amazon SQS endpoint:
An error occurred (AccessDenied) when calling the CreateQueue operation: Access to the resource <queueUrl> is denied.
This is because the tag value on the IAM user does not match the tag passed in the CreateQueue API call. Remember that we applied a tag to the IAM user with the key set to environment and the value set to beta.
Create a queue with the tag key set to environment and the tag value set to beta
Run this CLI command to test creating a queue with the tag key set to environment and the tag value set to beta.
aws sqs create-queue --queue-name betaQueue --region us-east-1 --tags "environment=beta"
You receive a message confirming the successful creation of the queue, similar to the one below.
{ "QueueUrl": "<queueUrl>" }
Sending a message to a queue
Run this CLI command to test sending a message to a queue.
aws sqs send-message --queue-url <queueUrl> --message-body testMessage
The response shows a successful message delivery to the Amazon SQS queue. The IAM user permission allows you to send a message to a queue that has a beta tag. The response includes MD5OfMessageBody and MessageId containing the message.
{ "MD5OfMessageBody": "<MD5OfMessageBody>", "MessageId": "<MessageId>" }
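The three results above can be reproduced offline with a small model of the tag comparison. This is an added example, not part of the original documentation: the policy shape (StringEquals on aws:RequestTag/environment and aws:ResourceTag/environment against the ${aws:PrincipalTag/environment} variable) is an assumption based on the behavior this page describes, and the function names are hypothetical. Only Allow statements and implicit deny are modeled.

```python
import re

# Assumed identity policy (not shown on this page): allow when the tag sent in
# the request, or already on the queue, equals the caller's "environment" tag.
PRINCIPAL_ENV = "${aws:PrincipalTag/environment}"
POLICY = [
    {"Effect": "Allow", "Action": {"sqs:CreateQueue"},
     "Condition": {"StringEquals": {"aws:RequestTag/environment": PRINCIPAL_ENV}}},
    {"Effect": "Allow", "Action": {"sqs:SendMessage"},
     "Condition": {"StringEquals": {"aws:ResourceTag/environment": PRINCIPAL_ENV}}},
]
VAR = re.compile(r"\$\{([^}]+)\}")

def resolve(value, ctx):
    """Substitute ${key} policy variables; None if a variable has no value."""
    if any(name not in ctx for name in VAR.findall(value)):
        return None
    return VAR.sub(lambda m: ctx[m.group(1)], value)

def is_allowed(action, principal_tags, request_tags=None, resource_tags=None):
    """Implicit deny unless every condition of some Allow statement matches."""
    ctx = {}
    for prefix, tags in (("aws:PrincipalTag/", principal_tags),
                         ("aws:RequestTag/", request_tags or {}),
                         ("aws:ResourceTag/", resource_tags or {})):
        ctx.update({prefix + key: val for key, val in tags.items()})
    for stmt in POLICY:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        # StringEquals is case-sensitive; a key missing from the request
        # context (for example an untagged CreateQueue) never matches.
        if all(key in ctx and ctx[key] == resolve(want, ctx)
               for key, want in stmt["Condition"]["StringEquals"].items()):
            return True
    return False

USER = {"environment": "beta"}  # the IAM user tag this page refers to

def run_cases():
    """The three calls on this page, plus two constructed edge cases."""
    return {
        "create prodQueue": is_allowed("sqs:CreateQueue", USER, request_tags={"environment": "prod"}),
        "create betaQueue": is_allowed("sqs:CreateQueue", USER, request_tags={"environment": "beta"}),
        "send to betaQueue": is_allowed("sqs:SendMessage", USER, resource_tags={"environment": "beta"}),
        "create untagged": is_allowed("sqs:CreateQueue", USER),
        "untagged user": is_allowed("sqs:CreateQueue", {}, request_tags={"environment": "beta"}),
    }
```

The two constructed edge cases are worth adding to a real test run as negative checks: a CreateQueue call with no tags, and a caller with no environment tag, should both be denied.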