Access denied to SQS via AWS SDK

I'm currently working on a website developed with Symfony2 and I need to send messages in an Amazon SQS. In order to do that I added to my composer.json:

"aws/aws-sdk-php": "2.4.*"

Then when I try to create a queue or list queues I've got a 403 error saying:

Access to the resource https://sqs.us-west-2.amazonaws.com/ is denied.

EDIT: added the full error message

AWS Error Code: AccessDenied, Status Code: 403, AWS Request ID: 2fe34c11-7af8-5445-a768-070159a0953e, AWS Error Type: client, AWS Error Message: Access to the resource https://sqs.us-west-2.amazonaws.com/ is denied., User-Agent: aws-sdk-php2/2.4.11 Guzzle/3.7.4 curl/7.25.0 PHP/5.4.3

Here is a sample code of what I do:

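use Aws\Common\Aws; // service builder class of AWS SDK for PHP 2.x

// Build the service factory with the credentials and region to sign requests for.
$aws = Aws::factory(array(
  'key'    => 'my-key',
  'secret' => 'my-secret',
  'region' => 'us-west-2'
));

// Get the SQS client from the factory.
$sqs = $aws->get('sqs');

// var_dump() prints the ListQueues result directly and returns null.
return new Response(var_dump($sqs->listQueues()));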

What am I doing wrong to get this error?

Hesperides answered 27/11, 2013 at 16:58 Comment(1)
I ensured that it wasn't a proxy problem by adding curl options into the config array. - Hesperides

After digging, I discovered that the account I was using wasn't granted access to the SQS service.

To give an account SQS access, you have to go to the Amazon management console. Then click on IAM. Under this section, click on Users, and then you can manage permissions for each account you created.

Hesperides answered 3/12, 2013 at 15:41 Comment(5)
BINGO!! I was having the same issue with access rights for users. Thanks Supa - Hopeless
When every other service can be connected with the default user, why would there be a separate need for an SQS user? - Egotism
BTW, what is the policy you attached? The following is not working and still shows 403: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "sqs:*", "Resource": "*" } ] } - Frumentaceous
In case you are facing this because of CloudFormation, try updating the permissions of the SQS queue in my permission tab. Worked for me. - Castle
Hi, sometimes this is not the real solution. In my case I had granted all required permissions, but finally the problem was related to the mapping template in the Integration Request and also the header content type. - Overwork

Make sure that both of the following policies allow access to the SQS queue:

  1. Resource (SQS) based policy: The SQS queue should allow your identity to use the queue. You define this using the queue policy (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-sqs-policy). The default queue policy will allow access only to the owner of the queue (owner of the queue is the identity that created the queue).
  2. Identity based policies: The policy for the identity that is accessing the queue should have permission to invoke operations on the queue.

Make sure that the access is not restricted by either one of them.

https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-using-identity-based-policies.html

Ginglymus answered 18/1, 2020 at 19:34 Comment(0)
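To check the identity-based side offline, here is an added example (not code from this thread or from AWS) that evaluates one policy document against an action and a resource ARN, using the policy quoted in the comment above and a constructed, region-scoped one. It is a simplified model: it does not evaluate the queue's resource policy, `Condition`, `NotAction` or `NotResource`, and the account ID and queue name are placeholders.

```python
import json
import re

def _glob(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _as_list(v):
    # Action/Resource may be a single string or a list of strings.
    return [v] if isinstance(v, str) else list(v or [])

def evaluate(policy, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one identity-based policy."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    stmts = doc.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    result = "ImplicitDeny"          # nothing matched: the request is refused
    for s in stmts:
        if {"NotAction", "NotResource", "Condition"} & s.keys():
            raise ValueError("element not evaluated by this example")
        hit = (any(_glob(a, action, True) for a in _as_list(s.get("Action")))
               and any(_glob(r, resource) for r in _as_list(s.get("Resource"))))
        if hit and s.get("Effect") == "Deny":
            return "Deny"            # an explicit Deny always wins
        if hit and s.get("Effect") == "Allow":
            result = "Allow"
    return result

# Policy quoted in the comment above.
WILDCARD = ('{"Version": "2012-10-17", "Statement": '
            '[{"Effect": "Allow", "Action": "sqs:*", "Resource": "*"}]}')

# Constructed policy: account ID and queue name are placeholders.
EAST = "arn:aws:sqs:us-east-1:123456789012:orders"
WEST = "arn:aws:sqs:us-west-2:123456789012:orders"
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["sqs:SendMessage", "sqs:GetQueueUrl"], "Resource": EAST},
    {"Effect": "Deny", "Action": "sqs:Delete*", "Resource": "*"},
]}

if __name__ == "__main__":
    for pol, act, res in [(WILDCARD, "sqs:ListQueues", "*"),
                          (SCOPED, "sqs:SendMessage", EAST),
                          (SCOPED, "sqs:SendMessage", WEST),
                          (SCOPED, "sqs:DeleteQueue", EAST)]:
        print(act, res, "->", evaluate(pol, act, res))
```

An `ImplicitDeny` for the us-west-2 ARN under a policy scoped to us-east-1 shows how a region mismatch surfaces as the same 403 as a missing permission.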

I had the same strange issue. I had everything set up, including policies and permissions. After a couple of hours I found out I was getting the 403 error because the wrong AWS region was configured in my application: it was supposed to be ap-south-1, but by default it was us-east-1.

Griffiths answered 29/12, 2021 at 16:48 Comment(0)
