I want to create a dynamic permission policy with attribute substitution that allows access to the respective customer's queue (the customer name is part of the SQS queue name).
For example, SQS queue name: individual-queue-${insert-attribute-by-customer-name}
I created an IAM role, granted access in the SQS access policy, with the name generic-sqs-access-role-dynamic-attributes:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"sqs:DeleteMessage",
"sqs:ReceiveMessage",
"sqs:SendMessage",
"sqs:GetQueueAttributes"
],
"Resource": [
"arn:aws:sqs:us-west-2:accountID:general-queue-abc",
"arn:aws:sqs:eu-west-2:accountID:individual-queue-${insert-attribute-by-customer-name}"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "sqs:ListQueues",
"Resource": "*"
}
]
}
My SQS access policy (the role principal below is the role with the permission policy stated above):
{
"Version": "2008-10-17",
"Id": "__default_policy_ID",
"Statement": [
{
"Sid": "__owner_statement",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::accountID:root"
},
"Action": "SQS:*",
"Resource": "arn:aws:sqs:eu-west-2:accountID:individual-queue-${insert-attribute-by-customer-name}"
},
{
"Sid": "__sender_statement",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::accountID:role/generic-sqs-access-role-dynamic-attributes"
},
"Action": "SQS:SendMessage",
"Resource": "arn:aws:sqs:eu-west-2:accountID:individual-queue-${insert-attribute-by-customer-name}"
},
{
"Sid": "__receiver_statement",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::accountID:role/generic-sqs-access-role-dynamic-attributes"
},
"Action": [
"SQS:ChangeMessageVisibility",
"SQS:DeleteMessage",
"SQS:ReceiveMessage"
],
"Resource": "arn:aws:sqs:eu-west-2:accountID:individual-queue-${insert-attribute-by-customer-name}"
}
]
}
But when I assumed the role and tested from Cloud9, the dynamic policy didn't work. Anyone who can assume the role generic-sqs-access-role-dynamic-attributes
can access all the queues (both the general queue and the individual queues with customer names appended to them).
I expected the dynamic attribute in the IAM role policy to restrict access based on the queue name, with the customer name substituted in,
i.e. customer-a can access only arn:aws:sqs:eu-west-2:accountID:individual-queue-customer-a,
customer-b can access only arn:aws:sqs:eu-west-2:accountID:individual-queue-customer-b,
and they can't access each other's queue.
I tried with conditions but had no luck.
What has gone wrong here? Is it an IAM policy issue or an SQS access policy issue?
Thanks
I got it to work this way:
Two different IAM policies, split from the IAM policy above: one with only the general queue as its resource, one with the customer-specific queue.
In the SQS access policy, I added attribute substitution for the individual queue.
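As an added example (mine, not code from the question or the answer above): the customer-specific identity policy written with a real IAM policy variable, plus a small offline model of how IAM substitutes that variable into the Resource ARN, so you can check the isolation property (customer-a cannot reach customer-b's queue, and an untagged principal gets nothing) before deploying. Assumptions that are not in the thread: the customer name is carried as a principal tag with key `customer` (a session tag set at AssumeRole time), the account ID is the placeholder 123456789012, and queue names follow the thread's `individual-queue-<name>` pattern. The evaluator models only variable substitution, `*`/`?` matching and explicit-deny-wins; it is not a reimplementation of IAM, and the thread's `${insert-attribute-by-customer-name}` placeholder is not a variable IAM recognises.

```python
"""Offline check that a Resource written with ${aws:PrincipalTag/customer}
confines each customer to its own SQS queue. Added example; the policy and
the evaluator are hypothetical and modelled on the thread's setup."""
import json
import re

# Customer-specific identity policy (hypothetical). The account ID is a
# placeholder; the customer name comes from the principal's "customer" tag.
CUSTOMER_QUEUE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CustomerQueueOnly",
      "Effect": "Allow",
      "Action": ["sqs:SendMessage", "sqs:ReceiveMessage",
                 "sqs:DeleteMessage", "sqs:GetQueueAttributes"],
      "Resource": "arn:aws:sqs:eu-west-2:123456789012:individual-queue-${aws:PrincipalTag/customer}"
    }
  ]
}
""")

VAR_RE = re.compile(r"\$\{aws:PrincipalTag/([A-Za-z0-9_.:/=+\-@]+)\}")


def _glob_to_regex(text):
    """IAM-style wildcards: '*' matches any run, '?' one character."""
    return re.escape(text).replace(r"\*", ".*").replace(r"\?", ".")


def resource_matches(pattern, arn, principal_tags):
    """Expand ${aws:PrincipalTag/<key>} in pattern, then match arn against it.
    Returns False when a referenced tag is missing: an unresolved variable
    never matches, so an untagged principal is granted nothing."""
    parts, pos = [], 0
    for m in VAR_RE.finditer(pattern):
        value = principal_tags.get(m.group(1))
        if value is None:
            return False
        parts.append(_glob_to_regex(pattern[pos:m.start()]))
        # Tag value is inserted literally: a tag value of '*' must not widen the grant.
        parts.append(re.escape(value))
        pos = m.end()
    parts.append(_glob_to_regex(pattern[pos:]))
    return re.fullmatch("".join(parts), arn) is not None


def action_matches(pattern, action):
    """Action names are case-insensitive and may contain wildcards."""
    return re.fullmatch(_glob_to_regex(pattern.lower()), action.lower()) is not None


def is_allowed(policy, action, resource_arn, principal_tags):
    """Evaluate one identity policy: explicit Deny wins, then any Allow, else denied."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(action_matches(a, action) for a in actions):
            continue
        if not any(resource_matches(r, resource_arn, principal_tags) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def queue_arn(customer):
    return f"arn:aws:sqs:eu-west-2:123456789012:individual-queue-{customer}"


def check_isolation(customers, action="sqs:SendMessage"):
    """Return {(caller, target): allowed} for every pair of customers, where the
    caller is a session tagged customer=<caller> hitting <target>'s queue."""
    results = {}
    for caller in customers:
        for target in customers:
            results[(caller, target)] = is_allowed(
                CUSTOMER_QUEUE_POLICY, action, queue_arn(target), {"customer": caller})
    return results


if __name__ == "__main__":
    for (caller, target), ok in check_isolation(["customer-a", "customer-b"]).items():
        print(f"{caller} -> {target}: {'ALLOW' if ok else 'DENY'}")
    # A session with no customer tag matches no statement at all.
    print("untagged:", is_allowed(CUSTOMER_QUEUE_POLICY, "sqs:SendMessage",
                                  queue_arn("customer-a"), {}))
```

For the tag to exist at evaluation time, the session has to be tagged when the role is assumed (`aws sts assume-role --role-arn ... --role-session-name ... --tags Key=customer,Value=customer-a`), and the role's trust policy has to allow `sts:TagSession` for the assuming principal. Whoever can set that tag controls which queue the session reaches, so lock it down in the trust policy (for example with an `aws:RequestTag/customer` condition) rather than letting the caller pick it freely; the same `${aws:PrincipalTag/customer}` substitution works in the queue's resource policy, but in the same account an Allow in either the identity policy or the queue policy is enough, so the identity policy is where the restriction has to hold.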