I have a website that writes messages from the client side to an Amazon SQS Queue. Everybody is allowed to write to the queue. We have a server-side process that reads the queue messages and processes them.
The Queue is configured with write access to everybody, here is its policy:
{
"Version": "2012-10-17",
"Id": "arn:aws:sqs:.../SQSDefaultPolicy",
"Statement": [{
"Sid": "Sid1537097246229",
"Effect": "Allow",
"Principal": "*",
"Action": "SQS:SendMessage",
"Resource": "arn:aws:sqs:..."
}]
}
However, we can't seem to be able to write to the queue without an access key and secret key. The AWS SDK returns an error saying that credentials have not been provided. We're using the code as described in the AWS SQS documentation.
I have a website that writes messages from the client side to an Amazon SQS Queue. Everybody is allowed to write to the queue. We have a server-side process that reads the queue messages and processes them.
The Queue is configured with write access to everybody, here is its policy:
{
"Version": "2012-10-17",
"Id": "arn:aws:sqs:.../SQSDefaultPolicy",
"Statement": [{
"Sid": "Sid1537097246229",
"Effect": "Allow",
"Principal": "*",
"Action": "SQS:SendMessage",
"Resource": "arn:aws:sqs:..."
}]
}
However, we can't seem to be able to write to the queue without an access key and secret key. The AWS SDK returns an error saying that credentials have not been provided. We're using the code as described in the AWS SQS documentation.
Share Improve this question asked Sep 16, 2018 at 12:26 zmbqzmbq 39.1k15 gold badges106 silver badges186 bronze badges2 Answers
Reset to default 5I would not remend allowing unauthenticated access to an SQS queue, but if you have to do this then you should be able to make unauthenticated requests through the JavaScript SDK as follows:
const AWS = require('aws-sdk');
AWS.config.update({ region: 'us-east-1' });
const sqs = new AWS.SQS({ apiVersion: '2012-11-05' });
const params = {
DelaySeconds: 10,
MessageAttributes: {
Title: {
DataType: 'String',
StringValue: 'The Whistler',
},
Author: {
DataType: 'String',
StringValue: 'John Grisham',
},
},
MessageBody: 'NY Times fiction bestseller 12/11/2016.',
QueueUrl: 'QUEUE_URL_HERE',
};
sqs.makeUnauthenticatedRequest('sendMessage', params, (err, data) => {
if (err) {
console.log('Error', err);
} else {
console.log('Success', data.MessageId);
}
});
Your default policy with "Principal": "*" still requires that the sender provide some AWS principal. As stated in the Prerequisites of the document you provided:
Create a shared configurations file with your user credentials. For more information about providing a shared credentials file, see Loading Credentials in Node.js from the Shared Credentials File.
Have you considered using API Gateway as a proxy to your SQS queue? One example of doing so is defined at https://dzone./articles/creating-aws-service-proxy-for-amazon-sqs . I would remend setting up a proxy to the SQS and having a POST endpoint such as
POST::/myQueueName/messages
That will change how your users interact with the queue, but it allows you to lock down the queue to only a service user for reading and writing, which follows the least-privilege policy. Then your API Gateway endpoint can be protected with an API key, left wide-open to the internet, or even protected with IAM roles, based on your preferences.