Queue Permissions

Access control management for SQS queues including adding and removing permissions for cross-account access and service integration.

Capabilities

Add Permission

Grants one or more AWS accounts permission to perform specific actions on a queue by adding a labelled statement to the queue's access policy. Service principals (for example SNS) cannot be named here; they need a policy statement applied through SetQueueAttributes, as shown under Advanced Permission Management.

class AddPermissionCommand {
  constructor(input: AddPermissionCommandInput);
}

interface AddPermissionCommandInput {
  /** URL of the queue to modify */
  QueueUrl: string;
  /** Unique label for this permission (up to 80 characters) */
  Label: string;
  /** AWS account IDs to grant permissions to */
  AWSAccountIds: string[];
  /** Actions to allow (e.g., 'SendMessage', 'ReceiveMessage', '*') */
  Actions: string[];
}

Usage Examples:

import { SQSClient, AddPermissionCommand } from "@aws-sdk/client-sqs";

const client = new SQSClient({ region: "us-east-1" });
// Queue used by the later snippets that refer to `queueUrl`
const queueUrl = "https://sqs.us-east-1.amazonaws.com/123456789012/MyQueue";

// Grant send permission to another account
await client.send(new AddPermissionCommand({
  QueueUrl: "https://sqs.us-east-1.amazonaws.com/123456789012/MyQueue",
  Label: "AllowCrossAccountSend",
  AWSAccountIds: ["111122223333"],
  Actions: ["SendMessage"]
}));

// Grant multiple permissions
await client.send(new AddPermissionCommand({
  QueueUrl: "https://sqs.us-east-1.amazonaws.com/123456789012/MyQueue", 
  Label: "AllowServiceAccess",
  AWSAccountIds: ["444455556666"],
  Actions: ["SendMessage", "ReceiveMessage", "DeleteMessage"]
}));

// Grant all permissions (use with caution)
await client.send(new AddPermissionCommand({
  QueueUrl: "https://sqs.us-east-1.amazonaws.com/123456789012/MyQueue",
  Label: "AllowFullAccess",
  AWSAccountIds: ["777788889999"],
  Actions: ["*"]
}));

Remove Permission

Removes the policy statement identified by the given label from a queue's access policy.

class RemovePermissionCommand {
  constructor(input: RemovePermissionCommandInput);
}

interface RemovePermissionCommandInput {
  /** URL of the queue to modify */
  QueueUrl: string;
  /** Label of the permission to remove */
  Label: string;
}

Usage Examples:

// Remove specific permission
await client.send(new RemovePermissionCommand({
  QueueUrl: "https://sqs.us-east-1.amazonaws.com/123456789012/MyQueue",
  Label: "AllowCrossAccountSend"
}));

// Clean up expired permissions
const permissionsToRemove = ["TempAccess1", "TempAccess2"];
for (const label of permissionsToRemove) {
  await client.send(new RemovePermissionCommand({
    QueueUrl: queueUrl,
    Label: label
  }));
}

Permission Actions

Available actions for SQS permissions (granting SendMessage, DeleteMessage or ChangeMessageVisibility also grants the corresponding Batch action):

  • SendMessage - Send messages to the queue
  • ReceiveMessage - Receive messages from the queue
  • DeleteMessage - Delete messages from the queue
  • ChangeMessageVisibility - Change message visibility timeout
  • GetQueueAttributes - Retrieve queue attributes
  • GetQueueUrl - Get queue URL by name
  • * - All actions (use with extreme caution)
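The following is an added example, not code from this page or from the AWS SDK: a pre-flight validator for an AddPermissionCommandInput that rejects malformed input locally (label, account IDs, action names, using the action list above and the SQS label rules of 1-80 alphanumeric, hyphen or underscore characters) and makes the "*" grant an explicit opt-in, flagging it separately when it would go to an account other than the queue owner. The option names `ownAccountId` and `allowWildcard` are assumptions of this example, not SDK parameters.

```javascript
// Added example (not from the page or the SDK): validate an AddPermission input
// before sending it, so that bad input fails locally and over-broad grants
// need an explicit opt-in.

// Action names AddPermission accepts, as listed on this page.
const ALLOWED_ACTIONS = new Set([
  "SendMessage", "ReceiveMessage", "DeleteMessage",
  "ChangeMessageVisibility", "GetQueueAttributes", "GetQueueUrl", "*",
]);

// Label rules from the SQS API: 1-80 alphanumerics, hyphens or underscores.
const LABEL_RE = /^[A-Za-z0-9_-]{1,80}$/;
const ACCOUNT_ID_RE = /^\d{12}$/;

/**
 * Returns { ok, problems }. Both option names are assumptions of this example:
 * opts.ownAccountId is the queue owner's account, opts.allowWildcard must be
 * true before Actions: ["*"] is accepted at all.
 */
function validateAddPermissionInput(input, opts = {}) {
  const problems = [];

  if (typeof input.QueueUrl !== "string" || !/^https:\/\//.test(input.QueueUrl)) {
    problems.push("QueueUrl must be an https URL");
  }
  if (!LABEL_RE.test(input.Label ?? "")) {
    problems.push("Label must be 1-80 alphanumeric/hyphen/underscore characters");
  }

  const ids = input.AWSAccountIds ?? [];
  if (ids.length === 0) problems.push("AWSAccountIds must not be empty");
  for (const id of ids) {
    if (!ACCOUNT_ID_RE.test(id)) {
      problems.push(`AWSAccountIds: '${id}' is not a 12-digit account ID`);
    }
  }

  const actions = input.Actions ?? [];
  if (actions.length === 0) problems.push("Actions must not be empty");
  for (const a of actions) {
    if (!ALLOWED_ACTIONS.has(a)) {
      problems.push(`Actions: '${a}' is not an AddPermission action`);
    }
  }

  // Accounts other than the queue owner get extra scrutiny for "*".
  const external = ids.filter((id) => ACCOUNT_ID_RE.test(id) && id !== opts.ownAccountId);
  if (actions.includes("*")) {
    if (!opts.allowWildcard) problems.push("Actions: '*' requires opts.allowWildcard");
    if (external.length > 0) {
      problems.push(`Actions: '*' would grant every action to external account(s) ${external.join(", ")}`);
    }
  }

  return { ok: problems.length === 0, problems };
}

// Usage: run the check, then send only when it passes.
// const check = validateAddPermissionInput(input, { ownAccountId: "123456789012" });
// if (!check.ok) throw new Error(check.problems.join("; "));
// await client.send(new AddPermissionCommand(input));
```

Because the SDK only reports an invalid account ID once the request reaches SQS, catching it here keeps the failed call out of the queue's policy history, and the wildcard opt-in makes the "use with caution" case visible in code review.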

Advanced Permission Management

Service-to-Service Permissions

import { SetQueueAttributesCommand } from "@aws-sdk/client-sqs";

// AddPermission only accepts AWS account IDs, so this grants your own account
// SendMessage; it does not by itself authorize the SNS service principal
await client.send(new AddPermissionCommand({
  QueueUrl: queueUrl,
  Label: "AllowSNSPublish",
  AWSAccountIds: ["123456789012"], // Your account ID
  Actions: ["SendMessage"]
}));

// For an SNS topic subscription the queue policy needs a statement for the SNS
// service principal, scoped to the topic with aws:SourceArn so that no other
// topic can deliver to the queue
const snsPolicy = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Principal: {
      Service: "sns.amazonaws.com"
    },
    Action: "sqs:SendMessage",
    Resource: "arn:aws:sqs:us-east-1:123456789012:MyQueue",
    Condition: {
      ArnEquals: {
        "aws:SourceArn": "arn:aws:sns:us-east-1:123456789012:MyTopic"
      }
    }
  }]
};

// Apply it with SetQueueAttributes. The Policy attribute replaces the whole
// queue policy, so merge in any existing statements (including ones created
// by AddPermission) before writing it
await client.send(new SetQueueAttributesCommand({
  QueueUrl: queueUrl,
  Attributes: { Policy: JSON.stringify(snsPolicy) }
}));

Cross-Account Access Patterns

// Producer account grants send permissions
await client.send(new AddPermissionCommand({
  QueueUrl: "https://sqs.us-east-1.amazonaws.com/123456789012/SharedQueue",
  Label: "AllowConsumerAccountReceive", 
  AWSAccountIds: ["999888777666"], // Consumer account
  Actions: ["ReceiveMessage", "DeleteMessage", "ChangeMessageVisibility"]
}));

import { ReceiveMessageCommand } from "@aws-sdk/client-sqs";

// Consumer can now access the queue from their account. Cross-account access
// needs both sides to allow it: the queue policy above and an IAM identity
// policy in the consumer account that permits these sqs actions on the queue ARN
const consumerClient = new SQSClient({
  region: "us-east-1",
  credentials: consumerAccountCredentials // credentials for account 999888777666
});

const messages = await consumerClient.send(new ReceiveMessageCommand({
  QueueUrl: "https://sqs.us-east-1.amazonaws.com/123456789012/SharedQueue"
}));
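Once a queue has been opened up with AddPermission and SetQueueAttributes as above, the thing worth checking is the resulting policy. The following is an added example, not code from this page or from the AWS SDK: an audit of the queue policy JSON (the Policy attribute that GetQueueAttributes returns as a string) that flags the three problems a reviewer most wants to catch: an Allow to a public principal with no Condition, a service principal not scoped by aws:SourceArn or aws:SourceAccount, and a wildcard action handed to another account. It goes beyond the page's single SNS statement by handling any number of statements, string-or-array Action and Principal fields, and both ARN and bare account-ID principals. The sample policy and the owner account ID are constructed for the example.

```javascript
// Added example (not from the page or the SDK): audit a queue access policy.
// Input is the Policy JSON string that GetQueueAttributes returns; here a
// constructed sample stands in for it.

const OWN_ACCOUNT_ID = "123456789012"; // assumed: account that owns the queue

// Constructed sample: one SNS statement scoped by SourceArn (as on the page),
// one cross-account grant of the shape AddPermission writes, one public grant.
const SAMPLE_POLICY = JSON.stringify({
  Version: "2012-10-17",
  Statement: [
    {
      Sid: "AllowSNSPublish",
      Effect: "Allow",
      Principal: { Service: "sns.amazonaws.com" },
      Action: "sqs:SendMessage",
      Resource: "arn:aws:sqs:us-east-1:123456789012:MyQueue",
      Condition: { ArnEquals: { "aws:SourceArn": "arn:aws:sns:us-east-1:123456789012:MyTopic" } }
    },
    {
      Sid: "AllowCrossAccountSend",
      Effect: "Allow",
      Principal: { AWS: "arn:aws:iam::111122223333:root" },
      Action: "SQS:SendMessage",
      Resource: "arn:aws:sqs:us-east-1:123456789012:MyQueue"
    },
    {
      Sid: "LeftOverFromTesting",
      Effect: "Allow",
      Principal: "*",
      Action: "SQS:*",
      Resource: "arn:aws:sqs:us-east-1:123456789012:MyQueue"
    }
  ]
});

// IAM policy fields may be a single value or an array; normalise to an array.
const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Account ID of an AWS principal: "*", a bare 12-digit ID, or an ARN.
function principalAccount(p) {
  if (p === "*") return "*";
  if (/^\d{12}$/.test(p)) return p;
  const parts = String(p).split(":");
  return parts.length >= 5 ? parts[4] : null;
}

// Returns an array of { sid, severity, issue } findings for Allow statements.
function auditQueuePolicy(policyJson, ownAccountId) {
  const policy = JSON.parse(policyJson);
  const findings = [];

  for (const stmt of asArray(policy.Statement)) {
    if (stmt.Effect !== "Allow") continue; // Deny statements only tighten access
    const sid = stmt.Sid || "(no Sid)";
    const actions = asArray(stmt.Action).map((a) => String(a).toLowerCase());
    const wildcardAction = actions.some((a) => a === "*" || a === "sqs:*");
    const condition = stmt.Condition || {};
    const hasCondition = Object.keys(condition).length > 0;

    const principal = stmt.Principal;
    const awsPrincipals = principal === "*" ? ["*"] : asArray(principal && principal.AWS);
    const servicePrincipals = asArray(principal && principal.Service);

    for (const p of awsPrincipals) {
      const acct = principalAccount(p);
      if (acct === "*" && !hasCondition) {
        findings.push({ sid, severity: "critical", issue: "public principal without Condition" });
      } else if (acct && acct !== "*" && acct !== ownAccountId) {
        findings.push(wildcardAction
          ? { sid, severity: "high", issue: `wildcard action granted to external account ${acct}` }
          : { sid, severity: "info", issue: `cross-account grant to ${acct}` });
      }
    }

    // A service principal that is not pinned to a source is usable by any
    // resource of that service, in any account (condition keys are case-insensitive).
    for (const svc of servicePrincipals) {
      if (!/aws:source(arn|account)/i.test(JSON.stringify(condition))) {
        findings.push({ sid, severity: "high", issue: `service principal ${svc} not scoped by aws:SourceArn/aws:SourceAccount` });
      }
    }
  }
  return findings;
}

// Usage: fetch the live policy with
//   client.send(new GetQueueAttributesCommand({ QueueUrl, AttributeNames: ["Policy"] }))
// and pass Attributes.Policy in place of SAMPLE_POLICY.
for (const f of auditQueuePolicy(SAMPLE_POLICY, OWN_ACCOUNT_ID)) {
  console.log(`[${f.severity}] ${f.sid}: ${f.issue}`);
}
```

Run against the sample, the SNS statement passes, the AddPermission-style grant is reported as an informational cross-account entry, and the public statement is reported as critical; wiring the same function into a periodic check over every queue in the account is a cheap way to notice a RemovePermission that never happened.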

Error Handling

Common permission-related errors:

  • InvalidAddress - Invalid AWS account ID format
  • OverLimit - Maximum number of permissions exceeded (20 per queue)
  • QueueDoesNotExist - Queue URL incorrect or queue deleted
  • UnsupportedOperation - Operation not supported for this queue type

try {
  await client.send(new AddPermissionCommand({
    QueueUrl: queueUrl,
    Label: "TestPermission",
    AWSAccountIds: ["invalid-account-id"],
    Actions: ["SendMessage"]
  }));
} catch (error) {
  if (error.name === 'InvalidAddress') {
    console.error("Invalid AWS account ID format");
  } else if (error.name === 'OverLimit') {
    console.error("Too many permissions on this queue");
  } else {
    throw error; // do not swallow errors you did not expect
  }
}