
SQS IAM Permissions incorrect for ARN listeners.

Open PatrickGotthard opened this issue 9 months ago • 5 comments

Type: Question

Component: SQS IAM documentation

Describe the bug: According to the documentation, "To use SqsListener with Sqs name instead of ARN you will need sqs:GetQueueUrl".

But I also had to grant this permission to be able to use @SqsListener("arn") or SQSTemplate.receiveMany("arn", Some.class).

Is the documentation incorrect, and should it instead be "To use the queue by its name or ARN instead of the URL you will need: sqs:GetQueueUrl"?

PatrickGotthard avatar Mar 27 '25 14:03 PatrickGotthard

Hi @PatrickGotthard, thanks for bringing this up.

You're correct, the only situation where we don't need this permission is if the user provides the URL directly.

Would you like to contribute a PR with this change?

tomazfernandes avatar Apr 17 '25 22:04 tomazfernandes

Sure https://github.com/awspring/spring-cloud-aws/pull/1372 👍

PatrickGotthard avatar Apr 18 '25 08:04 PatrickGotthard

I just stumbled upon another "issue": do you know a use case where you only want to read the message but not delete (acknowledge) it?

PatrickGotthard avatar Apr 18 '25 15:04 PatrickGotthard

Hmm, yeah, I can think of such a use case.

For instance, you might want to read the message every e.g. 5 minutes until something happens.

But it might be useful to say explicitly that we need the delete permission to acknowledge messages.

What do you think?

tomazfernandes avatar Apr 18 '25 15:04 tomazfernandes

But even then you want to acknowledge the message "when something happens" or not? Strange use case but yes, we should mention that the delete permission is required to acknowledge messages. I'll create a pull request asap.

PatrickGotthard avatar Apr 18 '25 17:04 PatrickGotthard
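Added example, not from this issue or the spring-cloud-aws project: a small check that encodes the two points settled in the thread (sqs:GetQueueUrl is needed whenever the queue is given by name or ARN rather than URL, and sqs:DeleteMessage is needed to acknowledge messages) and reports which of those actions an IAM policy fails to grant. sqs:ReceiveMessage as the baseline action, the sample policy and the queue identifiers are assumptions.

```python
import fnmatch
import json

# Baseline action every consumer needs (assumed; the thread takes it for granted).
BASE_ACTIONS = {"sqs:ReceiveMessage"}

# Constructed sample policy written for URL-based access: no sqs:GetQueueUrl.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage"],
        "Resource": "arn:aws:sqs:us-east-1:123456789012:example-queue",
    }],
})

def queue_ref_kind(queue_ref: str) -> str:
    """Classify how the listener addresses the queue: url, arn or name."""
    if queue_ref.startswith("https://"):
        return "url"
    if queue_ref.startswith("arn:aws:sqs:"):
        return "arn"
    return "name"

def required_actions(queue_ref: str, acknowledge: bool) -> set:
    """Actions needed for this addressing mode and acknowledgement setting."""
    actions = set(BASE_ACTIONS)
    if queue_ref_kind(queue_ref) != "url":
        actions.add("sqs:GetQueueUrl")    # a name or ARN must be resolved to a URL
    if acknowledge:
        actions.add("sqs:DeleteMessage")  # acknowledging deletes the message
    return actions

def allowed_patterns(policy: dict) -> list:
    """Collect Action patterns from Allow statements (dict or list, str or list)."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    patterns = []
    for stmt in stmts:
        if stmt.get("Effect") == "Allow":
            act = stmt.get("Action", [])
            patterns += [act] if isinstance(act, str) else list(act)
    return patterns

def missing_actions(policy_json: str, queue_ref: str, acknowledge: bool) -> set:
    """Required actions the policy does not grant (IAM action wildcards honoured)."""
    pats = [p.lower() for p in allowed_patterns(json.loads(policy_json))]
    return {a for a in required_actions(queue_ref, acknowledge)
            if not any(fnmatch.fnmatchcase(a.lower(), p) for p in pats)}
```

The check covers only the action list the thread is about; it ignores Resource constraints and Deny statements, so a passing result still needs the resource ARN reviewed by hand.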