AWS SQS Introduction

Amazon Simple Queue Service (Amazon SQS) is a distributed message queuing service that lets applications send and receive messages programmatically through a web service API over the Internet. This post shows how to use this service from the command line.

Creating Admin Security group and User

It is a good security practice to create an admin group and a user associated with that group. This user will be responsible for administrative tasks such as creating or deleting queues.

Creating the Admins group

    aws iam create-group --group-name Admins

Setting admin access rules for the Admins group

We must define a policy that contains a set of permissions and then assign that policy to a group. To create the admin policy, first create a file named admin-policy.json and paste the code below:

    {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Allow",
        "Action": ["*"],
        "Resource": ["*"]
      }]
    }

Now we can assign the policy defined in the JSON file to the Admins group:

    aws iam put-group-policy --group-name Admins --policy-document file://admin-policy.json --policy-name AdminRoot

Creating the admin user

After creating the Admins group, it is a good idea to create an admin user and associate it with the Admins group; it is not recommended to use AWS with your main (root account) access keys.

    aws iam create-user --user-name mycloudadmin
    aws iam add-user-to-group --user-name mycloudadmin --group-name Admins

SQS and aws-cli

By typing aws sqs help we can see all the options available for this service. We can create a queue with the command below:

    aws sqs create-queue --queue-name MyQueue --region us-west-2

We can verify that the queue was created with the command aws sqs list-queues.

Creating a user with limited access to the queue

First of all we need to create a group named webapp:

    aws iam create-group --group-name webapp

Setting access rules for the webapp group

We want to give the webapp group SQS access limited to MyQueue. We will set up an access policy that allows the webapp group to send, receive and delete messages on MyQueue; create a file named sqs-policy.json with the following content:

    {
       "Version":"2012-10-17",
       "Statement" : [
          {
             "Effect":"Allow",
             "Action":["SQS:SendMessage",
                       "SQS:ReceiveMessage", "SQS:DeleteMessage"],
             "Resource":"arn:aws:sqs:*:123456789012:MyQueue"
          }
       ]
    }

You must change the resource ARN according to your own data; the format is arn:aws:sqs:region:account_ID:queue_name. Then attach the policy to the group:

    aws iam put-group-policy --group-name webapp --policy-document file://sqs-policy.json --policy-name webappSQS
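As an added example (not part of the original post), the following Python script builds a queue-scoped policy document from a region, account ID and queue name in the ARN format given above, and audits policy documents the way a reviewer would: it flags the all-actions/all-resources admin policy and the region wildcard left in the webapp policy. The two sample policies are copied from this post; the helper names (build_queue_policy, audit_policy) are my own, not aws-cli output.

```python
import re

# Sample policies copied from this post (constructed test input, not live IAM data).
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["*"], "Resource": ["*"]}]}
WEBAPP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["SQS:SendMessage", "SQS:ReceiveMessage", "SQS:DeleteMessage"],
     "Resource": "arn:aws:sqs:*:123456789012:MyQueue"}]}

# Queue ARN format from the post: arn:aws:sqs:region:account_ID:queue_name (region may be "*").
SQS_ARN = re.compile(r"^arn:aws:sqs:(?P<region>[a-z0-9-]+|\*):(?P<account>\d{12})"
                     r":(?P<queue>[A-Za-z0-9_-]{1,80}(?:\.fifo)?)$")

def as_list(value):  # IAM allows Action/Resource to be a single string or a list
    return value if isinstance(value, list) else [value]

def build_queue_policy(region, account_id, queue_name, actions):
    """Build a policy document scoped to one queue (hypothetical helper, not aws-cli)."""
    arn = f"arn:aws:sqs:{region}:{account_id}:{queue_name}"
    if not SQS_ARN.match(arn):
        raise ValueError(f"malformed queue ARN: {arn}")
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": list(actions), "Resource": arn}]}

def audit_policy(policy):
    """Return human-readable findings for every Allow statement in the document."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = as_list(stmt["Action"]), as_list(stmt["Resource"])
        if "*" in actions:
            findings.append(f"statement {i}: allows every action (admin-level)")
        touches_sqs = any(a.lower().startswith("sqs:") for a in actions)
        for res in resources:
            if res == "*":
                findings.append(f"statement {i}: applies to every resource")
            elif touches_sqs:
                match = SQS_ARN.match(res)
                if not match:
                    findings.append(f"statement {i}: {res!r} is not a valid SQS queue ARN")
                elif match.group("region") == "*":
                    findings.append(f"statement {i}: queue {match.group('queue')} in every region")
    return findings

if __name__ == "__main__":
    print(audit_policy(ADMIN_POLICY), audit_policy(WEBAPP_POLICY))
```

Pinning the region in the ARN (for example us-west-2, as in the queue URL used later in this post) removes the only finding the audit raises against the webapp policy.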

Creating the user

    aws iam create-user --user-name myweb
    aws iam create-access-key --user-name myweb
    aws iam add-user-to-group --user-name myweb --group-name webapp

Sending a message to the queue

    aws sqs send-message --queue-url https://us-west-2.queue.amazonaws.com/123456789012/MyQueue --message-body '{"msg": "hello world"}'

Reading a message from the queue

    aws sqs receive-message --queue-url https://us-west-2.queue.amazonaws.com/123456789012/MyQueue --max-number-of-messages 10
