SQS IAM Permissions incorrect for ARN listeners. #1364

Open
PatrickGotthard opened this issue Mar 27, 2025 · 5 comments
Labels
component: sqs SQS integration related issue type: documentation Documentation or Samples related issue

Comments

@PatrickGotthard
Contributor

PatrickGotthard commented Mar 27, 2025

Type: Question

Component:
SQS IAM documentation

Describe the bug
According to the documentation: "To use SqsListener with Sqs name instead of ARN you will need sqs:GetQueueUrl".

But I also had to grant this permission to be able to use @SqsListener("arn") or SQSTemplate.receiveMany("arn", Some.class).

Is the documentation incorrect, and should it instead be "To use the queue by its name or ARN instead of the URL you will need: sqs:GetQueueUrl"?

@PatrickGotthard PatrickGotthard changed the title Error in SQS IAM documentation? Bug in SQS IAM documentation? Mar 27, 2025
@tomazfernandes
Contributor

Hi @PatrickGotthard, thanks for bringing this up.

You're correct, the only situation where we don't need this permission is if the user provides the URL directly.

Would you like to contribute a PR with this change?

@tomazfernandes tomazfernandes changed the title Bug in SQS IAM documentation? SQS IAM Permissions incorrect for ARN listeners. Apr 17, 2025
@tomazfernandes tomazfernandes added component: sqs SQS integration related issue type: bug Something isn't working type: documentation Documentation or Samples related issue and removed type: bug Something isn't working labels Apr 17, 2025
PatrickGotthard added a commit to PatrickGotthard/spring-cloud-aws that referenced this issue Apr 18, 2025
@PatrickGotthard
Contributor Author

Sure #1372 👍

@PatrickGotthard
Contributor Author

I just stumbled upon another "issue": do you know a use case where you only want to read the message but not delete (acknowledge) it?

@tomazfernandes
Contributor

Hmm, yeah, I can think of such a use case.

For instance, you might want to read the message every e.g. 5 minutes until something happens.

But it might be useful to say explicitly that we need the delete permission to acknowledge messages.

What do you think?

@PatrickGotthard
Contributor Author

But even then you want to acknowledge the message "when something happens", or not? Strange use case, but yes, we should mention that the delete permission is required to acknowledge messages. I'll create a pull request ASAP.
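
The permission rules discussed in this thread, as an added example that is not code from the thread or from Spring Cloud AWS: a small check that lists which SQS actions an identity policy is missing for a given queue reference. The account id, queue name, function names and the URL test (an `http(s)://` prefix) are assumptions; only `Allow` statements are evaluated, `Deny` and `Condition` are ignored, and wildcard matching is approximated with `fnmatch`.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample: placeholder account id and queue name, not from the thread.
QUEUE_ARN = "arn:aws:sqs:eu-central-1:111122223333:orders"
QUEUE_URL = "https://sqs.eu-central-1.amazonaws.com/111122223333/orders"
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "sqs:ReceiveMessage",
     "Resource": "arn:aws:sqs:eu-central-1:111122223333:orders"}
  ]
}
""")


def required_actions(queue_ref, acknowledge=True):
    """Actions a listener needs for the way the queue is referenced."""
    needed = {"sqs:ReceiveMessage"}
    # Assumption: anything that is not an http(s) URL (a name or an ARN)
    # has to be resolved to a URL first, which needs sqs:GetQueueUrl.
    if not queue_ref.startswith(("http://", "https://")):
        needed.add("sqs:GetQueueUrl")
    # Acknowledging a message deletes it from the queue.
    if acknowledge:
        needed.add("sqs:DeleteMessage")
    return needed


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource_arn):
    """True if some Allow statement covers the action on the resource."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        # IAM action names are case-insensitive; '*' and '?' are wildcards.
        if any(fnmatchcase(action.lower(), a.lower()) for a in actions) and \
           any(fnmatchcase(resource_arn, r) for r in resources):
            return True
    return False


def missing_actions(policy, queue_ref, resource_arn, acknowledge=True):
    return sorted(a for a in required_actions(queue_ref, acknowledge)
                  if not is_allowed(policy, a, resource_arn))
```

With the sample policy, a listener given the queue URL and no acknowledgement is fully covered, while the same listener given the ARN is reported as missing `sqs:DeleteMessage` and `sqs:GetQueueUrl`.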
