3
votes

I've run into a particularly vexing problem. I can easily connect to a native (one owned by my AWS account credentials) SQS queue using the boto SQS module. However, it appears AWS offers the ability to allow connection to non-native (owned by another AWS account) SQS queues using permissions. This is probably better described as a shared queue.

Is there a way to use boto to connect to a shared queue? I can't seem to find any methods or references in the boto code or documentation for performing such an operation.

1
It's not clear to me what you are trying to do. Are you trying to grant access to a specific AWS user? Or are you trying to grant anonymous access? Both are possible and both involve the use of a JSON policy file associated with the queue. See docs.aws.amazon.com/AWSSimpleQueueService/latest/… for more details. - garnaat
I have granted access to allow another AWS account to write messages to my account's queue. However, when I try to connect to my queue using another account I don't see a way to specify the queue belongs to a different account (my account versus the one connecting). When boto connects it simply creates the queue under the connecting account instead of using the queue already available in my account. - PlaidFan
To clarify: AWS Account A has a queue called my_queue. AWS Account B has no queues at all. AWS Account B has been granted permission to write to my_queue. However, when connecting via boto, my_queue is created under AWS Account B since there does not appear to be a way of telling boto at connect time that it should connect to AWS Account A's my_queue rather than its own my_queue. - PlaidFan
Does manually constructing boto.sqs.queue.Queue(boto.sqs.connection.SQSConnection('Account B Access Key', 'Account B Secret Key'), url='Account A my_queue URL') not work then? - Tomasz Łazarowicz

1 Answer

-1
votes

I'm under the impression that what you need is Identity and Access Management (IAM).

The other AWS account can create an IAM user, with the selection to also create an access key for it. That provides a pair of access key and secret access key, not unlike the ones for the regular AWS account you normally access the API with. Now you could customize the exact permissions for this IAM user.

It's my expectation that when this new IAM user's access key and secret access key are provided to boto in a regular fashion (to aws_access_key_id and aws_secret_access_key), they should work as expected.
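
Added example (not code from any poster in this thread, and not boto's own): the JSON queue policy mentioned in the comments, built for the Account A / Account B case with send-only access, plus a small audit that flags anonymous or wildcard grants. Account ids, region and the helper names are constructed for illustration.

```python
import json

# Constructed sample values, not from the thread.
OWNER, SENDER = "111111111111", "222222222222"  # "Account A", "Account B"
REGION, NAME = "us-east-1", "my_queue"

def queue_url(region, owner, name):
    # The owning account id is part of the URL, so this names Account A's
    # my_queue no matter whose credentials sign the request.
    return "https://sqs.%s.amazonaws.com/%s/%s" % (region, owner, name)

def send_only_policy(region, owner, name, sender):
    # Resource policy Account A attaches to its queue: one principal, one action.
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowAccountBSend",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::%s:root" % sender},
        "Action": "sqs:SendMessage",
        "Resource": "arn:aws:sqs:%s:%s:%s" % (region, owner, name),
    }]}

def as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def audit_policy(policy, trusted_accounts):
    """List (Sid, problem) for Allow statements that are anonymous, name an
    untrusted account, or use a wildcard action. Condition blocks are ignored,
    so a conditioned "*" principal is still reported."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        for p in as_list(aws):
            if p == "*":
                findings.append((sid, "anonymous principal"))
            elif not any(p == a or p.startswith("arn:aws:iam::%s:" % a)
                         for a in trusted_accounts):
                findings.append((sid, "untrusted principal " + p))
        if any(a.lower() in ("*", "sqs:*") for a in as_list(st.get("Action"))):
            findings.append((sid, "wildcard action"))
    return findings

# Constructed counter-example: anonymous access with every SQS action.
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Open", "Effect": "Allow", "Principal": "*",
    "Action": "SQS:*", "Resource": "arn:aws:sqs:us-east-1:111111111111:my_queue"}]}

if __name__ == "__main__":
    print(queue_url(REGION, OWNER, NAME))
    print(json.dumps(send_only_policy(REGION, OWNER, NAME, SENDER), indent=2))
    print(audit_policy(OPEN_POLICY, [OWNER, SENDER]))
```

The URL returned by queue_url is the kind of value the url= argument in Tomasz Łazarowicz's comment expects. The SQS GetQueueUrl API also accepts a QueueOwnerAWSAccountId parameter for resolving another account's queue by name.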