Amazon ElasticBeanStalk Worker Tier cannot connect to SQS

6
votes

Currently I'm having issues to allow my worker to connect to SQS. Here is the log: 

2014-07-21T21:37:26Z error: AWS::SQS::Errors::AccessDenied: Access to the resource https://sqs.eu-west-1.amazonaws.com/343152361204/dev-compose-request is denied.

dev-compose-request is the name of the Queue.

I am able to post messages from my other ElasticBeanStalk WebApp (server-tier) into this Queue.

My Worker Tier is in a security-group which allows any outbound connection.

1
amazon-web-servicesamazon-elastic-beanstalk
Oddly enough, a plain vanilla Worker-Tier with a sample Queue also get these access denied errors.Pepster
I am seeing the same behavior.YWCA Hello

1 Answers

10
votes

Sounds similar to: AWS Beanstalk Worker can't start SQS daemon aws-sqsd

http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.roles.aeb.html#AWSHowTo.iam.policies.actions.worker

Can you make sure the IAM Instance profile associated with your environment (may be named aws-elasticbeanstalk-ec2-role but could be named something else as well) has all permissions listed in the link above? (Copied below for reference)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "QueueAccess",
      "Action": [
        "sqs:ChangeMessageVisibility",
        "sqs:DeleteMessage",
        "sqs:ReceiveMessage"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "MetricsAccess",
      "Action": [
        "cloudwatch:PutMetricData"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}