Question

I am trying to add a policy to an existing IAM user that can already perform CRUD on two S3 buckets. Here is the currently working policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "devcontrol",
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:Put*",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::blahimages/*",
        "arn:aws:s3:::blahvideos/*"
      ]
    }
  ]
}

An example policy from the documents for SQS is this:

{
   "Version": "2012-10-17",
   "Statement":[{
      "Effect":"Allow",
      "Action":"sqs:*",
      "Resource":"arn:aws:sqs:*:123456789012:bob_queue*"
      }
   ]
}

So I tried this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "devcontrol",
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:Put*",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::blahimages/*",
        "arn:aws:s3:::blahvideos/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "sqs:*",
      "Resource": "arn:aws:sqs:*:myarn"
    }
  ]
}

I did not get any parse errors, but the simulator was still returning denied for the SQS queue.

Also, really I just want this user to be able to add messages to the queue, receive them and delete them, whereas the above policy would add all actions, I believe.


Solution

Your SQS ARN is invalid: "arn:aws:sqs:*:myarn".

You should use arn:aws:sqs:<region name>:<account id>:<queue name> instead (you're missing the <account id>).

The region name might be replaced by a * if you want your policy to be valid in multiple regions. But the account id is mandatory, as queue names are unique only within an AWS master account and region.

See http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/SQSExamples.html for examples of valid SQS policies.
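As an added illustration (not part of the original question or answer), the following Python snippet checks an SQS ARN for the six-field shape the answer describes, flagging the asker's "arn:aws:sqs:*:myarn" for its missing account id, and then combines the existing S3 statement with a least-privilege SQS statement limited to sending, receiving and deleting messages. The region, account id and queue name used at the bottom are constructed placeholders, and the comment about sqs:GetQueueUrl is an assumption about how some SDK clients resolve a queue, not something the page states.

```python
import json

# Least-privilege set for "add messages, receive them and delete them".
# Assumption: SDK clients that look the queue up by name also need sqs:GetQueueUrl.
SQS_ACTIONS = ["sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage"]


def sqs_arn_problems(arn):
    """Return reasons an SQS ARN is malformed; an empty list means it looks valid.

    Expected shape: arn:aws:sqs:<region or *>:<12-digit account id>:<queue name>
    """
    parts = arn.split(":")
    if len(parts) != 6:
        return [f"expected 6 colon-separated fields, got {len(parts)}"]
    problems = []
    if parts[:3] != ["arn", "aws", "sqs"]:
        problems.append("ARN must start with arn:aws:sqs")
    if not parts[3]:
        problems.append("region is empty (use a region name or * for any region)")
    if not (len(parts[4]) == 12 and parts[4].isdigit()):
        problems.append("account id must be the 12-digit AWS account number")
    if not parts[5]:
        problems.append("queue name is empty")
    return problems


def build_policy(bucket_names, queue_arn):
    """Return the S3 CRUD statement plus a scoped SQS statement as a policy dict."""
    problems = sqs_arn_problems(queue_arn)
    if problems:
        raise ValueError("invalid SQS ARN: " + "; ".join(problems))
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "devcontrol",
                "Effect": "Allow",
                "Action": ["s3:Get*", "s3:Put*", "s3:DeleteObject", "s3:DeleteObjectVersion"],
                "Resource": [f"arn:aws:s3:::{b}/*" for b in bucket_names],
            },
            {"Sid": "queuecontrol", "Effect": "Allow", "Action": SQS_ACTIONS, "Resource": queue_arn},
        ],
    }


if __name__ == "__main__":
    print(sqs_arn_problems("arn:aws:sqs:*:myarn"))  # the asker's ARN: only 5 fields
    # Constructed placeholder region, account id and queue name; substitute your own.
    policy = build_policy(["blahimages", "blahvideos"], "arn:aws:sqs:us-east-1:123456789012:myqueue")
    print(json.dumps(policy, indent=2))
```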

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow