Update: It looks as if the actual answer is the CLI tool simply offers limited functionality when it comes to permissions unless you want to write your own policy document, but the first part of my answer was incorrect:
As I understand it, SQS permissions don't "deny" -- they only "allow", but the "allow" can be subject to conditions you can add in the console or via the API to associate other "but only if" tests with the permission such as date ranges and IP address ranges.
It looks like the design of the CLI is such that conditions [add: and policies with "Effect = Deny"] aren't handled by add-permission, which only supports simple grants... to attach conditions, you have to generate a policy document, which you can attach with set-queue-attributes.
add-permission writes an SQS-generated policy. If you want to write your own policy, use set-queue-attributes to upload your policy.
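As an added illustration (not part of the original answer), this sketch builds a policy document with a conditional Allow and a Deny statement, which add-permission cannot express, and wraps it in the string-valued "Policy" attribute that set-queue-attributes expects. The ARNs, account IDs, CIDR range, expiry date and the attrs.json file name are constructed placeholders, and the TLS-only Deny is just one illustrative choice of Deny statement.

```python
import json

# Constructed placeholders (assumptions, not values from the original answer).
QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:example-queue"
SENDER_ARN = "arn:aws:iam::444455556666:root"
ALLOWED_CIDR = "203.0.113.0/24"

def build_policy(queue_arn, principal_arn, cidr, not_after):
    """Allow SendMessage only from `cidr` until `not_after`, and deny
    every SQS action on the queue that arrives without TLS."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowSendFromKnownRange",
                "Effect": "Allow",
                "Principal": {"AWS": principal_arn},
                "Action": "sqs:SendMessage",
                "Resource": queue_arn,
                "Condition": {
                    "IpAddress": {"aws:SourceIp": cidr},
                    "DateLessThan": {"aws:CurrentTime": not_after},
                },
            },
            {
                "Sid": "DenyPlaintextTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "sqs:*",
                "Resource": queue_arn,
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }

def to_attributes(policy):
    """set-queue-attributes takes a map of strings, so the policy document
    is serialised to a JSON string and stored under the "Policy" key."""
    return {"Policy": json.dumps(policy, separators=(",", ":"))}

def attributes_file_text(policy):
    return json.dumps(to_attributes(policy), indent=2)

if __name__ == "__main__":
    policy = build_policy(QUEUE_ARN, SENDER_ARN, ALLOWED_CIDR, "2030-01-01T00:00:00Z")
    # Save output as attrs.json, then: aws sqs set-queue-attributes --queue-url <queue-url> --attributes file://attrs.json
    print(attributes_file_text(policy))
```

The policy is encoded twice on purpose: the attributes file is JSON, and the "Policy" value inside it is itself a JSON string rather than a nested object.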