I am trying to create SQS using the AWS Java SDK. I do not have an access key and key ID; I go into the AWS console with a link provided by my company. It is role-based SAML access (federated login). Whenever I try creating SQS from Java code, either I get a 403 error (if I do not write any code for credentials), or I run into more errors if I try with the code specified in AWS blogs for federated users.

I have tried following code but it does not work:

import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.auth.policy.Policy;
import com.amazonaws.auth.policy.Resource;
import com.amazonaws.auth.policy.Statement;
import com.amazonaws.auth.policy.actions.SQSActions;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.Credentials;
import com.amazonaws.services.securitytoken.model.GetFederationTokenRequest;
import com.amazonaws.services.securitytoken.model.GetFederationTokenResult;
import com.amazonaws.services.sqs.AmazonSQSAsync;
import com.amazonaws.services.sqs.AmazonSQSAsyncClientBuilder;
import com.amazonaws.services.sqs.model.CreateQueueRequest;

// STS client; credentials come from the default provider chain (env vars, profile, ...).
AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder
        .standard()
        .withCredentials(new DefaultAWSCredentialsProviderChain())
        .withRegion(Regions.EU_WEST_1)
        .build();

GetFederationTokenRequest getFederationTokenRequest = new GetFederationTokenRequest();
getFederationTokenRequest.setDurationSeconds(7200);
getFederationTokenRequest.setName("<username>@<company>.com");

// Define the policy and add it to the request.
Policy policy = new Policy();
policy.withStatements(new Statement(Statement.Effect.Allow)
        .withActions(SQSActions.AllSQSActions)
        .withResources(new Resource("arn:aws:sqs:::test-queue")));
getFederationTokenRequest.setPolicy(policy.toJson());

// Get the temporary security credentials.
GetFederationTokenResult federationTokenResult = stsClient.getFederationToken(getFederationTokenRequest);
Credentials sessionCredentials = federationTokenResult.getCredentials();

// Package the session credentials as a BasicSessionCredentials.
BasicSessionCredentials basicSessionCredentials = new BasicSessionCredentials(
        sessionCredentials.getAccessKeyId(),
        sessionCredentials.getSecretAccessKey(),
        sessionCredentials.getSessionToken());

// Build the SQS client with the temporary credentials.
AmazonSQSAsync amazonSQS = AmazonSQSAsyncClientBuilder.standard()
        .withCredentials(new AWSStaticCredentialsProvider(basicSessionCredentials))
        .withRegion(Regions.EU_WEST_1)
        .build();

CreateQueueRequest request = new CreateQueueRequest("wifi-test-queue");
String result = amazonSQS.createQueue(request).getQueueUrl();

The above code does not work unfortunately. I am sure that my account has permissions to create/access SQS because I am able to achieve similar things with Terraform.

Can someone please help me with how to create a resource with such an account?

Sumit Jindal
  • Hi! An important question is whether you want to run this code on the AWS platform. If you do, you should use an execution role. Do you run the code on AWS later? If this is the case I would help you get it running. Greetings Dominik – DominikHelps Aug 17 '19 at 10:46
  • Unfortunately I could not get an answer/solution to this issue, so I changed my approach and put everything related to AWS resource creation to Terraform script instead, and just access the SQS from Java code using spring-cloud-messaging module. – Sumit Jindal Aug 20 '19 at 07:28
  • @SumitJindal, what did you set in your AWS provider? IAM role ARN or access keys? – Abdullah Khawer Aug 21 '19 at 08:33
  • @slashdottir does the altered IAM role work for you? – mewa Aug 22 '19 at 12:19
  • I am not actively working on this right now, and as I mentioned I created the resources using a Terraform script and accessed them using my Java code. – Sumit Jindal Aug 23 '19 at 09:36

1 Answer

You need to include wildcards for the AWS region and account number:

new Resource("arn:aws:sqs:*:*:test-queue")

You can test an equivalent IAM policy using the IAM simulator:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sqs:CreateQueue",
            "Resource": "arn:aws:sqs:*:*:test-queue"
        }
    ]
}
mewa