AddPermission - Amazon Simple Queue Service
Request SyntaxRequest ParametersResponse ElementsErrorsExamplesSee Also

AddPermission

Adds a permission to a queue for a specific principal. This allows sharing access to the queue.

When you create a queue, you have full control access rights for the queue. Only you, the owner of the queue, can grant or deny permissions to the queue. For more information about these permissions, see Allow Developers to Write Messages to a Shared Queue in the Amazon SQS Developer Guide.

Note

  • AddPermission generates a policy for you. You can use SetQueueAttributes to upload your policy. For more information, see Using Custom Policies with the Amazon SQS Access Policy Language in the Amazon SQS Developer Guide.

  • An Amazon SQS policy can have a maximum of seven actions per statement.

  • To remove the ability to change queue permissions, you must deny permission to the AddPermission, RemovePermission, and SetQueueAttributes actions in your IAM policy.

  • Amazon SQS AddPermission does not support adding a non-account principal.

Note

Cross-account permissions don't apply to this action. For more information, see Grant cross-account permissions to a role and a username in the Amazon SQS Developer Guide.

Request Syntax

{
   "Actions": [ "string" ],
   "AWSAccountIds": [ "string" ],
   "Label": "string",
   "QueueUrl": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters.

The request accepts the following data in JSON format.

Actions

The action the client wants to allow for the specified principal. Valid values: the name of any action or *.

For more information about these actions, see Overview of Managing Access Permissions to Your Amazon Simple Queue Service Resource in the Amazon SQS Developer Guide.

Specifying SendMessage, DeleteMessage, or ChangeMessageVisibility for ActionName.n also grants permissions for the corresponding batch versions of those actions: SendMessageBatch, DeleteMessageBatch, and ChangeMessageVisibilityBatch.

Type: Array of strings

Required: Yes

AWSAccountIds

The AWS account numbers of the principals who are to receive permission. For information about locating the AWS account identification, see Your AWS Identifiers in the Amazon SQS Developer Guide.

Type: Array of strings

Required: Yes

Label

The unique identification of the permission you're setting (for example, AliceSendMessage). Maximum 80 characters. Allowed characters include alphanumeric characters, hyphens (-), and underscores (_).

Type: String

Required: Yes

QueueUrl

The URL of the Amazon SQS queue to which permissions are added.

Queue URLs and names are case-sensitive.

Type: String

Required: Yes

Response Elements

If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

Errors

For information about the errors that are common to all actions, see Common Errors.

InvalidAddress

The specified ID is invalid.

HTTP Status Code: 400

InvalidSecurity

The request was not made over HTTPS or did not use SigV4 for signing.

HTTP Status Code: 400

OverLimit

The specified action violates a limit. For example, ReceiveMessage returns this error if the maximum number of in flight messages is reached and AddPermission returns this error if the maximum number of permissions for the queue is reached.

HTTP Status Code: 400

QueueDoesNotExist

Ensure that the QueueUrl is correct and that the queue has not been deleted.

HTTP Status Code: 400

RequestThrottled

The request was denied due to request throttling.

  • Exceeds the permitted request rate for the queue or for the recipient of the request.

  • Ensure that the request rate is within the Amazon SQS limits for sending messages. For more information, see Amazon SQS quotas in the Amazon SQS Developer Guide.

HTTP Status Code: 400

UnsupportedOperation

Error code 400. Unsupported operation.

HTTP Status Code: 400

Examples

The following example query requests grant a SendMessage permission to the principal whose AWS account number is 177715257436 and a ReceiveMessage permission to the principal whose AWS account number is 111111111111. The structure of AUTHPARAMS depends on the signature of the API request. For more information, see Examples of Signed Signature Version 4 Requests in the AWS General Reference.

Example

Using AWS JSON protocol (Default)

Sample Request

POST / HTTP/1.1
Host: sqs.us-east-1.amazonaws.com
X-Amz-Target: AmazonSQS.AddPermission
X-Amz-Date: <Date>
Content-Type: application/x-amz-json-1.0
Authorization: <AuthParams>
Content-Length: <PayloadSizeBytes>
Connection: Keep-Alive 
{
    "QueueUrl": "https://sqs.us-east-1.amazonaws.com/177715257436/MyQueue/",
    "Label": "MyLabel",
    "Actions": ["SendMessage", "ReceiveMessage"],
    "AWSAccountIds": ["177715257436", "111111111111"]
}

Sample Response

HTTP/1.1 200 OK
x-amzn-RequestId: <requestId>
Content-Length: 0
Date: <Date>
Content-Type: application/x-amz-json-1.0

Example

Using AWS query protocol

Sample Request

POST /177715257436/MyQueue HTTP/1.1
Host: sqs.us-east-1.amazonaws.com
X-Amz-Date: <Date>
Content-Type: application/x-www-form-urlencoded
Authorization: <AuthParams>
Content-Length: <PayloadSizeBytes>
Connection: Keep-Alive 
Action=AddPermission
&Label=MyLabel
&AWSAccountId.1=177715257436
&ActionName.1=SendMessage
&AWSAccountId.2=111111111111
&ActionName.2=ReceiveMessage

Sample Response

HTTP/1.1 200 OK
<?xml version="1.0"?>
<AddPermissionResponse xmlns="http://queue.amazonaws.com/doc/2012-11-05/">
    <ResponseMetadata>
        <RequestId>b05e862e-c961-5213-bd8d-da5e6667b7d7</RequestId>
    </ResponseMetadata>
</AddPermissionResponse>

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: