SQS queues can only be accessed by IAM principals within the same AWS account by default.

Here’s how you can grant access to an SQS queue in one AWS account (the "resource account") to an IAM principal in another AWS account (the "requester account"). This is a common pattern for decoupling services running in different AWS environments.

Let’s say:

  • Resource Account: Account ID 111122223333, owns the SQS queue my-cross-account-queue.
  • Requester Account: Account ID 444455556666, has an IAM user or role arn:aws:iam::444455556666:user/RequesterUser that needs to access the queue.

1. Granting Permissions in the Resource Account (Account 111122223333)

This is the core of cross-account access. You need to modify the SQS queue’s access policy to explicitly allow principals from the requester account.

The Access Policy:

This is a JSON document attached directly to the SQS queue. It defines who can perform what actions on this specific queue.

{
  "Version": "2012-10-17",
  "Id": "QueuePolicy-CrossAccountAccess",
  "Statement": [
    {
      "Sid": "AllowCrossAccountSendReceiveDelete",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::444455556666:user/RequesterUser"
      },
      "Action": [
        "sqs:SendMessage",
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage",
        "sqs:GetQueueAttributes"
      ],
      "Resource": "arn:aws:sqs:us-east-1:111122223333:my-cross-account-queue"
    }
  ]
}

Explanation:

  • "Effect": "Allow": This explicitly grants permission.
  • "Principal": { "AWS": "arn:aws:iam::444455556666:user/RequesterUser" }: This is the key part. It specifies the exact IAM principal (user or role) from the requester account that is allowed to perform the actions. You can also specify an entire account ID ("AWS": "111122223333") if you want to allow any principal from that account, but it’s generally more secure to be specific.
  • "Action": [...]: These are the SQS API actions that the principal is allowed to perform. Common actions include SendMessage, ReceiveMessage, and DeleteMessage. GetQueueAttributes is often needed to inspect queue properties.
  • "Resource": "arn:aws:sqs:us-east-1:111122223333:my-cross-account-queue": This specifies the SQS queue ARN that these permissions apply to.

How to Apply the Policy:

You can do this via the AWS Management Console, AWS CLI, or SDKs.

AWS Console:

  1. Navigate to the SQS console in the resource account (111122223333).
  2. Select your queue my-cross-account-queue.
  3. Go to the "Access policy" tab.
  4. Click "Edit".
  5. Paste the JSON policy above into the editor.
  6. Click "Save".

AWS CLI: First, retrieve the queue ARN so the policy's Resource field matches the queue exactly:

QUEUE_URL=https://sqs.us-east-1.amazonaws.com/111122223333/my-cross-account-queue

# Fetch the queue ARN so the policy's Resource matches the queue exactly
QUEUE_ARN=$(aws sqs get-queue-attributes \
    --queue-url "$QUEUE_URL" \
    --attribute-names QueueArn \
    --query 'Attributes.QueueArn' \
    --output text)

# Construct the policy (the Resource is filled in from the ARN fetched above)
POLICY='{
  "Version": "2012-10-17",
  "Id": "QueuePolicy-CrossAccountAccess",
  "Statement": [
    {
      "Sid": "AllowCrossAccountSendReceiveDelete",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::444455556666:user/RequesterUser"
      },
      "Action": [
        "sqs:SendMessage",
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage",
        "sqs:GetQueueAttributes"
      ],
      "Resource": "'"$QUEUE_ARN"'"
    }
  ]
}'

# --attributes takes a map whose Policy value is the policy as a JSON *string*.
# The Key=Value shorthand breaks on the commas inside the JSON, so build the
# map with jq, which also escapes the embedded quotes correctly.
aws sqs set-queue-attributes \
    --queue-url "$QUEUE_URL" \
    --attributes "$(jq -n --arg policy "$POLICY" '{Policy: $policy}')"

Note: The get-queue-attributes command above only fetches the QueueArn; you still construct the POLICY JSON string yourself, as shown, with a Resource that matches your queue. Be aware that set-queue-attributes replaces the entire Policy attribute: if the queue already has an access policy, fetch it with --attribute-names Policy and add the new statement to it, otherwise the existing grants are lost.
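Because set-queue-attributes overwrites the whole Policy attribute, a safer way to apply the statement above is to read the current policy, merge the new statement in, and write the result back. The following Python helper is an added example, not code from the original page or from AWS; it assumes a boto3 SQS client is passed in, reuses the page's constructed account IDs and queue name, and refuses wildcard principals so the queue is never opened to anonymous callers.

```python
import json
from typing import Any, Dict, Optional

# Constructed values mirroring the page's scenario (added example, not the page's own code).
QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:my-cross-account-queue"
REQUESTER_ARN = "arn:aws:iam::444455556666:user/RequesterUser"

def cross_account_statement(principal_arn: str, queue_arn: str) -> Dict[str, Any]:
    """The least-privilege statement from section 1, for one principal and one queue."""
    return {
        "Sid": "AllowCrossAccountSendReceiveDelete",
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": ["sqs:SendMessage", "sqs:ReceiveMessage",
                   "sqs:DeleteMessage", "sqs:GetQueueAttributes"],
        "Resource": queue_arn,
    }

def merge_queue_policy(existing_policy: Optional[str], statement: Dict[str, Any]) -> Dict[str, Any]:
    """Return the queue policy with `statement` merged in, keeping the existing statements.

    set-queue-attributes replaces the whole Policy attribute, so writing only the new
    statement would silently drop whatever the queue already granted. A statement with
    the same Sid is replaced rather than duplicated, and wildcard principals are rejected.
    """
    principal = statement["Principal"]
    aws = principal if isinstance(principal, str) else principal.get("AWS", [])
    if "*" in ([aws] if isinstance(aws, str) else aws):
        raise ValueError("refusing to grant queue access to a wildcard principal")
    policy = json.loads(existing_policy) if existing_policy else {"Version": "2012-10-17"}
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    policy["Statement"] = [s for s in statements if s.get("Sid") != statement["Sid"]] + [statement]
    return policy

def apply_statement(sqs, queue_url: str, statement: Dict[str, Any]) -> Dict[str, Any]:
    """Read-merge-write the queue policy. `sqs` is a boto3 SQS client (hypothetical caller supplies it)."""
    attrs = sqs.get_queue_attributes(QueueUrl=queue_url, AttributeNames=["Policy"])
    merged = merge_queue_policy(attrs.get("Attributes", {}).get("Policy"), statement)
    sqs.set_queue_attributes(QueueUrl=queue_url, Attributes={"Policy": json.dumps(merged)})
    return merged
```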

2. Granting Permissions in the Requester Account (Account 444455556666)

The IAM principal in the requester account also needs an identity-based policy that allows the SQS API actions: for cross-account access, both the queue's access policy in the resource account and the principal's IAM policy in the requester account must allow the call. The IAM policy should name the cross-account queue ARN directly; a broader Resource (all queues in the resource account, or any queue at all) also works but grants more than is needed, as the alternatives below show.

IAM Policy Example (for RequesterUser):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAccessToSpecificCrossAccountQueue",
      "Effect": "Allow",
      "Action": [
        "sqs:SendMessage",
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage",
        "sqs:GetQueueAttributes"
      ],
      "Resource": "arn:aws:sqs:us-east-1:111122223333:my-cross-account-queue"
    }
  ]
}

Explanation:

  • "Resource": "arn:aws:sqs:us-east-1:111122223333:my-cross-account-queue": This IAM policy explicitly grants permission to interact with the specific SQS queue in the other account.

Alternative (More Permissive): If the requester needs to send messages to multiple queues in the resource account, or to queues in multiple resource accounts, you might use a broader Resource statement:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSQSAccessToTargetAccount",
      "Effect": "Allow",
      "Action": [
        "sqs:SendMessage",
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage",
        "sqs:GetQueueAttributes"
      ],
      "Resource": "arn:aws:sqs:us-east-1:111122223333:*" // Allows access to all queues in account 111122223333
    }
  ]
}

Or even more broadly, allowing access to queues in any account (use with extreme caution):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSQSAccessGlobally",
      "Effect": "Allow",
      "Action": [
        "sqs:SendMessage",
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage",
        "sqs:GetQueueAttributes"
      ],
      "Resource": "*" // Allows access to any SQS queue
    }
  ]
}

Best Practice: Always use the most specific Resource ARN possible.

How to Apply the Policy:

This policy is attached to the IAM user or role (RequesterUser) in the requester account (444455556666).

AWS Console:

  1. Navigate to the IAM console in the requester account (444455556666).
  2. Go to "Users" and select RequesterUser, or go to "Roles" and select the relevant role.
  3. Go to the "Permissions" tab.
  4. Click "Add permissions" -> "Create inline policy" (or "Attach policies directly" if you’re managing customer-managed policies).
  5. Select "JSON" and paste the policy above.
  6. Click "Review policy" and then "Create policy".

AWS CLI:

aws iam put-user-policy \
    --user-name RequesterUser \
    --policy-name CrossAccountSQSAccess \
    --policy-document '{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowAccessToSpecificCrossAccountQueue",
          "Effect": "Allow",
          "Action": [
            "sqs:SendMessage",
            "sqs:ReceiveMessage",
            "sqs:DeleteMessage",
            "sqs:GetQueueAttributes"
          ],
          "Resource": "arn:aws:sqs:us-east-1:111122223333:my-cross-account-queue"
        }
      ]
    }'

(Replace put-user-policy with put-role-policy if you’re attaching to a role).

Testing

From the requester account (444455556666), using the RequesterUser (or a role that RequesterUser assumes):

# Send a message
aws sqs send-message \
    --queue-url https://sqs.us-east-1.amazonaws.com/111122223333/my-cross-account-queue \
    --message-body "Hello from requester account!"

# Receive a message
aws sqs receive-message \
    --queue-url https://sqs.us-east-1.amazonaws.com/111122223333/my-cross-account-queue

# Delete the message (using the receipt handle from receive-message)
aws sqs delete-message \
    --queue-url https://sqs.us-east-1.amazonaws.com/111122223333/my-cross-account-queue \
    --receipt-handle <receipt-handle-from-receive-message>

If you encounter AccessDenied errors, double-check both the SQS queue’s access policy (resource account) and the IAM principal’s policy (requester account) for typos, incorrect ARNs, or missing permissions.
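To see why a working cross-account call needs both the queue's access policy (section 1) and the requester's IAM policy (section 2), and to narrow down which side is producing an AccessDenied, here is a small evaluator over the two policies from this page. It is an added example, not AWS's policy engine, and deliberately models only the basics of IAM evaluation (explicit Deny wins, wildcards in Action and Resource, account-level principals); Condition, NotAction/NotResource, SCPs and permission boundaries are not modelled. The diagnose function and the sample policies are constructed for illustration.

```python
import fnmatch
from typing import Any, Dict, List, Optional, Union

# Constructed policies copied from the page's scenario (added example, not the page's own code).
QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:my-cross-account-queue"
REQUESTER_ARN = "arn:aws:iam::444455556666:user/RequesterUser"
ACTIONS = ["sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"]
QUEUE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowCrossAccountSendReceiveDelete", "Effect": "Allow",
     "Principal": {"AWS": REQUESTER_ARN}, "Action": ACTIONS, "Resource": QUEUE_ARN}]}
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAccessToSpecificCrossAccountQueue", "Effect": "Allow",
     "Action": ACTIONS, "Resource": QUEUE_ARN}]}

def _as_list(value: Union[str, List[str], Dict[str, Any]]) -> List[Any]:
    return value if isinstance(value, list) else [value]

def _matches(patterns: Union[str, List[str]], value: str) -> bool:
    """IAM-style wildcard match (* and ?) for Action and Resource elements."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _principal_matches(principal: Any, caller_arn: str) -> bool:
    """A bare account ID or its :root ARN covers every principal in that account."""
    account = caller_arn.split(":")[4]
    allowed = _as_list(principal if isinstance(principal, str) else principal.get("AWS", []))
    return any(p in ("*", caller_arn, account, f"arn:aws:iam::{account}:root") for p in allowed)

def _policy_allows(policy: Dict[str, Any], action: str, resource: str,
                   caller_arn: Optional[str] = None) -> bool:
    """Simplified evaluation: an explicit Deny wins, otherwise any matching Allow grants."""
    allowed = False
    for s in _as_list(policy["Statement"]):
        if not _matches(s["Action"], action) or not _matches(s["Resource"], resource):
            continue
        if caller_arn is not None and not _principal_matches(s["Principal"], caller_arn):
            continue  # resource policies carry a Principal; identity policies do not
        if s["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def diagnose(caller_arn: str, action: str, queue_arn: str, queue_policy: Dict[str, Any] = QUEUE_POLICY,
             identity_policy: Dict[str, Any] = IDENTITY_POLICY) -> str:
    """Cross-account calls need BOTH policies to allow; report which side would return AccessDenied."""
    if not _policy_allows(queue_policy, action, queue_arn, caller_arn):
        return "denied by queue access policy (resource account)"
    if not _policy_allows(identity_policy, action, queue_arn):
        return "denied by IAM policy (requester account)"
    return "allowed"
```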

The next error you’ll hit is likely a throttling error if you’re making too many requests too quickly, or a QueueDeleted error if the queue is removed.
