Missing Required IAM Permission in Documentation: sqs:ChangeMessageVisibility #554

@miekassu

Issue

The AWS SQS documentation at docs/pages/guides/publish-from-sqs.mdx is missing a required IAM permission: sqs:ChangeMessageVisibility

Currently documented (lines 72-78):

- sqs:DeleteMessage
- sqs:GetQueueUrl
- sqs:ReceiveMessage

Why It's Required

When msg.Nack() is called (on message processing errors), GoCloud's SQS driver internally calls ChangeMessageVisibilityBatch to requeue the message for immediate retry.

Without this permission, the service fails and stops processing messages.

Error Experienced

{
  "level": "error",
  "caller": "api/api.go:253",
  "msg": "error running publishmq consumer",
  "error": "operation error SQS: ChangeMessageVisibilityBatch, https response error StatusCode: 403, api error AccessDenied: User: arn:aws:iam::<ACCOUNT>:user/<USER> is not authorized to perform: sqs:changemessagevisibility on resource: arn:aws:sqs:<REGION>:<ACCOUNT>:<QUEUE> because no identity-based policy allows the sqs:changemessagevisibility action"
}

Suggested Fix

Update documentation to include all four required permissions:

- sqs:ReceiveMessage
- sqs:DeleteMessage
- sqs:GetQueueUrl
- sqs:ChangeMessageVisibility

This applies to all SQS queues consumed by Outpost (Delivery, Log, and Publish queues).
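
An added example, not part of the original issue or the Outpost project's code: a small Python check that reports which of the four actions above an IAM identity policy fails to grant, including the wildcard, case-insensitive, and explicit-Deny cases. The function names, the sample policy, and its queue ARN are constructed for illustration; Resource, Condition and NotAction are not evaluated.

```python
import json
from fnmatch import fnmatchcase

# The four actions the issue lists under "Suggested Fix".
REQUIRED = ("sqs:ReceiveMessage", "sqs:DeleteMessage",
            "sqs:GetQueueUrl", "sqs:ChangeMessageVisibility")

def _as_list(value):
    # IAM allows "Action" (and "Statement") to be a single item or a list.
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def _matches(action, patterns):
    # IAM action names are case-insensitive; "*" and "?" are wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def missing_actions(policy, required=REQUIRED):
    """Required actions with no matching Allow, or hit by an explicit Deny.

    Simplification: Resource, Condition and NotAction are not evaluated.
    """
    allowed, denied = [], []
    for stmt in _as_list(policy.get("Statement")):
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        bucket.extend(_as_list(stmt.get("Action")))
    return [a for a in required
            if not _matches(a, allowed) or _matches(a, denied)]

# Constructed policy carrying only the three currently documented actions.
DOCUMENTED = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["sqs:DeleteMessage", "sqs:GetQueueUrl", "sqs:ReceiveMessage"],
    "Resource": "arn:aws:sqs:us-east-1:111122223333:example-queue"
  }]
}
""")

if __name__ == "__main__":
    print(missing_actions(DOCUMENTED))  # ['sqs:ChangeMessageVisibility']
```

Running such a check against each consumer's policy before deployment surfaces the gap without waiting for the first Nack to return a 403.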

Labels: bug (Something isn't working)

Status: Todo
