We’d like to set up an AWS SQS Route, but our infrastructure has moved away from IAM keys and secrets for external access. Is it possible to get an AWS Account ID that we can use to set fine-grained security rules that will only allow the Blues Notehub AWS account to send messages into our queue?
We will review this request.
We use AWS’ fine-grained security rules internally so we understand your desire.
We’ve reviewed this and we definitely want to do it. However, we are currently only using a single production AWS Account ID that we don’t want to reveal. We are discussing setting up a second account for Notehub’s routing but that raises quite a few issues which will take some time to address.
I don’t think we will be able to do this until Q2 2026 but we’ll keep your request in mind and post when it’s done.
Thank you for the smart suggestion.
You can’t lock down SQS with a resource policy unless you have a dedicated AWS Account ID or role from Notehub. SQS only trusts accounts and roles, not “whoever has the access key.” If you don’t want to use IAM keys today, your only real choices are an intermediary (API Gateway, EventBridge, SNS) or STS assume-role if they ever add support for it. Otherwise, you’ll have to wait until they open a routing account for AWS SQS.
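Added example, not part of the thread and not a policy published by Blues: the kind of SQS queue policy the original request describes, which would grant `sqs:SendMessage` to a single sending account. The account IDs `111122223333` (sender) and `444455556666` (queue owner), the region, and the queue name `example-notehub-queue` are placeholders, since no routing account ID has been published.

```json
{
  "Version": "2012-10-17",
  "Id": "ExampleQueuePolicyWithPlaceholderValues",
  "Statement": [
    {
      "Sid": "AllowSendFromPlaceholderSenderAccountOnly",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:444455556666:example-notehub-queue"
    }
  ]
}
```

A principal of `arn:aws:iam::<account-id>:root` delegates to the whole sending account, so any identity there that its own IAM policies allow to call `sqs:SendMessage` can write to the queue. If the sender publishes a specific role ARN, using that as the principal narrows the grant further.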