Connecting to AWS
Credential modes, SSO, LocalStack, regions, and the IAM permissions Tarmac needs.
Credential Modes
Tarmac connects with one of three credential sources:
- AWS profile — reads
~/.aws/configand~/.aws/credentials. All profiles are listed, includingdefault. If a profile is SSO-based and the session has expired, Tarmac detects it and runsaws sso login --profile <name>for you, then retries — so an expired SSO session is a browser prompt, not a dead end. - Environment variables — standard
AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY(and session token). Set them before launching the app; Tarmac reads them at connection time. - AWS-compatible endpoint — a custom endpoint URL plus static access key and secret. This is how you point Tarmac at LocalStack or any other SQS-compatible service. The LocalStack preset defaults to
http://localhost:4566withtest/testcredentials and enables S3 path-style addressing so external payload retrieval works locally too.
Connections must pass Test connection (a live ListQueues call) before the Save button appears. On success Tarmac shows the latency in milliseconds. Saved connections auto-connect on the next launch.
Identity and Regions
After connecting, Tarmac resolves who you are via STS GetCallerIdentity (plus the IAM account alias when available) and displays it in the top bar as account-name (account-id). Glance at it before doing anything destructive — it is your guard against "wrong account" mistakes.
The region is switchable from the top bar without re-entering credentials. Tarmac ships with 14 regions: us-east-1, us-east-2, us-west-1, us-west-2, ca-central-1, sa-east-1, eu-west-1, eu-west-2, eu-west-3, eu-central-1, ap-southeast-1, ap-southeast-2, ap-northeast-1, ap-northeast-2. AWS-compatible endpoints accept a free-text region.
IAM Permissions
Follow least privilege: grant only what your workflow needs. As a reference, this is what each Tarmac feature calls:
| Feature | SQS / other actions |
|---|---|
| Queue list & metadata | sqs:ListQueues, sqs:GetQueueAttributes |
| Fetch & live tail | sqs:ReceiveMessage |
| Staged deletes | sqs:DeleteMessage |
| Resend / Edit & Resend | sqs:SendMessage |
| Redrive | sqs:SendMessage + sqs:DeleteMessage, sqs:ListDeadLetterSourceQueues |
| S3 payload retrieval | s3:GetObject (Tarmac issues HeadObject + ranged GetObject) |
| Identity display | sts:GetCallerIdentity, iam:ListAccountAliases (optional) |
| Policy Review | iam:List*/iam:Get* on your own identity's policies (optional) |
A read-only inspection setup needs only the first two rows. You can operate Tarmac usefully with zero write permissions — fetch, search, and inspect all work; only publishing staged actions will fail.
Policy Review
Queue Tools ▸ Policy Review evaluates your current credentials against the selected queue. It checks foundation access (listing queues, reading attributes) and per-queue actions, shows the supporting evidence (your identity policies, the queue policy, the redrive policy), and produces a copyable suggested IAM policy snippet scoped to what's missing. Use it when a fetch or publish fails with an access error — it turns "AccessDenied" into a concrete policy diff.
Separate profiles for read and write
Keep a read-only profile for day-to-day inspection and a second, write-capable profile for redrive sessions. Switching profiles in Tarmac takes seconds, and it makes "I can't accidentally delete anything right now" a property of your credentials rather than your discipline.