Tarmac

Connecting to AWS

Credential modes, SSO, LocalStack, regions, and the IAM permissions Tarmac needs.

Credential Modes

Tarmac connects with one of three credential sources:

  1. AWS profile — reads ~/.aws/config and ~/.aws/credentials. All profiles are listed, including default. If a profile is SSO-based and the session has expired, Tarmac detects it and runs aws sso login --profile <name> for you, then retries — so an expired SSO session is a browser prompt, not a dead end.
  2. Environment variables — standard AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY (and session token). Set them before launching the app; Tarmac reads them at connection time.
  3. AWS-compatible endpoint — a custom endpoint URL plus static access key and secret. This is how you point Tarmac at LocalStack or any other SQS-compatible service. The LocalStack preset defaults to http://localhost:4566 with test/test credentials and enables S3 path-style addressing so external payload retrieval works locally too.

Connections must pass Test connection (a live ListQueues call) before the Save button appears. On success Tarmac shows the latency in milliseconds. Saved connections auto-connect on the next launch.

Identity and Regions

After connecting, Tarmac resolves who you are via STS GetCallerIdentity (plus the IAM account alias when available) and displays it in the top bar as account-name (account-id). Glance at it before doing anything destructive — it is your guard against "wrong account" mistakes.

The region is switchable from the top bar without re-entering credentials. Tarmac ships with 14 regions: us-east-1, us-east-2, us-west-1, us-west-2, ca-central-1, sa-east-1, eu-west-1, eu-west-2, eu-west-3, eu-central-1, ap-southeast-1, ap-southeast-2, ap-northeast-1, ap-northeast-2. AWS-compatible endpoints accept a free-text region.

IAM Permissions

Follow least privilege: grant only what your workflow needs. As a reference, this is what each Tarmac feature calls:

FeatureSQS / other actions
Queue list & metadatasqs:ListQueues, sqs:GetQueueAttributes
Fetch & live tailsqs:ReceiveMessage
Staged deletessqs:DeleteMessage
Resend / Edit & Resendsqs:SendMessage
Redrivesqs:SendMessage + sqs:DeleteMessage, sqs:ListDeadLetterSourceQueues
S3 payload retrievals3:GetObject (Tarmac issues HeadObject + ranged GetObject)
Identity displaysts:GetCallerIdentity, iam:ListAccountAliases (optional)
Policy Reviewiam:List*/iam:Get* on your own identity's policies (optional)

A read-only inspection setup needs only the first two rows. You can operate Tarmac usefully with zero write permissions — fetch, search, and inspect all work; only publishing staged actions will fail.

Policy Review

Queue Tools ▸ Policy Review evaluates your current credentials against the selected queue. It checks foundation access (listing queues, reading attributes) and per-queue actions, shows the supporting evidence (your identity policies, the queue policy, the redrive policy), and produces a copyable suggested IAM policy snippet scoped to what's missing. Use it when a fetch or publish fails with an access error — it turns "AccessDenied" into a concrete policy diff.

Separate profiles for read and write

Keep a read-only profile for day-to-day inspection and a second, write-capable profile for redrive sessions. Switching profiles in Tarmac takes seconds, and it makes "I can't accidentally delete anything right now" a property of your credentials rather than your discipline.

On this page