Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied

There are many references to this error, but,

Below is the execution role created for the lambda (AWS::Serverless::Function):

{
  "permissionsBoundary": {
    "permissionsBoundaryArn": "arn:aws:iam::111222333444:policy/some-permission-boundary",
    "permissionsBoundaryType": "Policy"
  },
  "roleName": "some-role-WebhookSampleFunctionRol-6Z7GFHJYHO0T",
  "policies": [
    {
      "document": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "logs:CreateLogGroup",
              "logs:CreateLogStream",
              "logs:PutLogEvents"
            ],
            "Resource": "*"
          }
        ]
      },
      "name": "AWSLambdaBasicExecutionRole",
      "id": "ANDDDDDC42545SKXIK",
      "type": "managed",
      "arn": "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
    }
  ],
  "trustedEntities": [
    "lambda.amazonaws.com"
  ]
}

where some-permission-boundary is

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:111222333444:log-group:*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "sqs:*"
            ],
            "Resource": [
                "arn:aws:sqs:us-east-1:*:*"
            ],
            "Effect": "Allow"
        }
    ]
}

The lambda performs the operation below:

// Assumed setup (not shown in the original snippet): the callback-style
// sendMessage call below is the AWS SDK for JavaScript v2 API.
const AWS = require('aws-sdk');
const sqs = new AWS.SQS();

async function sendToQueue(message) {
  const params = {
    MessageBody: JSON.stringify(message),
    QueueUrl: process.env.queueUrl   // queue URL supplied through an environment variable
  };
  // Wrap the callback-style sendMessage in a Promise so it can be awaited.
  return new Promise((resolve, reject) =>
    sqs.sendMessage(params, (error, data) => error ? reject(error) : resolve())
  );
}

which gives the error:

"errorMessage": "Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied.",
    "errorType": "AccessDenied",

We gave sqs:* actions on any queue across accounts in some-permission-boundary.

Why is the lambda not able to send a message to the queue?

overexchange asked Aug 14 '19 01:08

1 Answer

A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity.

An entity's permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.

source: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html

You do include sqs:* in your permission boundary, but you did not include any sqs-related action in your lambda execution role's policy.

You should attach a policy with sqs permissions to your lambda execution role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "sqs:*"
            ],
            "Resource": [
                "arn:aws:sqs:us-east-1:*:*"
            ],
            "Effect": "Allow"
        }
    ]
}
congbaoguier answered Oct 02 '22 19:10
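The intersection rule the answer quotes, as an added JavaScript example that is not part of the question or the answer: a minimal evaluator for Allow-only policies, run over the role's policy and boundary from the question and the SQS policy from the answer. It assumes no Deny statements, no Condition keys and no queue (resource-based) policy; the queue and log-group ARNs are constructed placeholders.

```javascript
// Added example, not code from the question or answer: a minimal evaluator for
// Allow-only IAM policies applying the rule quoted in the answer: a request is
// permitted only if BOTH the identity policy AND the permissions boundary allow it.
// Assumptions: no explicit Deny, no Condition keys, no resource-based (queue) policies.

// Turn an IAM wildcard pattern ("sqs:*", "arn:aws:sqs:us-east-1:*:*") into a RegExp.
function wildcardToRegExp(pattern, flags) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\*/g, '.*').replace(/\?/g, '.') + '$', flags);
}

// Actions match case-insensitively ('i'), resource ARNs case-sensitively ('').
function matchesAny(patterns, value, flags) {
  return [].concat(patterns).some((p) => wildcardToRegExp(p, flags).test(value));
}

// True if some Allow statement covers both the action and the resource.
function policyAllows(policy, action, resource) {
  return policy.Statement.some((s) =>
    s.Effect === 'Allow' && matchesAny(s.Action, action, 'i') && matchesAny(s.Resource, resource, ''));
}

// Effective permission = (some identity policy allows) AND (the boundary allows).
function effectiveAllow(identityPolicies, boundary, action, resource) {
  return identityPolicies.some((p) => policyAllows(p, action, resource))
    && policyAllows(boundary, action, resource);
}

const LOG_ACTIONS = ['logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents'];
// Policies transcribed from the question (role policy, boundary) and the answer (sqsPolicy).
const basicExecutionRole = { Statement: [{ Effect: 'Allow', Action: LOG_ACTIONS, Resource: '*' }] };
const boundary = { Statement: [
  { Effect: 'Allow', Action: LOG_ACTIONS, Resource: ['arn:aws:logs:us-east-1:111222333444:log-group:*'] },
  { Effect: 'Allow', Action: ['sqs:*'], Resource: ['arn:aws:sqs:us-east-1:*:*'] },
] };
const sqsPolicy = { Statement: [{ Effect: 'Allow', Action: ['sqs:*'], Resource: ['arn:aws:sqs:us-east-1:*:*'] }] };

// Constructed sample ARNs (placeholder account id and names).
const QUEUE = 'arn:aws:sqs:us-east-1:111222333444:example-queue';
const OTHER_REGION_LOGS = 'arn:aws:logs:us-west-2:111222333444:log-group:/aws/lambda/example';

// Before the fix: the boundary allows SQS but no identity policy does -> AccessDenied.
const beforeFix = effectiveAllow([basicExecutionRole], boundary, 'sqs:SendMessage', QUEUE);
// After attaching the answer's policy: both sides allow -> the send is permitted.
const afterFix = effectiveAllow([basicExecutionRole, sqsPolicy], boundary, 'sqs:SendMessage', QUEUE);
// The boundary also caps the role: its policy says Resource "*" for logs, but the boundary
// only names us-east-1 log groups, so writing logs in another region is denied.
const crossRegionLogs = effectiveAllow([basicExecutionRole, sqsPolicy], boundary, 'logs:PutLogEvents', OTHER_REGION_LOGS);
```

The third check is the defender's reason to keep boundaries tight: even a role policy with Resource "*" cannot reach beyond what the boundary names.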