Menu
There are many references to this error, but,
Below is the execution role created for lambda(AWS::Serverless::Function):
{
"permissionsBoundary": {
"permissionsBoundaryArn": "arn:aws:iam::111222333444:policy/some-permission-boundary",
"permissionsBoundaryType": "Policy"
},
"roleName": “some-role-WebhookSampleFunctionRol-6Z7GFHJYHO0T",
"policies": [
{
"document": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "*"
}
]
},
"name": "AWSLambdaBasicExecutionRole",
"id": "ANDDDDDC42545SKXIK",
"type": "managed",
"arn": "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}
],
"trustedEntities": [
"lambda.amazonaws.com"
]
}
where some-permission-boundary is
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:us-east-1:111222333444:log-group:*"
],
"Effect": "Allow",
},
{
"Action": [
"sqs:*"
],
"Resource": [
"arn:aws:sqs:us-east-1:*:*"
],
"Effect": "Allow",
}
]
}
lambda performs below operation:
async function sendToQueue(message) {
const params = {
MessageBody: JSON.stringify(message),
QueueUrl: process.env.queueUrl
};
return new Promise((resolve, reject) =>
sqs.sendMessage(params, (error, data) => error ? reject(error) : resolve())
);
}
that gives error:
"errorMessage": "Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied.",
"errorType": "AccessDenied",
We gave sqs:* actions to any queue across accounts in some-permission-boundary
Why lambda is not able to send message to queue?
556
Amazon Simple Notification Service (Amazon SNS) is a web service that makes it easy to set up, operate, and send notifications from the cloud.
SQS is a regional service, that is highly available within a single region. There is no cross-region replication capability.
A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity.
An entity's permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.
source: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
You do include sqs:* in your permission boundary, but you did not include any sqs related action in your lambda execution role's policy.
You should attach a policy with sqs permissions to your lambda execution role:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sqs:*"
],
"Resource": [
"arn:aws:sqs:us-east-1:*:*"
],
"Effect": "Allow",
}
]
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
