AWS SQS permissions for AWS Lambda

Question

I'm using the AWS SQS service, and I'm having a hard time defining permissions on my SQS queue. In my setup I'm using the AWS Lambda service, which is triggered when an object is pushed onto an S3 bucket.

However to keep my question briefly, this is what I want to achieve:

1. Object is pushed to a S3 bucket
2. S3 bucket triggers AWS Lambda
3. Lambda does some calculations, and push an event to my SQS queue (Permission needs to be defined)
4. Application reads from SQS

As you can read from previous use-case, I want my AWS Lambda method to be the only application, which can send a message to the SQS queue. I've tried to set a principal and a condition "sourceArn". But none of them work..

Can anyone help?

Answer 1

I don't think the SourceArn field gets populated by Lambda. I know SourceArn works for SNS, but Lambda is really running arbitrary code, not an AWS feature like SNS.

As an alternative, you can attach a policy to the IAM Role your Lambda function runs as.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1440529349000",
            "Effect": "Allow",
            "Action": [
                "sqs:SendMessage"
            ],
            "Resource": [
                "arn:aws:sqs:us-west-2:123456789012:test-queue"
            ]
        }
    ]
}

This method does not require a policy directly attached to the queue.