I have a SQS queue and I want to trigger a lambda function when a message arrives in the queue. I have written the lambda function and that works successfully when I click the "Test" button. When I go to SQS and try to configure it as a lambda trigger I see the error message below.
I have created the SQS queue and lambda function using the same user and role and the lambda function has execute permissions against the same role.
I have also added SQS receiveMessage permission but it doesn't seem to make a difference unless I'm doing something wrong when I set it.
What could be causing the problem?
Thanks for any help
Or maybe give it god mode on sqs:* just for testing it.
If that works, maybe later on you can then go for specific methods only. Attached is a policy for a lambda role; you might have to change account_number to your account number if you need to invoke another lambda from this lambda.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:eu-west-2:account_number:function:*"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "logs:PutLogEvents",
        "logs:CreateLogStream",
        "logs:CreateLogGroup"
      ],
      "Resource": "*"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "sqs:*"
      ],
      "Resource": "*"
    }
  ]
}
Although a solution for this may have been achieved by now, since this thread was suggested to me at the top, I will post the answer for other users:
I faced the same issue even after giving SQS full access to the user. The problem is with the lambda execution role. When a lambda is created, it needs to be assigned a lambda execution role. Most users assign the auto-generated execution role while creating the lambda. That execution role does not have permissions for SQS.
So open lambda >> Click Permissions tab >> edit execution role at the top >> assign SQS permissions >> boom.
[edit] This is now under Configuration >> Permissions
You need the following permissions attached to the role your lambda assumes.
In case you are using Terraform:
data "aws_iam_policy_document" "YOUR_DOCUMENT" {
  statement {
    sid = "some_id"
    actions = [
      "sqs:ReceiveMessage",
      "sqs:DeleteMessage",
      "sqs:GetQueueAttributes"
    ]
    resources = [
      aws_sqs_queue.YOUR_QUEUE.arn
    ]
  }
}

resource "aws_iam_policy" "YOUR_POLICY" {
  name   = "your_policy"
  policy = data.aws_iam_policy_document.YOUR_DOCUMENT.json
}

resource "aws_iam_role_policy_attachment" "POLICY_ATTACHMENT" {
  role       = aws_iam_role.YOUR_LAMBDA_ROLE.name
  policy_arn = aws_iam_policy.YOUR_POLICY.arn
}

resource "aws_lambda_function" "YOUR_LAMBDA" {
  ....
  role = aws_iam_role.YOUR_LAMBDA_ROLE.arn
  ....
}
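The answers above differ mainly in how much SQS access the execution role ends up with. The following is an added example, not code from any of the posts: a small offline check that reads an IAM policy document and reports which of the three actions from the Terraform answer are still missing for a given queue, and which SQS grants are wildcards. The function name `audit_policy`, the queue ARN and the three sample policies are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Actions the Lambda poller needs on the queue (the list from the Terraform answer).
REQUIRED = ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"]

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy, queue_arn):
    """Return (missing, overbroad) for one identity policy and one queue ARN.

    Simplification: only Allow statements with Action/Resource are read;
    Deny, NotAction, NotResource and Condition are ignored.
    """
    granted, overbroad = set(), []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt or "Resource" not in stmt:
            continue
        actions, resources = as_list(stmt["Action"]), as_list(stmt["Resource"])
        if not any(fnmatchcase(queue_arn, r) for r in resources):
            continue  # statement does not cover this queue
        # IAM action names are case-insensitive; '*' and '?' are wildcards.
        for need in REQUIRED:
            if any(fnmatchcase(need.lower(), a.lower()) for a in actions):
                granted.add(need)
        sqs_actions = [a for a in actions if a == "*" or a.lower().startswith("sqs:")]
        overbroad += [f"wildcard action {a}" for a in sqs_actions if "*" in a]
        if sqs_actions:
            overbroad += [f"wildcard resource {r}" for r in resources if "*" in r]
    return [a for a in REQUIRED if a not in granted], overbroad

# Constructed sample data: placeholder account id and queue name.
QUEUE_ARN = "arn:aws:sqs:eu-west-2:111122223333:example-queue"
LOGS_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
    "Resource": "*"}]}
GOD_MODE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["sqs:*"], "Resource": "*"}]}
SCOPED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": REQUIRED, "Resource": QUEUE_ARN}]}

if __name__ == "__main__":
    for name, doc in [("logs-only", LOGS_ONLY), ("sqs:*", GOD_MODE), ("scoped", SCOPED)]:
        print(name, audit_policy(doc, QUEUE_ARN))
```

The logs-only policy reports all three actions missing, the `sqs:*` policy satisfies the trigger but is flagged for both wildcards, and the scoped policy passes with no findings.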