Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Lambda service throws error execution role does not have permissions to call receiveMessage on SQS

I have a SQS queue and I want to trigger a lambda function when a message arrives in the queue. I have written the lambda function and that works successfully when I click the "Test" button. When I go to SQS and try to configure it as a lambda trigger I see the error message below.

I have created the SQS queue and lambda function using the same user and role and the lambda function has execute permissions against the same role.

I also have also added SQS receiveMessage permission but it doesn't seem to make a difference unless I'm doing something wrong when I set it.

What could be causing the problem?

Thanks for any help

enter image description here

like image 447
user3165854 Avatar asked Apr 02 '19 10:04

user3165854


3 Answers

  • Hi as far as i can understand your lambda needs the following permission on it aws docs
  • Hope its not in a VPC.

aws_lambda_permission

  • Or may be give it a god mode on sqs:* just for testing it.

  • If that works maybe later on you can then go for specific methods only. Attached a policy for a lambda role you might have to change account_number to your account no if you need to invoke another lambda form this lambda

     {
     "Version": "2012-10-17",
     "Statement": [
         {
             "Sid": "",
             "Effect": "Allow",
             "Action": "lambda:InvokeFunction",
             "Resource": "arn:aws:lambda:eu-west-2:account_number:function:*"
         },
         {
             "Sid": "",
             "Effect": "Allow",
             "Action": [
                 "logs:PutLogEvents",
                 "logs:CreateLogStream",
                 "logs:CreateLogGroup"
             ],
             "Resource": "*"
         },
         {
             "Sid": "",
             "Effect": "Allow",
             "Action": [
                 "sqs:*"
             ],
             "Resource": "*"
         }
     ]
    

    }

like image 148
amittn Avatar answered Oct 21 '22 02:10

amittn


Although solution for this may have been achieved by now.. but since this thread was suggested to me at the top.. i will post the answer for other users:

I faced same issue even after giving SQS full access to user. The problem is with the lambda execution role. When lambda is created, it needs to be assigned a lambda execution role. Most users assign the auto-generated execution role while creating lambda. That execution role does not have permissions for SQS.

So open lambda >> Click Permissions tab >> edit execution role at the top >> assign SQS permissions >> boom.

[edit]This is now under Configuration >> Permissions

permissions tab showing execution role

like image 16
Harsh Math Avatar answered Oct 21 '22 01:10

Harsh Math


You need following permissions attached to the role, your lambda assumes

  • sqs:ReceiveMessage
  • sqs:DeleteMessage
  • sqs:GetQueueAttributes

In case you are using Terraform:

data "aws_iam_policy_document" "YOUR_DOCUMENT" {
  statement {
    sid       = "some_id"
    actions   = [
      "sqs:ReceiveMessage",
      "sqs:DeleteMessage",
      "sqs:GetQueueAttributes"
    ]
    resources = [
      aws_sqs_queue.YOUR_QUEUE.arn
    ]
  }
}

resource "aws_iam_policy" "YOUR_POLICY" {
  name   = "your_policy"
  policy = data.aws_iam_policy_document.YOUR_DOCUMENT.json
}

resource "aws_iam_role_policy_attachment" "POLICY_ATTACHMENT" {
  role       = aws_iam_role.YOUR_LAMBDA_ROLE.name
  policy_arn = aws_iam_policy.YOUR_POLICY.arn
}

resource "aws_lambda_function" "YOUR_LAMBDA" {
  ....
  role = aws_iam_role.YOUR_LAMBDA_ROLE.arn
  ....
}
like image 8
30thh Avatar answered Oct 21 '22 02:10

30thh