There are many references to this error, but none of them seemed to match my question. Below is the execution role I created for my Lambda(AWS::Serverless::Function
):
{
"permissionsBoundary": {
"permissionsBoundaryArn": "arn:aws:iam::111222333444:policy/some-permission-boundary",
"permissionsBoundaryType": "Policy"
},
"roleName": "some-role-WebhookSampleFunctionRol-6Z7GFHJYHO0T",
"policies": [
{
"document": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "*"
}
]
},
"name": "AWSLambdaBasicExecutionRole",
"id": "ANDDDDDC42545SKXIK",
"type": "managed",
"arn": "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}
],
"trustedEntities": [
"lambda.amazonaws.com"
]
}
where some-permission-boundary
is
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:us-east-1:111222333444:log-group:*"
],
"Effect": "Allow"
},
{
"Action": [
"sqs:*"
],
"Resource": [
"arn:aws:sqs:us-east-1:*:*"
],
"Effect": "Allow"
}
]
}
The source of the Lambda is below, which sends a message to the SQS queue.
async function sendToQueue(message) {
const params = {
MessageBody: JSON.stringify(message),
QueueUrl: process.env.queueUrl
};
return new Promise((resolve, reject) =>
sqs.sendMessage(params, (error, data) => error ? reject(error) : resolve())
);
}
However, when I run the Lambda function, it gives me the following error:
"errorMessage": "Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied.",
"errorType": "AccessDenied",
We gave sqs:*
actions to any queue across accounts in some-permission-boundary
Why is lambda not able to send message to the queue?
A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity.
An entity's permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.
source: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
You do include sqs:* in your permission boundary, but you did not include any sqs related action in your lambda execution role's policy.
You should attach a policy with sqs permissions to your lambda execution role:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sqs:*"
],
"Resource": [
"arn:aws:sqs:us-east-1:*:*"
],
"Effect": "Allow",
}
]
}