Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied

Question

There are many references to this error, but none of them seemed to match my question. Below is the execution role I created for my Lambda(AWS::Serverless::Function):

{
    "permissionsBoundary": {
        "permissionsBoundaryArn": "arn:aws:iam::111222333444:policy/some-permission-boundary",
        "permissionsBoundaryType": "Policy"
    },
    "roleName": "some-role-WebhookSampleFunctionRol-6Z7GFHJYHO0T",
    "policies": [
        {
            "document": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Action": [
                            "logs:CreateLogGroup",
                            "logs:CreateLogStream",
                            "logs:PutLogEvents"
                        ],
                        "Resource": "*"
                    }
                ]
            },
            "name": "AWSLambdaBasicExecutionRole",
            "id": "ANDDDDDC42545SKXIK",
            "type": "managed",
            "arn": "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
        }
    ],
    "trustedEntities": [
        "lambda.amazonaws.com"
    ]
}

where some-permission-boundary is

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:111222333444:log-group:*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "sqs:*"
            ],
            "Resource": [
                "arn:aws:sqs:us-east-1:*:*"
            ],
            "Effect": "Allow"
        }
    ]
}

The source of the Lambda is below, which sends a message to the SQS queue.

async function sendToQueue(message) {
    const params = {
        MessageBody: JSON.stringify(message),
        QueueUrl: process.env.queueUrl
    };
    return new Promise((resolve, reject) =>
        sqs.sendMessage(params, (error, data) => error ? reject(error) : resolve())
    );
}

However, when I run the Lambda function, it gives me the following error:

    "errorMessage": "Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied.",
        "errorType": "AccessDenied",

---

We gave sqs:* actions to any queue across accounts in some-permission-boundary

---

Why is lambda not able to send message to the queue?

Answer 1

A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity.

An entity's permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.

source: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html

You do include sqs:* in your permission boundary, but you did not include any sqs related action in your lambda execution role's policy.

You should attach a policy with sqs permissions to your lambda execution role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "sqs:*"
            ],
            "Resource": [
                "arn:aws:sqs:us-east-1:*:*"
            ],
            "Effect": "Allow",
        }
    ]
}