I'm writing a Lambda function (in Java) that should add a message to an SQS queue.
The Lambda has permission to access any SQS queue (AmazonSQSFullAccess):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "sqs:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
My code is using a standard SQS client:

import com.amazonaws.regions.Regions;
import com.amazonaws.services.sqs.AmazonSQS;
import com.amazonaws.services.sqs.AmazonSQSClientBuilder;
import com.amazonaws.services.sqs.model.ListQueuesResult;
import com.amazonaws.services.sqs.model.SendMessageRequest;

// Default credential chain (the Lambda execution role), region eu-north-1
private final AmazonSQS sqs = AmazonSQSClientBuilder.standard()
        .withRegion(Regions.EU_NORTH_1)
        .build();

The problem is that the Lambda never finishes (it times out) when trying to get the list of queues or send a message:

// Both of these calls hang until the function timeout
ListQueuesResult result = sqs.listQueues();

SendMessageRequest sendMsgRequest = new SendMessageRequest()
        .withQueueUrl(queueUrl)
        .withMessageBody(assetBody)
        .withDelaySeconds(0);
sqs.sendMessage(sendMsgRequest);

My question is whether I should provide credentials when instantiating the SQS client (the Lambda is scripted with Terraform, so it's not easy/nice to do it), or am I doing something else wrong?
Lambda timeout is set to 30s now.
Thanks, Chris
If there were a permission issue, you would get an error like access denied or unauthorized. This looks like the function is not able to communicate with SQS at all (network timeout).
All Lambda functions outside a VPC should be able to access any resource on the internet. That being said, it looks like the Lambda function here is inside a VPC.
When a Lambda function is inside a VPC and it wants to access the internet (in this case SQS), the Lambda function should be in a private subnet of the VPC, with the default route of that subnet pointing to a NAT gateway in a public subnet of that VPC.
https://aws.amazon.com/premiumsupport/knowledge-center/internet-access-lambda-function/
Other than this, check the security group linked with the Lambda function; it should have an outbound rule allowing all traffic on all ports. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-security-groups.html#adding-security-group-rule