I am trying to configure an SQS queue trigger for a lambda function, mainly following this guide.
The lambda function role has the relevant permissions on the SQS queue (ReceiveMessage, DeleteMessage, GetQueueAttributes).
The lambda function is inside a VPC.
On the other end, a VPC endpoint is configured (on the same VPC) to access the SQS queue (following the security best practices from AWS documentation), and a policy has been made to deny access if it is not from the VPC endpoint (similar to this policy).
The issue is that when I try to create the trigger, the following error is raised:
An error occurred when creating the trigger: The provided execution role does not have permissions to call ReceiveMessage on SQS (Service: AWSLambda; Status Code: 400; Error Code: InvalidParameterValueException; Request ID: [...]; Proxy: null)
Am I missing something? Does anyone know if it is possible to use both the VPC endpoint denial policy and a lambda trigger?
Notes:
The AWS Lambda SQS trigger functionality relies on a background process that polls the SQS queue. This is an AWS managed process that you have no control over. This process runs somewhere outside of your VPC. The process continually polls your SQS queue, and upon receiving messages will invoke your Lambda function, passing it the SQS messages in the invocation payload. The invoked Lambda function may be configured to run inside your VPC, but that managed process that is polling the SQS queue is not configured to run inside your VPC and currently there is no way to change that.
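As an added illustration (not code from the question, the answer, or AWS), here is a queue policy in the shape the question describes next to one that also exempts the Lambda execution role, plus a tiny evaluator that mimics how a missing `aws:sourceVpce` key behaves under `StringNotEquals`. The endpoint ID, role ARN and queue ARN are constructed placeholders, and exempting the execution role via `aws:PrincipalArn` is an assumption about how the managed poller presents its credentials, not something the answer states.

```python
import json

# Constructed placeholder values; replace with your own.
VPCE_ID = "vpce-0123456789abcdef0"
ROLE_ARN = "arn:aws:iam::123456789012:role/lambda-sqs-consumer-role"
QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:my-queue"


def deny_unless_vpce_policy(queue_arn, vpce_id):
    """Queue policy as in the question: deny every call not made via the endpoint."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyOutsideVpce", "Effect": "Deny", "Principal": "*",
        "Action": "sqs:*", "Resource": queue_arn,
        "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}}}]}


def deny_unless_vpce_or_role_policy(queue_arn, vpce_id, role_arn):
    """Same deny, but keys inside one StringNotEquals block are ANDed, so the
    statement only fires when the call is neither from the endpoint nor from the
    execution role.  Assumption: the managed poller calls SQS with the execution
    role's credentials and, being outside the VPC, has no aws:sourceVpce key."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyOutsideVpceExceptPoller", "Effect": "Deny", "Principal": "*",
        "Action": "sqs:*", "Resource": queue_arn,
        "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id,
                                          "aws:PrincipalArn": role_arn}}}]}


def _deny_statement_matches(statement, ctx):
    # IAM rule mimicked here: a negated operator on a key that is absent from the
    # request context evaluates to true, which is exactly why the poller is caught.
    for key, value in statement["Condition"]["StringNotEquals"].items():
        if ctx.get(key) == value:  # present and equal -> this clause does not hold
            return False
    return True


def is_denied(policy, ctx):
    """Minimal evaluator: only Deny statements with StringNotEquals conditions."""
    return any(s["Effect"] == "Deny" and _deny_statement_matches(s, ctx)
               for s in policy["Statement"])


# Constructed request contexts.  The poller has no aws:sourceVpce at all.
POLLER_CTX = {"aws:PrincipalArn": ROLE_ARN}
IN_VPC_CTX = {"aws:PrincipalArn": ROLE_ARN, "aws:sourceVpce": VPCE_ID}
STRANGER_CTX = {"aws:PrincipalArn": "arn:aws:iam::123456789012:user/someone-else"}

if __name__ == "__main__":
    original = deny_unless_vpce_policy(QUEUE_ARN, VPCE_ID)
    fixed = deny_unless_vpce_or_role_policy(QUEUE_ARN, VPCE_ID, ROLE_ARN)
    print(json.dumps(fixed, indent=2))
    for name, ctx in [("poller", POLLER_CTX), ("in-vpc", IN_VPC_CTX), ("stranger", STRANGER_CTX)]:
        print(f"{name}: original denies={is_denied(original, ctx)} fixed denies={is_denied(fixed, ctx)}")
```

Running it shows the original policy denying the poller's context while the adjusted one still denies the unrelated principal.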