Tags: amazon-web-services, aws-lambda, amazon-iam, amazon-sqs

SQS Queue with Cross-Account Lambda Trigger


I'm trying to setup an SQS Queue with a Lambda Trigger that uses a function in another AWS Account.

I'm not sure why I'm getting this error when I set up the lambda trigger: [screenshot of the error, not included]

I suspect it's due to the following:

  1. The role I'm using (accessing and modifying resources via the console) isn't allowed to set up the Lambda trigger. That feels odd to me, but maybe.
  2. Either the SQS Permissions Policy or Lambda Execution role is missing the permissions needed for this.

For more info here are those policies:

SQS Permission Policy:

{
  "Version": "2008-10-17",
  "Id": "arn:aws:sqs:eu-west-1:111111111111:crossaccount-sqs/SQSDefaultPolicy",
  "Statement": [
    {
      "Sid": "AllowedSQSPermissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::2222222222:role/service-role/test-print-role-vb8smvxi"
      },
      "Action": [
        "SQS:ReceiveMessage",
        "SQS:DeleteMessage",
        "SQS:GetQueueAttributes"
      ],
      "Resource": "arn:aws:sqs:eu-west-1:111111111111:sqs-lambda-demo"
    }
  ]
}

Lambda Execution Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "sqs:DeleteMessage",
                "sqs:ChangeMessageVisibility",
                "sqs:ReceiveMessage",
                "sqs:GetQueueAttributes",
                "logs:CreateLogGroup"
            ],
            "Resource": [
                "arn:aws:sqs:eu-west-1:111111111111:sqs-lambda-demo",
                "arn:aws:logs:eu-west-1:2222222222:*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:eu-west-1:2222222222:log-group:/aws/lambda/test-print:*"
        },
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "lambda:CreateEventSourceMapping"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Solution

  • The solution in case anyone is after it...

    The issue is not the policies. The policies are fine. The issue is the location you try to do it from. Lambda Triggers are weird within AWS. Despite being something you can set up in other locations, the trigger is an extension of the Lambda API, under EventSourceMapping. More than that, the trigger is an extension of the Lambda object, not the SQS queue. You can set up triggers at the Lambda as well as in other locations. Here's what I think is happening:

    Account A = Hosts Lambda
    Account B = Hosts SQS

    The Account A Lambda Execution Role is set up to allow the lambda to access the Account B SQS Queue.

    The Account B SQS Queue is set up to allow the Account A Lambda Execution Role to access the queue. My Admin Role in Account B tries to create an EventSourceMapping config that uses my SQS Queue and the Account A Lambda. Because there is nothing establishing my role's access to another account's resources, the error occurs. SQS doesn't have roles; it has resource-based policies. They can only enable things on their own resource, but they can't enable things on other resources. My role is being checked, and within Account B it's admin, but not in Account A. So we get the permission issue.

    The solution:

    In Account A, use the admin role in that account to create the EventSourceMapping config that enables my lambda to use the Account B SQS queue as the source (go to the lambda in the console and add the trigger there).

    This has worked. Just tested it and it works fine now. AWS Docs could be a lot clearer in this regard, but definite learning experience from this one.
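The answer's rule, as an added example that is not part of the original question or answer: the event source mapping belongs to the function, so CreateEventSourceMapping is called with credentials in the function's account (Account A), and it only succeeds once the queue's resource policy (Account B) and the execution role's identity policy (Account A) both grant the poller its SQS actions. The script below is a pre-flight checker that reads both policies, reports which account must create the mapping, flags missing grants, and prints the matching AWS CLI call. The account IDs, ARNs and policy documents are constructed placeholders modelled on the question (queue in 111111111111, function and role in 222222222222); the checker ignores Condition blocks and does glob matching only, so it is a coarse sanity check rather than an IAM policy simulator. Note also that lambda:CreateEventSourceMapping is needed by the principal creating the trigger, not by the execution role, which only needs the SQS actions.

```python
"""Pre-flight check for a cross-account SQS -> Lambda event source mapping.

Added example, not code from the original post. Account IDs, ARNs and
policy documents are constructed placeholders.
"""
import fnmatch
import json
from typing import Dict, Iterable, List, Optional, Set

# Actions the Lambda poller needs on the source queue. IAM action names are
# case-insensitive, so "SQS:ReceiveMessage" and "sqs:receivemessage" are equal.
REQUIRED_QUEUE_ACTIONS: Set[str] = {
    "sqs:receivemessage",
    "sqs:deletemessage",
    "sqs:getqueueattributes",
}


def account_id(arn: str) -> str:
    """Account field of an ARN: arn:partition:service:region:account:resource."""
    return arn.split(":", 5)[4]


def _as_list(value) -> List:
    return value if isinstance(value, list) else [value]


def _matches(patterns: Iterable[str], arn: str) -> bool:
    """Glob match as IAM does for '*' and '?' in Resource/Principal fields."""
    return any(fnmatch.fnmatchcase(arn, p) for p in patterns)


def actions_granted(policy: Dict, resource_arn: str, principal_arn: Optional[str] = None) -> Set[str]:
    """Lower-cased actions that Allow statements grant on resource_arn.

    For a resource policy pass principal_arn: only statements whose "AWS"
    principal names that ARN (or "*") count. For an identity policy pass None.
    Condition blocks are ignored, so this is a coarse check, not a simulator.
    """
    granted: Set[str] = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _matches(_as_list(stmt.get("Resource", [])), resource_arn):
            continue
        if principal_arn is not None:
            principal = stmt.get("Principal", {})
            aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
            if not _matches(_as_list(aws), principal_arn):
                continue
        for action in _as_list(stmt.get("Action", [])):
            action = action.lower()
            if action in ("*", "sqs:*"):
                granted |= REQUIRED_QUEUE_ACTIONS
            else:
                granted.add(action)
    return granted


def check_cross_account_trigger(queue_arn: str, function_arn: str, role_arn: str,
                                queue_policy: Dict, role_policy: Dict) -> Dict:
    """Return the account that must call CreateEventSourceMapping plus any policy gaps."""
    problems: List[str] = []
    if account_id(role_arn) != account_id(function_arn):
        problems.append("execution role and function are in different accounts")
    missing = REQUIRED_QUEUE_ACTIONS - actions_granted(queue_policy, queue_arn, role_arn)
    if missing:
        problems.append(f"queue policy does not grant {sorted(missing)} to {role_arn}")
    missing = REQUIRED_QUEUE_ACTIONS - actions_granted(role_policy, queue_arn)
    if missing:
        problems.append(f"execution role policy does not grant {sorted(missing)} on {queue_arn}")
    # The mapping is a Lambda resource, so it is created in the function's account.
    return {"create_mapping_in_account": account_id(function_arn), "problems": problems}


def create_mapping_command(function_arn: str, queue_arn: str, batch_size: int = 10) -> str:
    """AWS CLI call for the mapping; run it with credentials in the function's account."""
    return (
        "aws lambda create-event-source-mapping "
        f"--function-name {function_arn} --event-source-arn {queue_arn} --batch-size {batch_size}"
    )


# Constructed placeholders: Account B (111111111111) hosts the queue,
# Account A (222222222222) hosts the function and its execution role.
QUEUE_ARN = "arn:aws:sqs:eu-west-1:111111111111:sqs-lambda-demo"
FUNCTION_ARN = "arn:aws:lambda:eu-west-1:222222222222:function:test-print"
ROLE_ARN = "arn:aws:iam::222222222222:role/service-role/test-print-role"

QUEUE_POLICY = {  # resource policy attached to the queue in Account B
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowLambdaPoller",
        "Effect": "Allow",
        "Principal": {"AWS": ROLE_ARN},
        "Action": ["SQS:ReceiveMessage", "SQS:DeleteMessage", "SQS:GetQueueAttributes"],
        "Resource": QUEUE_ARN,
    }],
}

ROLE_POLICY = {  # identity policy on the execution role in Account A
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage",
                   "sqs:ChangeMessageVisibility", "sqs:GetQueueAttributes"],
        "Resource": QUEUE_ARN,
    }],
}

if __name__ == "__main__":
    result = check_cross_account_trigger(QUEUE_ARN, FUNCTION_ARN, ROLE_ARN, QUEUE_POLICY, ROLE_POLICY)
    print(json.dumps(result, indent=2))
    if not result["problems"]:
        print(create_mapping_command(FUNCTION_ARN, QUEUE_ARN))
```

Running the script with the sample policies reports no problems and that the mapping must be created in 222222222222; dropping SQS:GetQueueAttributes from the queue policy, or naming a role from a different account as the principal, surfaces the gap before you reach the console error.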