Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied
A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity.
An entity's permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.
source: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
You do include sqs:* in your permissions boundary, but you did not include any SQS-related action in your Lambda execution role's policy.
You should attach a policy with SQS permissions to your Lambda execution role:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "sqs:*"
            ],
            "Resource": [
                "arn:aws:sqs:us-east-1:*:*"
            ],
            "Effect": "Allow"
        }
    ]
}
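To make the "both must allow" rule concrete, here is an added example (not code from the answer or the question) that evaluates a request against a role's identity policies and its permissions boundary with a simplified IAM evaluator (wildcard Action/Resource matching only; no Condition, NotAction or NotResource). The policies are reconstructed from this thread and the account id is the one quoted in the comment.

```python
from fnmatch import fnmatchcase

# Constructed policies mirroring the thread: the role only has the basic
# logging policy, while the boundary allows logs and sqs:*.
LAMBDA_BASIC_EXECUTION = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                              "logs:PutLogEvents"]}],
}
SQS_POLICY = {  # the policy the answer says to attach
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["sqs:*"],
                   "Resource": ["arn:aws:sqs:us-east-1:*:*"]}],
}
BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": ["arn:aws:logs:us-east-1:111222333444:log-group:*"]},
        {"Effect": "Allow", "Action": ["sqs:*"],
         "Resource": ["arn:aws:sqs:us-east-1:*:*"]},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_decision(policies, action, resource):
    """Explicit Deny wins, otherwise any matching Allow allows, else implicit deny."""
    allowed = False
    for doc in policies:
        for stmt in doc["Statement"]:
            action_hit = any(fnmatchcase(action, p) for p in _as_list(stmt.get("Action", [])))
            resource_hit = any(fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource", [])))
            if action_hit and resource_hit:
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def effective_decision(identity_policies, boundary, action, resource):
    """With a boundary set, the request must be allowed by BOTH evaluations."""
    identity = policy_decision(identity_policies, action, resource)
    bound = policy_decision([boundary], action, resource)
    if identity == "Allow" and bound == "Allow":
        return "Allow"
    return "Deny (identity policy)" if identity != "Allow" else "Deny (permissions boundary)"
```

For a live check of a real role, `aws iam simulate-principal-policy --policy-source-arn <role arn> --action-names sqs:SendMessage` reports the same kind of decision, including whether the boundary or the identity policy caused the denial.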
Comments
-
overexchange almost 2 years
There are many references to this error, but,
Below is the execution role created for the Lambda (AWS::Serverless::Function):
{
    "permissionsBoundary": {
        "permissionsBoundaryArn": "arn:aws:iam::111222333444:policy/some-permission-boundary",
        "permissionsBoundaryType": "Policy"
    },
    "roleName": "some-role-WebhookSampleFunctionRol-6Z7GFHJYHO0T",
    "policies": [
        {
            "document": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Action": [
                            "logs:CreateLogGroup",
                            "logs:CreateLogStream",
                            "logs:PutLogEvents"
                        ],
                        "Resource": "*"
                    }
                ]
            },
            "name": "AWSLambdaBasicExecutionRole",
            "id": "ANDDDDDC42545SKXIK",
            "type": "managed",
            "arn": "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
        }
    ],
    "trustedEntities": [
        "lambda.amazonaws.com"
    ]
}
where some-permission-boundary is:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:111222333444:log-group:*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "sqs:*"
            ],
            "Resource": [
                "arn:aws:sqs:us-east-1:*:*"
            ],
            "Effect": "Allow"
        }
    ]
}
The Lambda performs the operation below:
const AWS = require('aws-sdk'); // added: the snippet assumes an SQS client named `sqs`
const sqs = new AWS.SQS();

async function sendToQueue(message) {
  const params = {
    MessageBody: JSON.stringify(message),
    QueueUrl: process.env.queueUrl
  };
  // Wrap the callback-style SDK call in a Promise so the handler can await it
  return new Promise((resolve, reject) =>
    sqs.sendMessage(params, (error, data) => (error ? reject(error) : resolve()))
  );
}
which gives the error:
"errorMessage": "Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied.", "errorType": "AccessDenied",
We gave sqs:* actions on any queue across accounts in some-permission-boundary.
Why is the Lambda not able to send a message to the queue?