Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied


A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity.

An entity's permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.

source: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html

You do include sqs:* in your permissions boundary, but you did not include any sqs-related action in your lambda execution role's policy.

You should attach a policy with sqs permissions to your lambda execution role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "sqs:*"
            ],
            "Resource": [
                "arn:aws:sqs:us-east-1:*:*"
            ],
            "Effect": "Allow"
        }
    ]
}
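The rule the answer quotes (a call is allowed only if both the identity-based policy and the permissions boundary allow it) is the whole diagnosis here. The following is an added example written for this page, not code from the question, the answer or AWS: a deliberately simplified evaluator that models that intersection for Allow-only policies and reports which side blocked a call. The three policy documents are constructed to mirror the ones in the question; the account id 111222333444 and the queue name are placeholders. Real IAM also evaluates explicit Deny, SCPs, session policies and resource-based policies, which this model leaves out.

```python
import fnmatch

# Constructed inputs modelled on the policies quoted in the question.
# Account id and queue/log-group names are placeholders, not real resources.
ACCOUNT = "111222333444"
QUEUE_ARN = "arn:aws:sqs:us-east-1:" + ACCOUNT + ":orders-queue"
LOG_GROUP_ARN = "arn:aws:logs:us-east-1:" + ACCOUNT + ":log-group:/aws/lambda/webhook"

# The role's permissions boundary (some-permission-boundary in the question).
PERMISSIONS_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": ["arn:aws:logs:us-east-1:" + ACCOUNT + ":log-group:*"]},
        {"Effect": "Allow", "Action": ["sqs:*"], "Resource": ["arn:aws:sqs:us-east-1:*:*"]},
    ],
}

# The only identity-based policy on the role before the fix (AWSLambdaBasicExecutionRole).
BASIC_EXECUTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
                   "Resource": "*"}],
}

# The policy the answer says to attach to the execution role.
SQS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["sqs:*"], "Resource": ["arn:aws:sqs:us-east-1:*:*"]}],
}


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value)


def _statements(policy):
    stmts = policy["Statement"]
    return [stmts] if isinstance(stmts, dict) else stmts


def _matches(pattern, value, case_sensitive):
    # IAM wildcards: '*' matches any run of characters (colons included), '?' one character.
    # Action names match case-insensitively; ARNs are case-sensitive.
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def policy_allows(policy, action, resource):
    """True if any Allow statement in this one policy document covers action on resource."""
    for stmt in _statements(policy):
        # Deny, NotAction and NotResource are outside this simplified model.
        if stmt.get("Effect") != "Allow" or "NotAction" in stmt or "NotResource" in stmt:
            continue
        action_ok = any(_matches(a, action, False) for a in _as_list(stmt.get("Action", [])))
        resource_ok = any(_matches(r, resource, True) for r in _as_list(stmt.get("Resource", [])))
        if action_ok and resource_ok:
            return True
    return False


def diagnose(identity_policies, boundary, action, resource):
    """Return (identity_allows, boundary_allows) so a denial can be attributed to the right side."""
    identity_allows = any(policy_allows(p, action, resource) for p in identity_policies)
    boundary_allows = policy_allows(boundary, action, resource)
    return identity_allows, boundary_allows


def is_allowed(identity_policies, boundary, action, resource):
    """Simplified decision for a role with a permissions boundary and no explicit Deny:
    the call succeeds only if the identity-based policies AND the boundary both allow it."""
    return all(diagnose(identity_policies, boundary, action, resource))


if __name__ == "__main__":
    before = [BASIC_EXECUTION_POLICY]
    after = before + [SQS_POLICY]
    print("before fix (identity, boundary):", diagnose(before, PERMISSIONS_BOUNDARY, "sqs:SendMessage", QUEUE_ARN))
    print("after fix  (identity, boundary):", diagnose(after, PERMISSIONS_BOUNDARY, "sqs:SendMessage", QUEUE_ARN))
```

Run as a script, it shows `(False, True)` before the fix: the boundary already permits sqs:SendMessage, and it is the identity side that is empty, which is exactly why adding sqs:* to the boundary alone changes nothing. The boundary still caps the role in the other direction: AWSLambdaBasicExecutionRole grants logs actions on `*`, but the evaluator reports `(True, False)` for a log group in another region because the boundary only covers us-east-1.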
Author: overexchange

Updated on June 09, 2022

Comments

  • overexchange (almost 2 years ago)

    There are many references to this error, but,

    Below is the execution role created for the lambda (AWS::Serverless::Function):

    {
      "permissionsBoundary": {
        "permissionsBoundaryArn": "arn:aws:iam::111222333444:policy/some-permission-boundary",
        "permissionsBoundaryType": "Policy"
      },
      "roleName": "some-role-WebhookSampleFunctionRol-6Z7GFHJYHO0T",
      "policies": [
        {
          "document": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Effect": "Allow",
                "Action": [
                  "logs:CreateLogGroup",
                  "logs:CreateLogStream",
                  "logs:PutLogEvents"
                ],
                "Resource": "*"
              }
            ]
          },
          "name": "AWSLambdaBasicExecutionRole",
          "id": "ANDDDDDC42545SKXIK",
          "type": "managed",
          "arn": "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
        }
      ],
      "trustedEntities": [
        "lambda.amazonaws.com"
      ]
    }
    

    where some-permission-boundary is

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "logs:CreateLogGroup",
                    "logs:CreateLogStream",
                    "logs:PutLogEvents"
                ],
                "Resource": [
                    "arn:aws:logs:us-east-1:111222333444:log-group:*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "sqs:*"
                ],
                "Resource": [
                    "arn:aws:sqs:us-east-1:*:*"
                ],
                "Effect": "Allow"
            }
        ]
    }
    

    The lambda performs the operation below:

    // SQS client from the AWS SDK for JavaScript v2 (assumed; the original omits its setup)
    const AWS = require('aws-sdk');
    const sqs = new AWS.SQS();

    async function sendToQueue(message) {
      const params = {
        MessageBody: JSON.stringify(message),
        QueueUrl: process.env.queueUrl   // queue URL injected through the function's environment
      };
      // wrap the callback-style API in a Promise so the caller can await it
      return new Promise((resolve, reject) =>
        sqs.sendMessage(params, (error, data) => error ? reject(error) : resolve())
      );
    }
    

    that gives the error:

    "errorMessage": "Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied.",
    "errorType": "AccessDenied",
    

    We gave sqs:* actions on any queue across accounts in some-permission-boundary.

    Why is the lambda not able to send a message to the queue?