Lambda IAM Role Error --> The provided execution role does not have permissions to call SendMessage on SQS

0

Hello, I am trying to deploy a Lambda function using Terraform. The IAM role is created successfully and has the following inline policy statements attached to it:

{
  "Sid": "VisualEditor0",
  "Effect": "Allow",
  "Action": [
    "logs:CreateLogStream",
    "logs:PutLogEvents"
  ],
  "Resource": aws_cloudwatch_log_group.cloudwatch_log.arn
},
{
  "Sid": "VisualEditor1",
  "Effect": "Allow",
  "Action": "sqs:ListQueues",
  "Resource": "*"
},
{
  "Sid": "VisualEditor2",
  "Effect": "Allow",
  "Action": "sqs:*",
  "Resource": "arn:aws:sqs:us-east-1:012345678912:sqsqueue"
}

The Lambda function has a depends_on block to ensure that the execution role is created first and then the function.

The SQS queue is already created and has the following access policy. It is a standard queue with Amazon SQS key (SSE-SQS) encryption enabled.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "allow-account-access",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::012345678912:root"
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:012345678912:sqsqueue"
    }
  ]
}

Applying the Terraform template shows the error message: CreateFunction, https response error StatusCode: 400, RequestID: e97789ca-a746-04ae-a653-ce1b45936029, InvalidParameterValueException: The provided execution role does not have permissions to call SendMessage on SQS

Please can someone point out what I am doing wrong?

2 answers
1

Hello.

How about setting the SQS access policy a little wider as shown below?

{
  "Version": "2012-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__owner_statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::012345678912:root"
      },
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:us-east-1:012345678912:sqsqueue"
    }
  ]
}
EXPERT
answered 5 months ago
  • Thanks for replying. I did try it while clicking through the console, just to check whether I had written the Terraform template wrong... this turned out to be a Terraform dependency issue.

0

This turned out to be how Terraform creates resources: I had to take the policy out of the IAM role, so I ended up with 3 different resources: aws_iam_role, aws_iam_policy and aws_iam_role_policy_attachment.

I declared a depends_on for aws_iam_policy in aws_iam_role.

This is in addition to depends_on for aws_iam_role in aws_lambda_function.

answered 5 months ago
  • You don’t need to use depends_on unless in extreme circumstances. Terraform builds its own dependencies if used correctly. I don’t see why you would have issues here.
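The split into role, managed policy and attachment described in the answer above, written out as an added example (not the poster's template). It assumes the queue is the function's dead-letter target, which is what makes CreateFunction verify sqs:SendMessage up front, and all resource names (lambda_exec, lambda_sqs, fn) are invented; the function's depends_on points at the attachment rather than the role, because a reference to the role ARN alone does not wait for the permission to exist.

```hcl
# Added example, not the poster's configuration. Assumption: the queue below is
# the function's dead-letter target; resource names are invented.

resource "aws_iam_role" "lambda_exec" {
  name = "lambda-exec"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole",
                   Principal = { Service = "lambda.amazonaws.com" } }]
  })
}

# Least privilege: only SendMessage on the one queue, not sqs:* on it.
data "aws_iam_policy_document" "lambda_sqs" {
  statement {
    sid       = "AllowDlqSend"
    actions   = ["sqs:SendMessage"]
    resources = ["arn:aws:sqs:us-east-1:012345678912:sqsqueue"]
  }
}

resource "aws_iam_policy" "lambda_sqs" {
  name   = "lambda-sqs-send"
  policy = data.aws_iam_policy_document.lambda_sqs.json
}

resource "aws_iam_role_policy_attachment" "lambda_sqs" {
  role       = aws_iam_role.lambda_exec.name
  policy_arn = aws_iam_policy.lambda_sqs.arn
}

resource "aws_lambda_function" "fn" {
  function_name = "example-fn"
  role          = aws_iam_role.lambda_exec.arn # implicit dependency on the role only
  handler       = "index.handler"
  runtime       = "python3.12"
  filename      = "lambda.zip"

  dead_letter_config {
    target_arn = "arn:aws:sqs:us-east-1:012345678912:sqsqueue"
  }

  # Terraform orders this after the role, but not after the attachment, so
  # CreateFunction can run before the permission exists. Wait for it explicitly.
  depends_on = [aws_iam_role_policy_attachment.lambda_sqs]
}
```

A queue with SSE-SQS, as in the question, needs no KMS grant; a queue encrypted with a customer-managed KMS key would additionally require kms:GenerateDataKey on that key in the execution role.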
