Can't Create SQS Queue From Docker-based Lambda


Hi all,

I'm writing a Lambda function in Python to create SQS queues when specific events occur via EventBridge. The function is then packaged as a Docker image. When I try to create the queue using the create_queue client method

import boto3

sqs = boto3.client("sqs")

# sqs = boto3.client("sqs", endpoint_url="")


In either case I receive

An error occurred (AccessDenied) when calling the CreateQueue operation: Access to the resource is denied.

even though the Lambda function has the correct sqs:CreateQueue policy attached to its role.

    "Statement": [
            "Action": [
            "Resource": [
            "Effect": "Allow"

The lambda IS NOT attached to any VPC.

I tried ZIP-based and console-created functions and the error does not occur.

Does anybody have any idea about why I receive the error when the function is packaged as Docker image?

Many thanks!

posted 2 years ago, 688 views
3 Answers
Accepted answer

The IAM policy on your lambda function must not have the correct permissions. There are a few things to try:

  1. Can you temporarily grant sqs:* permissions instead of just CreateQueue and test that?
  2. Can you look at CloudTrail to see which API calls are getting denied?
answered 2 years ago
  • Thanks everybody for your replies!

    I figured out that the problem was about how the CreateQueue API returns the error message. Although the error was saying that I was not authorised to execute the CreateQueue operation, the missing authorisation was not for that operation but for the TagQueue one.

    Part of the code was trying to call

    sqs.create_queue(QueueName="my-test-queue", tags={"Key1": "Value1"})

    which internally, it seems, calls the TagQueue operation. Of course, the TagQueue operation requires the sqs:TagQueue permission, which was not present in the role. The CreateQueue API response was catching the internal TagQueue error and reporting it as if something had happened at the CreateQueue level.

    I hope this can help others who are running into these kind of issues.

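As an added example (not code from the original post or from the AWS SDK), here is the least-privilege policy for a create_queue call with tags, plus a wrapper that turns the misleading AccessDenied into a message naming both actions the call needs. The FakeSqsClient and FakeClientError classes, the region, account id and queue URL are constructed for the offline demo; with a real boto3 client the wrapper works unchanged, because botocore's ClientError exposes the same .response dict.

```python
"""Least-privilege policy for create_queue(... tags=...) and a wrapper that
turns the misleading AccessDenied into a message naming every action.
FakeSqsClient/FakeClientError are constructed stand-ins so it runs offline."""
import json


def required_actions(tags=None):
    """IAM actions a boto3 create_queue(QueueName=..., tags=...) call exercises.
    With tags, SQS also authorises sqs:TagQueue, but a denial is still reported
    against the CreateQueue operation (the pitfall found in the thread)."""
    actions = ["sqs:CreateQueue"]
    if tags:
        actions.append("sqs:TagQueue")
    return actions


def least_privilege_policy(queue_name, region, account_id, tags=None):
    """Policy document scoped to the one queue ARN the function will create
    (region and account id are illustrative placeholders)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": required_actions(tags),
            "Resource": f"arn:aws:sqs:{region}:{account_id}:{queue_name}",
        }],
    }


class FakeClientError(Exception):
    """Shaped like botocore.exceptions.ClientError: exposes .response."""

    def __init__(self, code, operation):
        super().__init__(
            f"An error occurred ({code}) when calling the {operation} operation")
        self.response = {"Error": {"Code": code}}


class FakeSqsClient:
    """Constructed stand-in for boto3.client("sqs"): authorises each action a
    call needs and reports any failure against CreateQueue, as SQS does."""

    def __init__(self, allowed_actions):
        self.allowed = set(allowed_actions)

    def create_queue(self, QueueName, tags=None):
        for action in required_actions(tags):
            if action not in self.allowed:
                raise FakeClientError("AccessDenied", "CreateQueue")
        # Constructed URL; a real client returns the queue's actual URL.
        return {"QueueUrl": f"https://sqs.eu-west-1.amazonaws.com/123456789012/{QueueName}"}


def create_queue_checked(sqs, queue_name, tags=None):
    """Call create_queue and, on AccessDenied, raise PermissionError listing
    every action the call needs rather than only the operation SQS names.
    Works with a real boto3 client: ClientError carries the same .response."""
    kwargs = {"QueueName": queue_name}
    if tags:
        kwargs["tags"] = tags  # sent only when given, so sqs:TagQueue is only needed then
    try:
        return sqs.create_queue(**kwargs)
    except Exception as exc:
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code != "AccessDenied":
            raise
        needed = " and ".join(required_actions(tags))
        raise PermissionError(
            f"{exc}; the execution role must allow {needed} on this queue "
            "(check CloudTrail for the denied call)") from exc


if __name__ == "__main__":
    print(json.dumps(least_privilege_policy(
        "my-test-queue", "eu-west-1", "123456789012", {"Key1": "Value1"}), indent=2))
    role_without_tagqueue = FakeSqsClient(["sqs:CreateQueue"])
    try:
        create_queue_checked(role_without_tagqueue, "my-test-queue", {"Key1": "Value1"})
    except PermissionError as err:
        print(err)
```

The wrapper deliberately does not catch the exception type by name, so the same function runs against the fake client and a real boto3 client without importing botocore in the tests; in production code a plain `except botocore.exceptions.ClientError` is the idiomatic form.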

If the lambda works fine when deployed using a zip file or from the console, then there is no issue with IAM permissions.

If it is not working as expected only when it is deployed as a container, then there must be some issue with the container configuration. Please make sure you have followed the steps as mentioned in this blog post -

Have you tested the container locally?

AWS
answered 2 years ago


I agree with Indranil. It's probably a configuration issue in the container. My first guess would be that you have set one or more environment variables in the image:


If you run the shell command env, it will print all your environment variables; you can do this at the end of your Dockerfile or when the Lambda starts. You can also unset them with this command in your Dockerfile:


Or the image has a ~/.aws/... directory, so that the program picks up the wrong credentials (not the ones from your role). If this is the case, run this in your Dockerfile:

 RUN rm -rf ~/.aws

Find more info about how the boto3 client reads its credentials here:

Good luck!

answered 2 years ago
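As an added example (not code from the original answer), the check below audits a container image for the credential sources this answer names: static keys in the environment, profile and file overrides, and a ~/.aws directory baked into the image. It relies on one documented fact, that Lambda hands the execution role's credentials to the runtime as temporary credentials with AWS_SESSION_TOKEN set, so an access key without a session token did not come from the role. The sample environments and the temporary home directory are constructed for the demo.

```python
"""Audit a container image's environment and home directory for credential
settings that would shadow the Lambda execution role. Sample environments and
the temporary home directory are constructed for the demo."""
import os
import tempfile

# Environment settings boto3's credential chain consults before falling back
# to the role; AWS_ENDPOINT_URL (honoured by recent botocore releases) would
# additionally redirect every SQS call to another endpoint.
LOOKUP_VARS = ("AWS_PROFILE", "AWS_SHARED_CREDENTIALS_FILE",
               "AWS_CONFIG_FILE", "AWS_ENDPOINT_URL")


def audit_credential_sources(environ, home):
    """Return a list of findings; an empty list means only the role applies."""
    findings = []
    # Lambda injects the role's *temporary* credentials, which always include
    # AWS_SESSION_TOKEN; a key without a token was baked into the image.
    if environ.get("AWS_ACCESS_KEY_ID") and not environ.get("AWS_SESSION_TOKEN"):
        findings.append("static access key in AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY")
    for var in LOOKUP_VARS:
        if environ.get(var):
            findings.append(f"{var} set to {environ[var]!r}")
    for name in ("credentials", "config"):
        path = os.path.join(home, ".aws", name)
        if os.path.isfile(path):
            findings.append(f"{path} present in image")
    return findings


def demo():
    """Constructed image: a ~/.aws/credentials file plus a static key and a
    profile in the environment. Returns the three resulting findings."""
    with tempfile.TemporaryDirectory() as home:
        aws_dir = os.path.join(home, ".aws")
        os.makedirs(aws_dir)
        with open(os.path.join(aws_dir, "credentials"), "w") as fh:
            fh.write("[default]\naws_access_key_id = AKIAEXAMPLE\n"
                     "aws_secret_access_key = example\n")
        env = {"AWS_ACCESS_KEY_ID": "AKIAEXAMPLE",
               "AWS_SECRET_ACCESS_KEY": "example",
               "AWS_PROFILE": "dev"}
        return audit_credential_sources(env, home)


if __name__ == "__main__":
    # At container start (before the handler) run it against the real values.
    for finding in audit_credential_sources(os.environ, os.path.expanduser("~")):
        print("WARNING:", finding)
```

Running the audit at startup and failing loudly is cheaper than reading CloudTrail after the fact: a finding here means the SDK may be signing requests with something other than the execution role, which explains an AccessDenied that the role's policy cannot.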
