Can't Create SQS Queue From Docker-based Lambda

Question

Hi all,

I'm write a lambda function in Python to create SQS queues when specific events occur via EventBridge. The function is then packaged as a Docker image. When I try to create the queue using the `create_queue` client method

```
import boto3

sqs = boto3.client("sqs")

// sqs = boto3.client("sqs", endpoint_url="https://sqs.us-east-1.amazonaws.com")

sqs.create_queue(QueueName="my-test-queue")
```

I receive either

```
An error occurred (AccessDenied) when calling the CreateQueue operation: Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied.
```
or 
```
An error occurred (AccessDenied) when calling the CreateQueue operation: Access to the resource https://sqs.amazonaws.com/ is denied.
```
even though the Lambda function has the correct `sqs:CreateQueue` policy attached to its role.

```
{
    "Statement": [
        {
            "Action": [
                "sqs:CreateQueue"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}
```
The lambda **IS NOT** attached to any VPC.

I tried to use ZIP based and console-created functions and the error does not occur.

**Does anybody have any idea about why I receive the error when the function is packaged as Docker image?**

Many thanks!

Accepted Answer

The IAM policy on your lambda function must not have the correct permissions. There are a few things to try:

1. Can you temporary grant `sqs:*` permissions instead of just CreateQueue and test that? 
2. Can you look at CloudTrail to see which API calls are getting denied?

Answer

Hello,

I agree with Indranil, It's probably a configuration issue in the container. My first guess would be that you have set one or more environment variables in the image:

* AWS_SECRET_ACCESS_KEY
* AWS_ACCESS_KEY_ID
* AWS_SESSION_TOKEN
* AWS_PROFILE

If you run the shell command `env`, it will print all your environment variables, you can do this at the end of your docker file or when the lambda starts.  You can also unset this with this command in your Dockerfile:

RUN unset AWS_ACCESS_KEY_ID; unset AWS_SECRET_ACCESS_KEY; unsetAWS_ACCESS_KEY_ID; unset AWS_PROFILE

Or that the image has a ~/.aws/... directory so that the program picks up the wrong credentials (not from your role). If this is the case, run this in your docker file:

RUN rm -rf ~/.aws

Find more info about how the boto3 client reads its credentials here: https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html

Good luck!

Answer

If the lambda works fine when deployed using a zip file or from the console, then there is no issue with IAM permissions.

If it is not working as expected only when it is deployed as a container, then there must be some issue with the container configuration. Please make sure you have followed the steps as mentioned in this blog post - https://aws.amazon.com/blogs/aws/new-for-aws-lambda-container-image-support/

Have you tested the container locally?

Can't Create SQS Queue From Docker-based Lambda

관련 콘텐츠