Can't Create SQS Queue From Docker-based Lambda


Hi all,

I'm writing a Lambda function in Python to create SQS queues when specific events occur via EventBridge. The function is then packaged as a Docker image. When I try to create the queue using the create_queue client method

import boto3

sqs = boto3.client("sqs")

# sqs = boto3.client("sqs", endpoint_url="")


In either case I receive

An error occurred (AccessDenied) when calling the CreateQueue operation: Access to the resource is denied.

even though the Lambda function has the correct sqs:CreateQueue policy attached to its role.

    "Statement": [
        {
            "Action": ["sqs:CreateQueue"],
            "Resource": ["<resource ARN not shown in the original post>"],
            "Effect": "Allow"
        }
    ]

The lambda IS NOT attached to any VPC.

I tried to use ZIP-based and console-created functions and the error does not occur.

Does anybody have any idea about why I receive the error when the function is packaged as a Docker image?

Many thanks!

asked 2 years ago, 685 views
3 Answers
Accepted answer

The IAM policy on your lambda function must not have the correct permissions. There are a few things to try:

  1. Can you temporarily grant sqs:* permissions instead of just CreateQueue and test that?
  2. Can you look at CloudTrail to see which API calls are getting denied?
answered 2 years ago
  • Thanks everybody for your replies!

    I figured out that the problem was about how the CreateQueue API returns the error message. Although the error said that I was not authorised to execute the CreateQueue operation, the lack of authorisation was not about that operation but about the TagQueue one.

    Part of the code was trying to call

    sqs.create_queue(QueueName="my-test-queue", tags={"Key1": "Value1"})

    which, it seems, internally calls the TagQueue operation. Of course, the TagQueue operation requires the sqs:TagQueue policy, which was not available within the role. The CreateQueue API response was catching the internal TagQueue error and reporting it as if something had happened at that level.

    I hope this can help others who are running into this kind of issue.
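Worked example of the point made in this answer and the follow-up comment, added here and not code from the original post: which actions a tagged create_queue call is authorised against, a matching least-privilege policy statement, and a wrapper that turns the generic CreateQueue AccessDenied into a concrete checklist. The RoleWithOnlyCreateQueue stub and the example queue URL are constructed stand-ins for a real boto3 client.

```python
# Added example (not from the original post); SQS authorises sqs:CreateQueue on
# every create_queue call and sqs:TagQueue as well when the request carries tags.
from typing import Dict, List, Optional


def required_actions(tags: Optional[Dict[str, str]] = None) -> List[str]:
    actions = ["sqs:CreateQueue"]
    if tags:
        actions.append("sqs:TagQueue")
    return actions


def policy_statement(queue_arn: str, tags: Optional[Dict[str, str]] = None) -> dict:
    """Least-privilege Allow statement for one create_queue call."""
    return {"Effect": "Allow", "Action": required_actions(tags), "Resource": [queue_arn]}


def explain_access_denied(message: str, tags: Optional[Dict[str, str]] = None) -> str:
    """Rewrite the misleading CreateQueue error into the list of actions to check."""
    if "AccessDenied" not in message:
        return message
    hint = "role must allow " + " and ".join(required_actions(tags))
    if tags:
        hint += "; CreateQueue reports AccessDenied even when only TagQueue is missing"
    return hint


def create_queue_with_diagnostics(sqs_client, queue_name: str,
                                  tags: Optional[Dict[str, str]] = None):
    """Call client.create_queue (tags passed only when given) and re-raise an
    AccessDenied with every action the role needs named in the message."""
    kwargs = {"QueueName": queue_name}
    if tags:
        kwargs["tags"] = tags
    try:
        return sqs_client.create_queue(**kwargs)
    except Exception as exc:  # botocore raises ClientError; match on its text
        if "AccessDenied" in str(exc):
            raise PermissionError(explain_access_denied(str(exc), tags)) from exc
        raise


class RoleWithOnlyCreateQueue:
    """Constructed stand-in for a boto3 client under the thread's role (CreateQueue
    allowed, TagQueue not): tagged requests fail with the post's exact message."""
    def create_queue(self, QueueName, tags=None, **_):
        if tags:
            raise RuntimeError("An error occurred (AccessDenied) when calling the "
                               "CreateQueue operation: Access to the resource is denied.")
        return {"QueueUrl": f"https://sqs.example/123456789012/{QueueName}"}
```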


If the lambda works fine when deployed using a zip file or from the console, then there is no issue with IAM permissions.

If it is not working as expected only when it is deployed as a container, then there must be some issue with the container configuration. Please make sure you have followed the steps as mentioned in this blog post -

Have you tested the container locally?

AWS
answered 2 years ago


I agree with Indranil; it's probably a configuration issue in the container. My first guess would be that you have set one or more environment variables in the image:


If you run the shell command env, it will print all your environment variables; you can do this at the end of your Dockerfile or when the Lambda starts. You can also unset these with this command in your Dockerfile:


Or the image has a ~/.aws/... directory, so that the program picks up the wrong credentials (not from your role). If this is the case, run this in your Dockerfile:

 RUN rm -rf ~/.aws

Find more info about how the boto3 client reads its credentials here:

Good luck!

answered 2 years ago
