Lambda IAM Role Error --> The provided execution role does not have permissions to call SendMessage on SQS

0

Hello, I am trying to deploy a Lambda function using Terraform. The IAM role is created successfully and has the following inline policies attached to it:

```hcl
{
  "Sid": "VisualEditor0",
  "Effect": "Allow",
  "Action": [
    "logs:CreateLogStream",
    "logs:PutLogEvents"
  ],
  "Resource": aws_cloudwatch_log_group.cloudwatch_log.arn
},
{
  "Sid": "VisualEditor1",
  "Effect": "Allow",
  "Action": "sqs:ListQueues",
  "Resource": "*"
},
{
  "Sid": "VisualEditor2",
  "Effect": "Allow",
  "Action": "sqs:*",
  "Resource": "arn:aws:sqs:us-east-1:012345678912:sqsqueue"
}
```

The Lambda function has a depends_on on the execution role to ensure that the role is created first and then the function.

The SQS queue is already created and has the following access policy. It is a standard queue with Amazon SQS key (SSE-SQS) encryption enabled.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "allow-account-access",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::012345678912:root"
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:012345678912:sqsqueue"
    }
  ]
}
```

Applying the Terraform template shows the following error message: `CreateFunction, https response error StatusCode: 400, RequestID: e97789ca-a746-04ae-a653-ce1b45936029, InvalidParameterValueException: The provided execution role does not have permissions to call SendMessage on SQS`

Please can someone point out what I am doing wrong?

2 Answers
1

Hello.

How about setting the SQS access policy a little wider as shown below?

```json
{
  "Version": "2012-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__owner_statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::012345678912:root"
      },
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:us-east-1:012345678912:sqsqueue"
    }
  ]
}
```
answered 4 months ago
  • Thanks for replying. I did try this while clicking through the console, just to check whether I had written the Terraform template wrong... this turned out to be a Terraform dependency issue.

0

This turned out to be how Terraform creates resources. I had to take the policy out of the IAM role, so I ended up with 3 different resources: aws_iam_role, aws_iam_policy and aws_iam_role_policy_attachment.

I declared a depends_on for aws_iam_policy in aws_iam_role.

This is in addition to depends_on for aws_iam_role in aws_lambda_function.

answered 4 months ago
  • You don’t need to use depends_on unless in extreme circumstances. Terraform builds its own dependencies if used correctly. I don’t see why you would have issues here.
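The three-resource layout described in the answer above, written out as an added example (not the asker's configuration). Resource names, the function settings and the use of the queue as the function's dead-letter target are assumptions; the queue and log-group references reuse the values from the question, and the SQS grant is narrowed to the single action the error names instead of `sqs:*`.

```hcl
# Execution role: trust policy only, no inline policy.
resource "aws_iam_role" "lambda_exec" {
  name = "lambda-exec-role" # assumed name
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole", Principal = { Service = "lambda.amazonaws.com" } }]
  })
}

# Permissions live in a standalone managed policy.
resource "aws_iam_policy" "lambda_exec" {
  name = "lambda-exec-policy" # assumed name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["logs:CreateLogStream", "logs:PutLogEvents"]
        Resource = aws_cloudwatch_log_group.cloudwatch_log.arn
      },
      {
        # Only the action CreateFunction checks for, scoped to the one queue.
        Effect   = "Allow"
        Action   = "sqs:SendMessage"
        Resource = "arn:aws:sqs:us-east-1:012345678912:sqsqueue"
      },
    ]
  })
}

# The attachment is the resource that actually grants the role its permissions.
resource "aws_iam_role_policy_attachment" "lambda_exec" {
  role       = aws_iam_role.lambda_exec.name
  policy_arn = aws_iam_policy.lambda_exec.arn
}

resource "aws_lambda_function" "example" {
  function_name = "example"        # assumed
  role          = aws_iam_role.lambda_exec.arn
  handler       = "index.handler"  # assumed
  runtime       = "python3.12"     # assumed
  filename      = "function.zip"   # assumed
  dead_letter_config {
    target_arn = "arn:aws:sqs:us-east-1:012345678912:sqsqueue"
  }
  # The role reference above only orders this after the role itself; naming the
  # attachment here makes Terraform wait until the policy is attached as well.
  depends_on = [aws_iam_role_policy_attachment.lambda_exec]
}
```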
