By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Access to the resource https://sqs.eu-west-2.amazonaws.com/ is denied.

1

API Gateway -> SQS queue integration

Hi All

Hope you can help.

I am creating REST API in new AWS account with terraform. Using IAM role with AmazonAPIGatewayAdministrator policy to create api gatway method & integration request to SQS queue. Also added permission to role for sending messages to queue aswell.

Once terraform deployed, Getting AccessDenied

{
    "Error": {
        "Code": "AccessDenied",
        "Message": "Access to the resource https://sqs.eu-west-2.amazonaws.com/ is denied.",
        "Type": "Sender"
    },
    "RequestId": "824c8fe5-2da2-58bc-ad89-d4b1a461bf75"
}

Thanks

SG

  • rePost-User-4402012
    2 years ago

    Using following IAM Role Policy { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:PutLogEvents", "logs:GetLogEvents", "logs:FilterLogEvents" ], "Effect": "Allow", "Resource": "" }, { "Action": "sqs:", "Effect": "Allow", "Resource": "arn:aws:sqs:eu-west-2:account_id:queue_name" }, { "Action": [ "lambda:InvokeFunction", "lambda:InvokeAsync" ], "Effect": "Allow", "Resource": "arn:aws:lambda::account_id:function:" } ], "Version": "2012-10-17" }

Topics
Security, Identity, & ComplianceServerlessFront-End Web & MobileNetworking & Content DeliveryApplication Integration
Tags
AWS Identity and Access ManagementAmazon API GatewayAmazon Simple Queue ServiceIAM Policies
Language
English
rePost-User-4402012
asked 2 years ago1405 views
2 Answers
1

Based on the given context, I am assuming that you have correctly added permissions to an IAM role assumed by API Gateway to access an SQS queue. Have you taken a look at SQS access policy, service control policy in AWS organizations, KMS permissions, and VPC endpoint (VPCe) policy (if VPCe is in use)? This article How do I troubleshoot AccessDenied errors on Amazon SQS API calls? covers basic troubleshooting steps.

AWS
Taka_M
answered 2 years ago
  • rePost-User-4402012
    2 years ago

    Not using VPCs or KMS { "Version": "2012-10-17", "Id": "sqspolicy", "Statement": [ { "Sid": "First", "Effect": "Allow", "Principal": "*", "Action": "sqs:SendMessage", "Resource": "arn:aws:sqs:eu-west-2:account_id:queue_name" } ] }

0

Hi

In your role policy I see sqs: instead of sqs:SendMessage

Make sure { "Action": "SendMessage", ..... }

Omid Eidivandi
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content