Can't Create SQS Queue From Docker-based Lambda

0

Hi all,

I'm writing a Lambda function in Python to create SQS queues when specific events occur via EventBridge. The function is then packaged as a Docker image. When I try to create the queue using the create_queue client method

import boto3

# Uses the Lambda execution role's credentials and the function's region.
sqs = boto3.client("sqs")

# Tried pinning the regional endpoint explicitly; same result.
# sqs = boto3.client("sqs", endpoint_url="https://sqs.us-east-1.amazonaws.com")

sqs.create_queue(QueueName="my-test-queue")

I receive either

An error occurred (AccessDenied) when calling the CreateQueue operation: Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied.

or

An error occurred (AccessDenied) when calling the CreateQueue operation: Access to the resource https://sqs.amazonaws.com/ is denied.

even though the Lambda function has the correct sqs:CreateQueue policy attached to its role.

{
    "Statement": [
        {
            "Action": [
                "sqs:CreateQueue"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}

The lambda IS NOT attached to any VPC.

I tried ZIP-based and console-created functions and the error does not occur.

Does anybody have any idea about why I receive the error when the function is packaged as Docker image?

Many thanks!

asked 3 months ago, 93 views
3 Answers
0
Accepted Answer

The IAM policy on your lambda function must not have the correct permissions. There are a few things to try:

  1. Can you temporarily grant sqs:* permissions instead of just CreateQueue and test that?
  2. Can you look at CloudTrail to see which API calls are getting denied?
answered 3 months ago
  • Thanks everybody for your replies!

    I figured out that the problem was about how the CreateQueue API returns the error message. Although the error said that I was not authorised to execute the CreateQueue operation, the missing authorisation was not for that operation but for the TagQueue one.

    Part of the code was trying to call

    # Tagging at creation time needs sqs:TagQueue in addition to sqs:CreateQueue.
    sqs.create_queue(QueueName="my-test-queue", tags={"Key1": "Value1"})
    

    which internally, it seems, calls the TagQueue operation. Of course, the TagQueue operation requires the sqs:TagQueue permission, which was not in the role. The CreateQueue API response was catching the internal TagQueue error and reporting it as if something had happened at its own level.

    I hope this can help others who are running into these kind of issues.
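The lesson from the accepted answer and the asker's follow-up is that one boto3 call can need more than one IAM action, and the AccessDenied message names the top-level operation, not the missing permission. The pre-flight check below is an added example, not code from the thread or from AWS: it derives the action set a create_queue call needs (sqs:TagQueue is required whenever tags are passed) and evaluates it against a policy document with a deliberately simplified IAM matcher (Allow/Deny with action wildcards, no Resource or Condition evaluation). Both policy documents are constructed for the example: the first is the one from the question, the second is the same policy with the missing action added.

```python
import fnmatch
import json

# Constructed for this example: the role policy from the question above,
# which grants sqs:CreateQueue only.
QUESTION_POLICY = json.loads("""
{
    "Statement": [
        {
            "Action": ["sqs:CreateQueue"],
            "Resource": ["*"],
            "Effect": "Allow"
        }
    ]
}
""")

# The same policy with the permission the thread found missing.
FIXED_POLICY = json.loads("""
{
    "Statement": [
        {
            "Action": ["sqs:CreateQueue", "sqs:TagQueue"],
            "Resource": ["*"],
            "Effect": "Allow"
        }
    ]
}
""")


def required_actions(tags=None):
    """Actions that a create_queue(QueueName=..., tags=...) call needs.

    Tagging at creation time requires sqs:TagQueue on top of
    sqs:CreateQueue, but a denial is still reported against CreateQueue.
    """
    actions = {"sqs:CreateQueue"}
    if tags:
        actions.add("sqs:TagQueue")
    return actions


def _as_list(value):
    """IAM accepts either a string or a list in Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_actions(policy, needed):
    """Return the actions in `needed` that `policy` does not grant.

    Simplified evaluator: an action is granted when some Allow statement
    matches it and no Deny statement matches it. Resource, Condition and
    NotAction are ignored, which is adequate for a Resource "*" policy
    like the one in the question; use IAM's SimulatePrincipalPolicy API
    for an authoritative answer.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        patterns = _as_list(stmt.get("Action"))
        target = allowed if stmt.get("Effect") == "Allow" else denied
        for action in needed:
            if any(_action_matches(p, action) for p in patterns):
                target.add(action)
    return sorted(a for a in needed if a not in allowed or a in denied)


def explain_denial(policy, tags=None):
    """Human-readable pre-flight check to run before calling sqs.create_queue()."""
    missing = missing_actions(policy, required_actions(tags))
    if not missing:
        return "ok"
    return "role is missing: " + ", ".join(missing)


if __name__ == "__main__":
    print(explain_denial(QUESTION_POLICY, tags={"Key1": "Value1"}))
    print(explain_denial(FIXED_POLICY, tags={"Key1": "Value1"}))
```

Running the check against the question's policy with tags reports the missing sqs:TagQueue; without tags it passes, which matches the asker's observation that the bare create_queue call worked. In production, a CloudTrail lookup on the denied event (as the accepted answer suggests) is still the authoritative way to see which action was actually refused.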

0

If the lambda works fine when deployed using a zip file or from the console, then there is no issue with IAM permissions.

If it is not working as expected only when it is deployed as a container, then there must be some issue with the container configuration. Please make sure you have followed the steps as mentioned in this blog post - https://aws.amazon.com/blogs/aws/new-for-aws-lambda-container-image-support/

Have you tested the container locally?

EXPERT
answered 3 months ago
0

Hello,

I agree with Indranil. It's probably a configuration issue in the container. My first guess would be that you have set one or more environment variables in the image:

  • AWS_SECRET_ACCESS_KEY
  • AWS_ACCESS_KEY_ID
  • AWS_SESSION_TOKEN
  • AWS_PROFILE

If you run the shell command env, it will print all your environment variables; you can do this at the end of your Dockerfile or when the Lambda starts. You can also unset them with this command in your Dockerfile:

 # Each RUN step runs in its own shell, so an unset here only affects that step;
 # variables set with ENV in the image must be removed from the Dockerfile instead.
 RUN unset AWS_ACCESS_KEY_ID; unset AWS_SECRET_ACCESS_KEY; unset AWS_SESSION_TOKEN; unset AWS_PROFILE

Or the image has a ~/.aws/... directory, so that the program picks up the wrong credentials (not from your role). If this is the case, run this in your Dockerfile:

 RUN rm -rf ~/.aws

Find more info about how the boto3 client reads its credentials here: https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html

Good luck!

answered 3 months ago
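The answer above suggests looking for credentials baked into the image. The startup self-check below is an added example, not code from the thread or from AWS, for doing that without dumping secrets into logs. It relies on two documented AWS conventions: long-term IAM user access key IDs start with "AKIA" and have no session token, while temporary (STS) credentials, which is what a Lambda execution role provides, start with "ASIA" and come with AWS_SESSION_TOKEN. That distinction matters because inside Lambda the role's credentials are themselves delivered through AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN, so their presence is expected and unsetting them at function start would break boto3; the smell is a long-term key or a shared credentials file. The example key IDs in the test are AWS's documentation placeholders, not real keys.

```python
import os
from pathlib import Path

# Access key ID prefixes AWS uses: AKIA for long-term IAM user keys,
# ASIA for temporary STS credentials such as a Lambda execution role's.
LONG_TERM_PREFIX = "AKIA"
TEMPORARY_PREFIX = "ASIA"


def classify_env_credentials(environ):
    """Classify the static credentials visible in `environ` by shape only.

    Inside a Lambda function the execution role's temporary credentials are
    delivered through these same variables, so finding them is normal.
    A long-term key with no session token is the smell: it points at
    credentials baked into the image rather than coming from the role.
    """
    key_id = environ.get("AWS_ACCESS_KEY_ID", "")
    secret = environ.get("AWS_SECRET_ACCESS_KEY", "")
    token = environ.get("AWS_SESSION_TOKEN", "")
    if not key_id or not secret:
        return "none"
    if key_id.startswith(TEMPORARY_PREFIX) and token:
        return "temporary"
    if key_id.startswith(LONG_TERM_PREFIX) and not token:
        return "long-term"
    return "unknown"


def stray_credential_files(home):
    """Shared credentials/config files under `home`.

    A Lambda container image should normally have neither, since the
    execution role is the intended credential source.
    """
    base = Path(home) / ".aws"
    return [str(p) for p in (base / "credentials", base / "config") if p.is_file()]


def diagnose(environ=None, home=None):
    """Startup self-check: call once from the handler module and log the result.

    Only the shape of the credentials is reported, never their values.
    """
    environ = os.environ if environ is None else environ
    home = Path.home() if home is None else home
    return {
        "env_credentials": classify_env_credentials(environ),
        "aws_profile": environ.get("AWS_PROFILE"),
        "credential_files": stray_credential_files(home),
    }


if __name__ == "__main__":
    print(diagnose())
```

A result of "temporary" with no credential files and no AWS_PROFILE is what a correctly configured image-based function should report; "long-term" or a non-empty file list means the image is overriding the role, which is both the likely cause of a surprising AccessDenied and a secret-leak problem in its own right.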
