overexchange


Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied

There are many references to this error, but none of them seemed to match my question. Below is the execution role I created for my Lambda (AWS::Serverless::Function):

{
    "permissionsBoundary": {
        "permissionsBoundaryArn": "arn:aws:iam::111222333444:policy/some-permission-boundary",
        "permissionsBoundaryType": "Policy"
    },
    "roleName": "some-role-WebhookSampleFunctionRol-6Z7GFHJYHO0T",
    "policies": [
        {
            "document": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Action": [
                            "logs:CreateLogGroup",
                            "logs:CreateLogStream",
                            "logs:PutLogEvents"
                        ],
                        "Resource": "*"
                    }
                ]
            },
            "name": "AWSLambdaBasicExecutionRole",
            "id": "ANDDDDDC42545SKXIK",
            "type": "managed",
            "arn": "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
        }
    ],
    "trustedEntities": [
        "lambda.amazonaws.com"
    ]
}

where some-permission-boundary is

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:111222333444:log-group:*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "sqs:*"
            ],
            "Resource": [
                "arn:aws:sqs:us-east-1:*:*"
            ],
            "Effect": "Allow"
        }
    ]
}

The source of the Lambda is below, which sends a message to the SQS queue.

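/**
 * Send `message` to the SQS queue identified by the `queueUrl` environment variable.
 *
 * The payload is serialised with JSON.stringify, so it must be JSON-serialisable.
 * Relies on an `sqs` client defined elsewhere in the module; it is used in
 * callback style (`sendMessage(params, cb)`), which matches AWS SDK v2 — confirm
 * against the module's client construction.
 *
 * @param {*} message Payload to send; becomes the MessageBody.
 * @returns {Promise<object>} Resolves with the SendMessage response (the
 *   MessageId is useful for logging and tracing); rejects with the SDK error,
 *   e.g. AccessDenied when the execution role's effective permissions (identity
 *   policy intersected with its permissions boundary) do not allow SendMessage.
 */
async function sendToQueue(message) {
    const queueUrl = process.env.queueUrl;
    // Fail fast with a clear error instead of letting the SDK reject on an
    // undefined QueueUrl, which is much harder to diagnose from the logs.
    if (!queueUrl) {
        throw new Error('sendToQueue: queueUrl environment variable is not set');
    }
    const params = {
        MessageBody: JSON.stringify(message),
        QueueUrl: queueUrl
    };
    return new Promise((resolve, reject) =>
        sqs.sendMessage(params, (error, data) => (error ? reject(error) : resolve(data)))
    );
}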

However, when I run the Lambda function, it gives me the following error:

    "errorMessage": "Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied.",
        "errorType": "AccessDenied",

We allowed sqs:* actions on any queue in any account in some-permission-boundary.


Why is the Lambda not able to send a message to the queue?



Answers (2)

J Krbaio


I have the same problem, but with the Serverless Framework. The console throws this error:

`API: sqs:CreateQueue Access to the resource https://sqs.eu-west-1.amazonaws.com/ is denied.`

I added the permissions to the custom role used by the Serverless agent. These are the permissions I use for that agent (I hope this helps someone):

{
   "Version": "2012-10-17",
   "Statement": [
    {
        "Action": [
            "apigateway:*",
            "cloudformation:CancelUpdateStack",
            "cloudformation:ContinueUpdateRollback",
            "cloudformation:CreateChangeSet",
            "cloudformation:CreateStack",
            "cloudformation:CreateUploadBucket",
            "cloudformation:DeleteStack",
            "cloudformation:Describe*",
            "cloudformation:EstimateTemplateCost",
            "cloudformation:ExecuteChangeSet",
            "cloudformation:Get*",
            "cloudformation:List*",
            "cloudformation:UpdateStack",
            "cloudformation:UpdateTerminationProtection",
            "cloudformation:ValidateTemplate",
            "dynamodb:CreateTable",
            "dynamodb:DeleteTable",
            "dynamodb:DescribeTable",
            "dynamodb:DescribeTimeToLive",
            "dynamodb:UpdateTimeToLive",
            "ec2:AttachInternetGateway",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:CreateInternetGateway",
            "ec2:CreateNetworkAcl",
            "ec2:CreateNetworkAclEntry",
            "ec2:CreateRouteTable",
            "ec2:CreateSecurityGroup",
            "ec2:CreateSubnet",
            "ec2:CreateTags",
            "ec2:CreateVpc",
            "ec2:DeleteInternetGateway",
            "ec2:DeleteNetworkAcl",
            "ec2:DeleteNetworkAclEntry",
            "ec2:DeleteRouteTable",
            "ec2:DeleteSecurityGroup",
            "ec2:DeleteSubnet",
            "ec2:DeleteVpc",
            "ec2:Describe*",
            "ec2:DetachInternetGateway",
            "ec2:ModifyVpcAttribute",
            "events:DeleteRule",
            "events:DescribeRule",
            "events:ListRuleNamesByTarget",
            "events:ListRules",
            "events:ListTargetsByRule",
            "events:PutRule",
            "events:PutTargets",
            "events:RemoveTargets",
            "iam:AttachRolePolicy",
            "iam:CreateRole",
            "iam:DeleteRole",
            "iam:DeleteRolePolicy",
            "iam:DetachRolePolicy",
            "iam:GetRole",
            "iam:PassRole",
            "iam:PutRolePolicy",
            "iot:CreateTopicRule",
            "iot:DeleteTopicRule",
            "iot:DisableTopicRule",
            "iot:EnableTopicRule",
            "iot:ReplaceTopicRule",
            "kinesis:CreateStream",
            "kinesis:DeleteStream",
            "kinesis:DescribeStream",
            "lambda:*",
            "logs:CreateLogGroup",
            "logs:DeleteLogGroup",
            "logs:DescribeLogGroups",
            "logs:DescribeLogStreams",
            "logs:FilterLogEvents",
            "logs:GetLogEvents",
            "logs:PutLogEvents",
            "logs:PutSubscriptionFilter",
            "logs:CreateLogStream",
            "s3:CreateBucket",
            "s3:DeleteBucket",
            "s3:DeleteBucketPolicy",
            "s3:DeleteObject",
            "s3:DeleteObjectVersion",
            "s3:GetObject",
            "s3:GetObjectVersion",
            "s3:ListAllMyBuckets",
            "s3:ListBucket",
            "s3:PutBucketNotification",
            "s3:PutBucketPolicy",
            "s3:PutBucketTagging",
            "s3:PutBucketWebsite",
            "s3:PutEncryptionConfiguration",
            "s3:PutObject",
            "sns:CreateTopic",
            "sns:DeleteTopic",
            "sns:GetSubscriptionAttributes",
            "sns:GetTopicAttributes",
            "sns:ListSubscriptions",
            "sns:ListSubscriptionsByTopic",
            "sns:ListTopics",
            "sns:SetSubscriptionAttributes",
            "sns:SetTopicAttributes",
            "sns:Subscribe",
            "sns:Unsubscribe",
            "sqs:CreateQueue",
            "sqs:ReceiveMessage",
            "sqs:DeleteMessage",
            "sqs:GetQueueAttributes",
            "states:CreateStateMachine",
            "states:DeleteStateMachine"
        ],
        "Effect": "Allow",
        "Resource": "*"
    }
]}

These permissions (without sqs:*) are the ones recommended by the Serverless Framework docs.


congbaoguier


A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity.

An entity's permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.

source: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html

You do include sqs:* in your permissions boundary, but you did not include any SQS-related action in your Lambda execution role's identity-based policy. A boundary never grants permissions on its own; the effective permissions are the intersection of the boundary and the identity-based policy, and here that intersection contains no SQS action at all.

You should attach a policy with SQS permissions to your Lambda execution role, for example the one below. In practice, scope it down to the actions the function actually needs (here, sqs:SendMessage) and to the ARN of the specific queue, rather than sqs:* on every queue in the region:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "sqs:*"
            ],
            "Resource": [
                "arn:aws:sqs:us-east-1:*:*"
            ],
            "Effect": "Allow",
        }
    ]
}

