Amit kumar

Reputation: 2694

Unable to add trigger to AWS Lambda

I am trying to add SQS as a trigger to my Lambda function running in an AWS VPC, but it throws this error:


An error occurred when creating the trigger: The provided execution role does not have permissions to call ReceiveMessage on SQS (Service: AWSLambda; Status Code: 400; Error Code: InvalidParameterValueException; Request ID: d34b7525-5c69-4434-a015-112e8e74f447; Proxy: null)

Tried adding AWSLambdaVPCAccessExecutionRole to the policy for the role via IAM as well. But no luck!

I am unable to figure out where I am making a mistake. Please help me out if anyone has had a similar experience in the past or knows how to resolve it. Thank you in advance!

Upvotes: 1

Views: 7860

Answers (3)

Sangam Belose

Reputation: 4506

Please attach the managed policy AWSLambdaSQSQueueExecutionRole to your Lambda execution role. If your Lambda function works with any other AWS services, you can try creating a custom role and adding the specific permissions.

In AWS, if any service wants to access another service, you need those specific permissions in the role.

For more information on Lambda permissions, please check Managed lambda permissions.

Upvotes: 14

AWS PS

Reputation: 4710

Attach a policy for the Lambda role. You might have to change account_number to your account number if you need to invoke another Lambda from this Lambda:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:eu-west-1:account_number:function:*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents",
                "logs:CreateLogStream",
                "logs:CreateLogGroup"
            ],
            "Resource": "*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "sqs:*"
            ],
            "Resource": "*"
        }
    ]
}

Upvotes: 0

charlie10

Reputation: 71

You need to add the following actions to the IAM Role attached to your lambda:

  • sqs:ReceiveMessage
  • sqs:DeleteMessage
  • sqs:GetQueueAttributes

Otherwise your Lambda will not be able to receive any messages from the queue. The DeleteMessage action allows it to remove a message from the queue once it has been successfully processed. As the resource, set the ARN of your SQS queue. The policy should look like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "sqs:DeleteMessage",
                "sqs:ReceiveMessage",
                "sqs:GetQueueAttributes"
            ],
            "Resource": "arn:aws:sqs:region:accountid:queuename",
            "Effect": "Allow"
        }
    ]
}

If you're looking for a managed policy, have a look at AWSLambdaSQSQueueExecutionRole.

Upvotes: 7
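The two policy answers above differ in scope: AWS PS grants `sqs:*` on every resource, while charlie10 grants only the three actions the Lambda poller needs on one queue ARN. The following is an added example, not code from the question or any answer: an offline checker that takes an execution-role policy document and a queue ARN, reports which of the three required SQS actions (from charlie10's answer) the policy fails to grant on that queue, and flags Allow statements that are wider than the event source mapping needs. It approximates IAM evaluation only as far as Effect, Action/Resource wildcards and explicit Deny go; conditions, NotAction/NotResource, the queue's own resource policy, permission boundaries and SCPs are out of scope. All policy documents and the queue ARN below are constructed sample values.

```python
import fnmatch
import json

# The actions Lambda needs on the queue to poll it as an event source
# (the three listed in charlie10's answer).
REQUIRED_SQS_ACTIONS = ("sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes")


def _as_list(value):
    """IAM allows Action/Resource/Statement to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching: '*' and '?' wildcards, case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, arn):
    """IAM resource matching: '*' and '?' wildcards, case-sensitive."""
    return fnmatch.fnmatchcase(arn, pattern)


def allowed_actions(policy, queue_arn):
    """Return the subset of REQUIRED_SQS_ACTIONS the policy grants on queue_arn.

    An explicit Deny that matches an action on the queue overrides any Allow,
    as in real IAM evaluation. Statements without an Action/Resource grant nothing here.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for required in REQUIRED_SQS_ACTIONS:
            action_hit = any(_action_matches(a, required) for a in actions)
            resource_hit = any(_resource_matches(r, queue_arn) for r in resources)
            if action_hit and resource_hit:
                (allowed if stmt.get("Effect") == "Allow" else denied).add(required)
    return allowed - denied


def missing_actions(policy, queue_arn):
    """Required actions the policy does NOT grant on queue_arn, in REQUIRED_SQS_ACTIONS order.

    An empty list means the trigger should pass the permission check the question's
    error message describes (subject to the evaluation limits noted in the lead-in).
    """
    granted = allowed_actions(policy, queue_arn)
    return [a for a in REQUIRED_SQS_ACTIONS if a not in granted]


def overbroad_statements(policy):
    """Indices of Allow statements granting all SQS actions ('sqs:*' or '*') on Resource '*'.

    Such statements make the trigger work but hand the function read/write/delete
    rights on every queue in the account, well beyond what polling one queue needs.
    """
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a in ("*", "sqs:*") for a in actions) and "*" in resources:
            findings.append(index)
    return findings


# Constructed sample inputs (placeholder account id and queue name).
QUEUE_ARN = "arn:aws:sqs:eu-west-1:123456789012:orders-queue"

# Shape of a role that only has VPC + logging rights, like the question's setup: no SQS at all.
VPC_ONLY_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
             "ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces", "ec2:DeleteNetworkInterface"],
  "Resource": "*"}]}""")

# Least-privilege shape from charlie10's answer, scoped to one queue ARN.
LEAST_PRIVILEGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"], "Resource": "*"},
    {"Effect": "Allow", "Action": list(REQUIRED_SQS_ACTIONS), "Resource": QUEUE_ARN},
]}

# Wildcard shape from AWS PS's answer: works, but far wider than the trigger needs.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": "arn:aws:lambda:eu-west-1:123456789012:function:*"},
    {"Effect": "Allow", "Action": ["logs:PutLogEvents", "logs:CreateLogStream", "logs:CreateLogGroup"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["sqs:*"], "Resource": "*"},
]}

# Least-privilege policy plus an explicit Deny on DeleteMessage: the Deny wins.
DENY_POLICY = {"Version": "2012-10-17", "Statement": LEAST_PRIVILEGE_POLICY["Statement"] + [
    {"Effect": "Deny", "Action": "sqs:DeleteMessage", "Resource": "*"},
]}

if __name__ == "__main__":
    for name, policy in [("vpc-only", VPC_ONLY_POLICY), ("least-privilege", LEAST_PRIVILEGE_POLICY),
                         ("broad", BROAD_POLICY), ("deny-override", DENY_POLICY)]:
        print(f"{name}: missing={missing_actions(policy, QUEUE_ARN)} "
              f"overbroad_statements={overbroad_statements(policy)}")
```

Running the module prints one line per sample policy; the VPC-only policy is missing all three actions (the situation in the question), the least-privilege policy is missing none and has no over-broad statement, the `sqs:*` policy passes the check but is flagged at statement index 2, and the Deny sample shows why an explicit Deny elsewhere in the role can keep the trigger failing even after the Allow is added. To check a real role, paste the output of the role's inline or attached policy document into `policy` and use the queue's actual ARN.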
