alexis

Reputation: 1211

Lambda Dead Letter Queue with SNS permissions

I am trying to use the Dead Letter Queue of Lambda. I have configured it to send messages to an SNS Queue. I put in an incorrect handler to make the Lambda invocation error out. The error messages never arrive in the SNS Queue. I believe this is a permissions issue. Below is my access policy set for the SNS queue:

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:SetTopicAttributes",
        "SNS:AddPermission",
        "SNS:RemovePermission",
        "SNS:DeleteTopic",
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:Publish",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:eu-west-1:1234567:lambda-dlq",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "1234567"
        }
      }
    }
  ]
}

The Lambda function has a Role attached that has the sns:Publish action set to Allow and the resource set to *.

Am I missing anything? Any other reason the message might not arrive in the DLQ?

Upvotes: 2

Views: 1316

Answers (1)

Marcin

Reputation: 238747

I tried to verify your scenario. I observed that using Test in the console does not produce messages in the DLQ.

What worked was using the CLI (haven't tested with CW Events):

aws lambda invoke --function-name ffff --invocation-type Event --profile my-profile /dev/stdout

Also, the other settings were:

SNS policy (same as yours; default)

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:SetTopicAttributes",
        "SNS:AddPermission",
        "SNS:RemovePermission",
        "SNS:DeleteTopic",
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:Publish",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:us-east-1:xxxxxx:my-dlq-topic",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "xxxxxxx"
        }
      }
    }
  ]
}

lambda execution role

Only added arn:aws:iam::aws:policy/AmazonSNSFullAccess to it, for simplicity.

async lambda settings

(screenshot of the asynchronous invocation settings; image not available)

Upvotes: 2
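The topic policy in both the question and the answer is the SNS default: Principal "*" narrowed by an AWS:SourceOwner condition, so only principals in the topic's own account can publish. The following is an added example, not code from the thread, that models that evaluation so the same check can be run over a policy fetched with `aws sns get-topic-attributes`: it reports whether a given account may publish to the topic and separately flags a policy that lets any principal publish with no condition at all. The account id, topic ARN and policy document are constructed placeholders.

```python
import json
from fnmatch import fnmatch

# Constructed sample: the default SNS topic policy from the thread, with a
# placeholder account id and topic ARN (not real values).
ACCOUNT_ID = "111111111111"
TOPIC_ARN = f"arn:aws:sns:eu-west-1:{ACCOUNT_ID}:lambda-dlq"
DEFAULT_TOPIC_POLICY = json.dumps({
    "Version": "2008-10-17",
    "Statement": [{
        "Sid": "__default_statement_ID", "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["SNS:Publish", "SNS:Subscribe", "SNS:GetTopicAttributes"],
        "Resource": TOPIC_ARN,
        "Condition": {"StringEquals": {"AWS:SourceOwner": ACCOUNT_ID}},
    }],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def publish_allowed_for(policy_json, topic_arn, caller_account):
    """Return (allowed, open_to_any_account) for sns:Publish on topic_arn.
    Simplified evaluation: an Allow statement matches if its Action covers
    sns:Publish (case-insensitive, wildcards honoured), its Resource covers the
    topic ARN, and its Principal is "*" or names caller_account. Only a
    StringEquals AWS:SourceOwner condition is understood (others count as
    unsatisfied); explicit Deny statements are not modelled.
    """
    allowed = open_to_any = False
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not any(fnmatch("sns:publish", a) for a in actions):
            continue
        if not any(fnmatch(topic_arn, r) for r in _as_list(stmt.get("Resource", []))):
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        wildcard = "*" in principals
        if not (wildcard or any(caller_account in p for p in principals)):
            continue
        cond = stmt.get("Condition")
        if not cond:  # unconditional grant: anyone the Principal element names
            allowed, open_to_any = True, open_to_any or wildcard
            continue
        owners = {k.lower(): _as_list(v) for k, v in cond.get("StringEquals", {}).items()}
        if set(cond) == {"StringEquals"} and set(owners) == {"aws:sourceowner"}:
            allowed = allowed or caller_account in owners["aws:sourceowner"]
    return allowed, open_to_any
```

With the default policy the function's own account is allowed and a foreign account is refused, which is why the thread's policy is not the cause; a policy that returns open_to_any_account=True is the one worth fixing.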
