Access to the resource https://queue.amazonaws.com/ is denied error in AWS Lambda function

Question

I am trying to set cross account data transfer from AWS Lambda in AWS account A to SQS in AWS account B using boto3. Below are the steps which I have followed.

1. Created an IAM role in account A which has "SendMessage" access to SQS queue in account B. (Given an ARN of SQS queue of account B)
2. Added an account ID of AWS account B in the trust relationship of an IAM role in account A.
3. Attached this IAM role to Lambda function and written a code to send the message to SQS queue using SQS queue URL.
4. Created an SQS queue in account B.
5. In the SQS queue access policy I have written a policy which will allow lambda role of account A to send message to its SQS queue.

================================================================================

  After that when I am trying to test my lambda function, it is giving me below error.
    [ERROR] ClientError: An error occurred (AccessDenied) when calling the SendMessage operation: Access to the resource https://queue.amazonaws.com/ is denied.

=====================================================================================

Can anybody please help to understand what's wrong here?.

Answer 1

This error can occur if you are attempting to access SQS via the boto3 Python library (e.g. OP's lambda) from inside a VPC with private DNS enabled.

Per AWS documentation:

Private DNS doesn't support legacy endpoints such as queue.amazonaws.com or us-east-2.queue.amazonaws.com.

(emphasis mine)

To solve this error:

1. Create a VPC endpoint for com.amazonaws.<region>.sqs in your VPC
2. Pass the appropriate service endpoint URL to the boto3.client() constructor:

   import boto3
   
   client = boto3.client('sqs', endpoint_url=f'https://sqs.{region}.amazonaws.com')
   

IAM permissions are left as an exercise to the reader.