Reputation: 185
I'm using the AWS SQS service, and I'm having a hard time defining permissions on my SQS queue. In my setup I'm using the AWS Lambda service, which is triggered when an object is pushed onto an S3 bucket.
However to keep my question briefly, this is what I want to achieve:
Object is pushed to a S3 bucket, S3 bucket triggers AWS Lambda, Lambda does some calculations and pushes an event to my SQS queue (Permission needs to be defined) Application reads from SQS Lambda and SQS queue are in different AWS account- Steps followed-
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::accountid:role/rolename",
]
},
"Action": "SQS:SendMessage",
"Resource": "https://sqs.us-east-1.amazonaws.com/accountid/qsqqueuename"
}
]
}
SQS queue has KMS key enabled so gave permission in kms access policy to the same role
The role assumed by lambda has following access-
{
"Action": [
"s3:PutObject",
"s3:GetObject",
"kms:Decrypt",
"kms:Encrypt",
"sqs:SendMessage",
"kms:DescribeKey",
"s3:ListBucket",
"ssm:GetParameter",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
],
"Resource": [
"arn:aws:kms:us-east-1:accountid:key/kmskey5809e1338be5",
"arn:aws:sqs:us-east-1:accountid:sqaqueuename"
],
"Effect": "Allow",
"Sid": "mailboxaccess"
},
My lambda is giving the error- An error occurred (AccessDenied) when calling the SendMessage operation: Access to the resource https://queue.amazonaws.com/ is denied. Any suggestions?
Upvotes: 0
Views: 350
Reputation: 185
The problem was the arn for sqs..I had provided an HTTP address for the queue whereas need to provide an arn.
Upvotes: 0