Reputation: 1
I need to send message from lambda account A to an SQS of another account B.
In account B, I have created the sqs like this:
```yaml
Resources:
  SampleSqs:
    Type: "AWS::SQS::Queue"
    Properties:
      QueueName: sample-sqs-service-queue.fifo
      FifoQueue: true
      VisibilityTimeout: 400
      ContentBasedDeduplication: true
```
and created the access role policy as:
```yaml
SqsRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName: sample-sqs-Account-Role
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            AWS:
              - arn:aws:iam::<Account-A>:root
          Action: sts:AssumeRole
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/AmazonSQSFullAccess
```
I also tried adding the SQS queue as a resource under the statement section, but it fails at deployment time with the message below:
```
SqsRole - Has prohibited field Resource (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument;
```
In account A, I am trying to access the account B SQS queue SampleSqs by importing the queue URL, but I am getting access denied. Code for account A:
```yaml
iamRoleStatements:
  - Effect: Allow
    Action:
      - sts:AssumeRole
    Resource:
      - arn:aws:iam::$<AccountB>:role/sample-sqs-Account-Role
```
I am trying to access that SQS queue through its URL in my code but getting access denied.
I am quite new to AWS and the Serverless Framework. Could someone please help me with what Serverless code setup I require on both sides to give account A access to account B's SQS queue?
Upvotes: 0
Views: 483
Reputation: 6615
Have you checked the Amazon documentation on this error: https://aws.amazon.com/premiumsupport/knowledge-center/iam-principal-policy/
More importantly, I do not know your exact scenario here, but I would think that instead of creating a whole role in account B to be assumed to access SQS, it would be easier and probably more appropriate to simply grant the necessary permissions by changing the policy on the SQS queue (resource policy).
There are very easy-to-understand examples directly addressing this use case here: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-basic-examples-of-sqs-policies.html
Upvotes: 0
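To make the resource-policy approach from the answer concrete, here is an added example (not code from the question or the answer): a queue policy in account B that grants only `sqs:SendMessage` to one specific principal in account A, plus the matching identity statement for the Lambda in account A. The placeholders `<Account-A>`, `<Account-B>`, `<region>` and `<lambda-execution-role>` are assumptions; the queue definition is the one from the question.

```yaml
# Account B (CloudFormation / serverless resources section).
# Cross-account SQS access needs no AssumeRole: the queue's own resource
# policy names the foreign principal, and that principal's identity policy
# must also allow the call.
Resources:
  SampleSqs:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: sample-sqs-service-queue.fifo
      FifoQueue: true
      VisibilityTimeout: 400
      ContentBasedDeduplication: true

  SampleSqsPolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - !Ref SampleSqs              # !Ref on an SQS queue yields its URL
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowAccountALambdaToSend
            Effect: Allow
            Principal:
              # Least privilege: name the Lambda's execution role, not the
              # account root, so only that function can send.
              AWS: arn:aws:iam::<Account-A>:role/<lambda-execution-role>
            Action:
              - sqs:SendMessage
              - sqs:GetQueueUrl
            Resource: !GetAtt SampleSqs.Arn

# Account A (serverless.yml, provider section). The Lambda's role must grant
# the same actions on the queue ARN; sts:AssumeRole is not needed here.
provider:
  iamRoleStatements:
    - Effect: Allow
      Action:
        - sqs:SendMessage
        - sqs:GetQueueUrl
      Resource: arn:aws:sqs:<region>:<Account-B>:sample-sqs-service-queue.fifo
```

Because the queue is FIFO, every `SendMessage` call from account A must also supply a `MessageGroupId`; if the queue is ever encrypted with a customer-managed KMS key, that key's policy must grant account A's role `kms:GenerateDataKey` as well, or sends will still be denied.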