Borislav Hadzhiev
Reading time·3 min
Photo from Unsplash
In order to grant a Lambda function access to an SQS queue, we have to attach
an IAM policy to the function's execution role. The policy should grant
permissions for all the Actions
the function needs to perform on the queue.
For example, the following policy grants permissions for the most commonly used SQS actions on a specific SQS queue.
YOUR_*
placeholders in the Resource
element with the real values.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sqs:SendMessage", "sqs:DeleteMessage", "sqs:ChangeMessageVisibility", "sqs:ReceiveMessage", "sqs:TagQueue", "sqs:UntagQueue", "sqs:PurgeQueue" ], "Resource": "arn:aws:sqs:YOUR_REGION:YOUR_ACCOUNT_NUMBER:YOUR_QUEUE_NAME" } ] }
The Resource
element is simply the SQS queue's ARN. It should look something
like: arn:aws:sqs:us-east-1:123456789:my-queue
once the real values are in
place.
The actions your lambda function needs to perform on the queue are use case dependent.
"sqs:*"
for the Action
element in the policy to grant full SQS access to the lambda function. However, it's best practice to grant an entity the least permissions that get the job done.You can view a full list of the sqs Actions
in the
SQS actions table.
There is a Description
column that explains what each action does.
To attach a policy to the lambda function's execution role, you have to:
Configuration
tab and then click Permissions
Add permissions
and then click Create inline policy
JSON
editor paste the following policy.YOUR_*
placeholders and adjust the Actions
your lambda function needs to execute.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sqs:SendMessage", "sqs:DeleteMessage", "sqs:ChangeMessageVisibility", "sqs:ReceiveMessage", "sqs:TagQueue", "sqs:UntagQueue", "sqs:PurgeQueue" ], "Resource": "arn:aws:sqs:YOUR_REGION:YOUR_ACCOUNT_NUMBER:YOUR_QUEUE_NAME" } ] }
Review Policy
and give your policy a name, then click Create policy
At this point the lambda function's role has been extended with a policy that grants access to some SQS actions on a specific queue.
Invoke your lambda function and verify whether it has access to the SQS queue.
If your function is still unable to access the SQS queue, try to increase the
function's timeout
by a second in the AWS console, or simply add an extra
print
statement in the code and click the Deploy
button.
If your lambda function still doesn't have access to the queue, expand the IAM policy you added to the function's role and edit it to look like the policy below.
YOUR_*
placeholders with the real values.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sqs:*" ], "Resource": "arn:aws:sqs:YOUR_REGION:YOUR_ACCOUNT_NUMBER:YOUR_QUEUE_NAME" } ] }
The IAM policy grants full access to an SQS queue. Your lambda function will be able to execute all SQS actions on the queue.
*
symbol is useful when debugging.After you've updated the policy, try to invoke your lambda function again. It should have permissions to execute any action on the SQS queue.
After you verify which actions your lambda needs to run, you can make the IAM policy less permissive.
Deny
effect will always override any Allow
statements.