A third-party vendor provided me with an AWS SQS Queue name (arn:TheQ) and with a Role (arn:TheRole) that they said I need to assume within my AWS account in order to access the queue.
I know how to define the lambda function and how to set the event trigger to be the SQS queue. But I can’t figure out where or how I use the Role Arn that they provided. I’ve searched far and wide and tried every variation I can find but always hit a dead end.
```yaml
functions:
  getMsg:
    handler: handler.getMsg
    events:
      - sqs: arn:TheQ
```
That alone obviously doesn’t work since the function isn’t assuming TheRole they provided as its execution role. But it won’t let me just add a role statement since that can only reference a role within the same account as the function.
In the provider section, I’ve tried adding various iam.role.statements and I’ve added various permissions to the user associated with the Serverless Framework permissions (although I assume it’s not related to that).
```yaml
iam:
  role:
    statements:
      - Effect: "Allow"
        Action:
          - "sts:AssumeRole"
        Resource: "arn:TheRole"
      - Effect: "Allow"
        Action:
          - "sqs:*"
        Resource: "arn:TheQ"
```
I feel like I’m only missing one small statement somewhere that allows the Lambda function to assume the role. But I can’t find it. I found articles that showed how I can add code to the lambda function that assumes the role, but for a lambda trigger of an SQS event, it seems like the EventMapping requires that the Role already be in place as the execution role.
PS: arn:TheQ and arn:TheRole are just abbreviations for the full ARN of each.
Thanks so much in advance for any insights!
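The approach the post mentions (assuming the vendor role from inside the function and polling the queue with the temporary credentials, instead of relying on an SQS event trigger), written out as an added example that is not from the original post. It assumes boto3 in the Lambda runtime, that the vendor role's trust policy allows this function's execution role (the `sts:AssumeRole` statement above is the other half), and that the queue URL can be derived from arn:TheQ in the standard `aws` partition; `VENDOR_ROLE_ARN`, `VENDOR_QUEUE_ARN` and the ARN values are placeholders.

```python
"""Poll a vendor's cross-account SQS queue via a vendor-supplied role (added example)."""
import os

# Placeholders: set these from the full ARNs the vendor gave you.
ROLE_ARN = os.environ.get("VENDOR_ROLE_ARN", "arn:TheRole")
QUEUE_ARN = os.environ.get("VENDOR_QUEUE_ARN", "arn:aws:sqs:us-east-1:123456789012:TheQ")


def queue_url_from_arn(queue_arn):
    """arn:aws:sqs:REGION:ACCOUNT:NAME -> https://sqs.REGION.amazonaws.com/ACCOUNT/NAME
    (assumes the standard aws partition; other partitions use a different host)."""
    parts = queue_arn.split(":")
    if len(parts) != 6 or parts[2] != "sqs":
        raise ValueError(f"not an SQS queue ARN: {queue_arn}")
    _, _, _, region, account, name = parts
    return f"https://sqs.{region}.amazonaws.com/{account}/{name}"


def assume_vendor_role(sts, role_arn, session_name="vendor-queue-reader", duration=900):
    """Call STS AssumeRole and return kwargs for a boto3 client.
    900 s is the minimum session length: short-lived credentials limit exposure."""
    resp = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                           DurationSeconds=duration)
    c = resp["Credentials"]
    return {"aws_access_key_id": c["AccessKeyId"],
            "aws_secret_access_key": c["SecretAccessKey"],
            "aws_session_token": c["SessionToken"]}


def drain_queue(sqs, queue_url, handle_message, max_batches=10):
    """Receive up to max_batches * 10 messages; a message is deleted only after
    handle_message returns, so a failure leaves it on the queue for a retry."""
    processed = 0
    for _ in range(max_batches):
        resp = sqs.receive_message(QueueUrl=queue_url, MaxNumberOfMessages=10,
                                   WaitTimeSeconds=0)
        messages = resp.get("Messages", [])
        if not messages:
            break
        for msg in messages:
            handle_message(msg["Body"])
            sqs.delete_message(QueueUrl=queue_url, ReceiptHandle=msg["ReceiptHandle"])
            processed += 1
    return processed


def lambda_handler(event, context):
    import boto3  # imported here so the helpers above are testable without boto3
    creds = assume_vendor_role(boto3.client("sts"), ROLE_ARN)
    sqs = boto3.client("sqs", **creds)  # client scoped to the vendor role's permissions
    return {"processed": drain_queue(sqs, queue_url_from_arn(QUEUE_ARN), print)}
```

Trigger this function on a schedule rather than an SQS event; the event source mapping polls with the execution role's own credentials, which is why the assumed role cannot be plugged in there.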