Hello, I haven’t been able to find the answer to this question but please let me know if I have missed it.
My scenario is I have my lambda in account 0001 and I need to read messages from an SQS queue in AWS account 0002.
The role “interestingrole” is created in account 0001 via Terraform and I would prefer to keep it that way. The SQS queue in account 0002 has a trust relationship set up for interestingrole in account 0001.
The policy looks like this
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowMyRequest",
          "Effect": "Allow",
          "Action": [
            "sqs:ReceiveMessage",
            "sqs:GetQueueUrl",
            "sqs:GetQueueAttributes",
            "sqs:DeleteMessageBatch",
            "sqs:DeleteMessage",
            "sqs:ChangeMessageVisibilityBatch",
            "sqs:ChangeMessageVisibility"
          ],
          "Resource": "arn:aws:sqs:us-east-1:0002:interesting-queue"
        }
      ]
    }
In account 0002 a trust relationship has been set up with the role created in account 0001 (same as where the lambda runs). I don’t control account 0002.
If I, in my serverless.yml, create a queue with the same name and set the resource to 0001 instead of 0002, it deploys just fine and also reads messages from that queue, but if I use account 0002 I get the deployment error "An error occurred: EventHandlerEventSourceMappingSQSCinterestingqueue - Invalid request provided: The provided execution role does not have permissions to call ReceiveMessage on SQS (Service: Lambda, Status Code: 400)".
Do I need to set up AssumeRole in my serverless.yml or refer to the role I have created “interestingrole” in some other way? I couldn’t find an example for this particular case where my role is in the account I control and execute the lambda (0001) but the resource I want to access is in a different account.
I don’t have iamRoleStatements configured for the queue currently.
serverless.yml
    functions:
      eventHandler:
        handler: src/lambda.handler
        events:
          - sqs: "arn:aws:sqs:us-east-1:0002:interesting-queue"
Thank you!
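As an added example (not part of the post above), the two halves a cross-account SQS trigger needs, written in the Terraform the post already uses for the role: Lambda polls the queue with the function's execution role, so that role (interestingrole, if the function is pinned to it with `role:` in serverless.yml) needs the actions on the 0002 queue ARN, and the queue's own resource policy in 0002 must name that role as principal. Role, queue and account names come from the post; the `aws_iam_role.interestingrole` reference, the resource names and the `aws.account_0002` provider alias are assumptions.

```hcl
# Account 0001 (Lambda + interestingrole): role-side grant on the 0002 queue.
# Resource names and the aws_iam_role.interestingrole reference are assumed.
data "aws_iam_policy_document" "sqs_consumer" {
  statement {
    sid    = "AllowMyRequest"
    effect = "Allow"
    actions = [
      "sqs:ReceiveMessage",
      "sqs:GetQueueUrl",
      "sqs:GetQueueAttributes",
      "sqs:DeleteMessageBatch",
      "sqs:DeleteMessage",
      "sqs:ChangeMessageVisibilityBatch",
      "sqs:ChangeMessageVisibility",
    ]
    resources = ["arn:aws:sqs:us-east-1:0002:interesting-queue"]
  }
}

resource "aws_iam_role_policy" "sqs_consumer" {
  name   = "sqs-consumer"
  role   = aws_iam_role.interestingrole.id # the role the post's Terraform creates
  policy = data.aws_iam_policy_document.sqs_consumer.json
}

# Account 0002 (queue owner): queue-side grant to the 0001 role principal.
# Cross-account access needs both grants; this half is applied by whoever
# controls 0002, here through an assumed provider alias for that account.
data "aws_iam_policy_document" "queue_policy" {
  statement {
    sid    = "AllowConsumerFromAccount0001"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::0001:role/interestingrole"]
    }
    # Least privilege: only what the event source mapping's poller uses.
    actions = [
      "sqs:ReceiveMessage",
      "sqs:DeleteMessage",
      "sqs:GetQueueAttributes",
      "sqs:ChangeMessageVisibility",
    ]
    resources = ["arn:aws:sqs:us-east-1:0002:interesting-queue"]
  }
}

resource "aws_sqs_queue_policy" "interesting_queue" {
  provider  = aws.account_0002
  queue_url = "https://sqs.us-east-1.amazonaws.com/0002/interesting-queue"
  policy    = data.aws_iam_policy_document.queue_policy.json
}
```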