The provided execution role does not have permissions to call ReceiveMessage on SQS

Serverless Framework
, ,
1

I changed my credentials AWS, and resolved to upload the project to deploy. But he accused this error.
An error occurred: ReceiveEventSourceMappingSQSChatdev - The provided execution role does not have permissions to call ReceiveMessage on SQS (Service: AWSLambda; Status Code: 400; Error Code: InvalidParameterValueException; Request ID: 202dd49f-b065-11e8-b953-13a2c43d802b).

serverless.yml

service: message-chat
frameworkVersion: "=1.30.1"
plugins:
  - serverless-dotenv-plugin

provider:
  name: aws
  runtime: nodejs8.10
  stage: ${env:STAGE}
  region: us-east-1
  memorySize: 1024
  timeout: 300
  iamRoleStatements:
  - Effect: "Allow"
    Action:
      - sqs:SendMessage
      - sqs:ReceiveMessage
      - sqs:DeleteMessage
      - sqs:GetQueueAttributes
    Resource: "${env:ARN_QUEUE_CHAT}"
  - Effect: "Allow"
    Action:
      - sqs:ListQueues
    Resource: "${env:ARN_QUEUES}"

functions:
  sender:
    handler: handler.sender
    events:
      - http:
          path: v1/chat/sender
          method: post
          cors: true
          authorizer: authorizer
  authorizer:
    handler: handler.authorizer

  receive:
    handler: handler.receive
    reservedConcurrency: 20
    events:
      - sqs:
          arn: ${env:ARN_QUEUE_CHAT}
          batchSize: 1

resources:
  Resources:
   GatewayResponseDefault4XX:
     Type: 'AWS::ApiGateway::GatewayResponse'
     Properties:
       ResponseParameters:
         gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
         gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
       ResponseType: DEFAULT_4XX
       RestApiId:
         Ref: 'ApiGatewayRestApi'

.env

# SQS INFOS
ARN_QUEUE_CHAT=arn:aws:sqs:us-east-1:...:chat-dev
ARN_QUEUES=arn:aws:sqs:us-east-1:...:*
URL_QUEUE=https://sqs.us-east-1.amazonaws.com/.../chat-dev

# TALKJS INFOS
TALKJS_URL=...
TALKJS_KEY=...

# PAPERTRAIL INFOS
PAPERTRAIL_HOST=...
PAPERTRAIL_PORT=...

# SERVERLESS INFOS
STAGE=dev
# STAGE = 'dev' or 'prod'

# JWT INFOS
JWT_SECRET=local

For obvious reasons, I hid some information.

Captura%20de%20tela%20de%202018-09-04%2015-30-15
Captura%20de%20tela%20de%202018-09-04%2015-30-151907×709 174 KB

2

The configurations look good. I just tried your exact configuration without any issues.

Try running sls remove and then deploying again.

3

I have the same error here.
In my case, I have a SQS to trigger Lambda function.
When I do a full-deployment (creating SQS and Lambda at the same time), I get this error.

4

Yes, I am reproducing this issue today in 2022 using these plugins:

"serverless": "^3.22.0",
"serverless-iam-roles-per-function": "^3.2.0",
"serverless-plugin-tracing": "^2.0.0"

How did you get around it in the end?
I tried deploying without the subscription at first and then with it on a separate deploy but it didn’t help.

Update:
It turns out that I just had to provide the right permissions at the function level with the right SQS name using the serverless-iam-roles-per-function plugin. It should also work if you set it at the provider level without that plugin.

Previously I was relying on a separate package plugin that would create the queue and permissions for me but that is seemingly something change that that behaviour is lost in that plugin and I have to do it explicitly.