错误代码：AccessDeniedException。 用户：arn:aws:iam::xxx:user/xxx 无权执行：lambda:CreateEventSourceMapping on resource：*

Question

This question is related to this :

Setup:

Account A (containing the SQS Queue)

Account B (contains the lambda function that will be triggered by SQS Queue in Account A)

This is the lambda resource policy in Account B

  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT-A:user/USER-ACCOUNT-A"
      },
      "Action": "lambda:*",
      "Resource": "arn:aws:lambda:eu-north-1:ACCOUNT-B:function:FUNCTION-ACCOUNT-B"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "sqs.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:eu-north-1:ACCOUNT B:function:FUNCTION-ACCOUNT-B",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": ACCOUNT A
        },
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:sqs:eu-north-1:ACCOUNT-A:QUEUE-ACCOUNT A"
        }
      }
    }
  ]
}

and this is the SQS permission policy in Account A

  "Statement": [
    {
      "Sid": "__owner_statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT-A:root"
      },
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:eu-north-1:ACCOUNT-A:QUEUE-NAME-ACCOUNT-A"
    },
    {
      "Sid": "__receiver_statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT-B:root"
      },
      "Action": [
        "SQS:ChangeMessageVisibility",
        "SQS:DeleteMessage",
        "SQS:ReceiveMessage"
      ],
      "Resource": "arn:aws:sqs:eu-north-1:ACCOUNT-A:QUEUE-NAME-ACCOUNT-A"
    },
    {
      "Sid": "Permission to LambdaRole",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT-B:role/LAMBDA-EXECUTION-ROLE-ACCOUNT-B"
      },
      "Action": [
        "SQS:ChangeMessageVisibility",
        "SQS:DeleteMessage",
        "SQS:ReceiveMessage",
        "SQS:GetQueueAttributes"
      ],
      "Resource": "arn:aws:sqs:eu-north-1:ACCOUNT-A:QUEUE-NAME-ACCOUNT-A"
    }
  ]
}

When user in Account A tries to add lambda trigger from SQS, the following AccessDenied Error shows up:

Error code: AccessDeniedException. Error message: User: arn:aws:iam::xxxxxxxx:user/xxx is not authorized to perform: lambda:CreateEventSourceMapping on resource: *

I also tried to add the trigger from the lambda function (just for testing as this is not something I want), but I got the following error:

An error occurred when creating the trigger: The provided execution role does not have permissions to call GetQueueAttributes on SQS (Service: AWSLambda; Status Code: 400; Error Code: InvalidParameterValueException; Request ID: xxx; Proxy: null)

My Lambda Role has "AmazonSQSFullAccess" permission. So I really don't know what's going on here.

Can someone help with this please?

UPDATE

I found a bug in the SQS permission policy and fixing this solved the second error:

An error occurred when creating the trigger: The provided execution role does not have permissions to call GetQueueAttributes on SQS (Service: AWSLambda; Status Code: 400; Error Code: InvalidParameterValueException; Request ID: xxx; Proxy: null)

However as mentioned earlier I would need that the user in Account A add a lambda trigger from SQS Queue (which is creating the first error I posted above) rather than the other way round. Is that possible at all?

Answer 1

Your IAM policy is probably limited to the lambda function type resource but it also needs the event-source-mapping resource.

"Resource": [
  "arn:aws:lambda:*:<YOUR_ACCOUNT_ID>:function:*",
  "arn:aws:lambda:*:<YOUR_ACCOUNT_ID>:event-source-mapping:*"
]

Or just say screw IAM and go with '*' .

The list of resources can be found here: Resources and conditions for Lambda actions