
Send a message from a Lambda in account A to an SQS queue in account B

I need to send a message from a Lambda in account A to an SQS queue in another account B.

In account B, I have created the SQS queue like this:

Resources:
    SampleSqs:
      Type: "AWS::SQS::Queue"
      Properties:
        QueueName: sample-sqs-service-queue.fifo
        FifoQueue: true
        VisibilityTimeout: 400
        ContentBasedDeduplication: true

and created the access role policy as:

    SqsRole:
      Type: AWS::IAM::Role
      Properties:
        RoleName: sample-sqs-Account-Role
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                AWS:
                  - arn:aws:iam::<Account-A>:root
              Action: sts:AssumeRole
        ManagedPolicyArns:
          - arn:aws:iam::aws:policy/AmazonSQSFullAccess

I also tried adding the SQS queue as a resource under the statement section, but it fails at deployment time with the message below:

SqsRole - Has prohibited field Resource (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument;

In account A, I am trying to access the account B SQS queue SampleSqs by importing the queue URL, but I am getting access denied. Code for account A:

  iamRoleStatements:
    - Effect: Allow
      Action:
        - sts:AssumeRole
      Resource:
        - arn:aws:iam::<Account-B>:role/sample-sqs-Account-Role

I am trying to access that SQS queue through its URL in my code, but I am getting access denied.

I am quite new to AWS and the Serverless Framework. Could someone please help me with the Serverless code setup I require on both sides to give account A access to account B's SQS queue?


Have you checked the Amazon documentation on this error: https://aws.amazon.com/premiumsupport/knowledge-center/iam-principal-policy/

More importantly, I do not know your exact scenario here, but I would think that instead of creating a whole role in account B to be assumed to access SQS, it would be easier and probably more appropriate to simply grant the necessary permissions by changing the policy on the SQS queue (resource policy).

There are very easy-to-understand examples directly addressing this use case here: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-basic-examples-of-sqs-policies.html
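The resource-policy approach from the answer above, written out as an added example (this is not code from the asker or the answerer). Two points explain the original failure and the fix: a role's `AssumeRolePolicyDocument` is a trust policy, and trust policies do not accept a `Resource` element, which is why CloudFormation rejected the queue ARN there; the queue ARN belongs either in a queue policy (`AWS::SQS::QueuePolicy`) in account B or in an identity policy in account A, and for cross-account access both must allow the call. The role name `<lambda-role-name>` for the account A function, the `<region>` placeholder, and the account placeholders are assumptions; substitute your own values. The principal is the function's role rather than `arn:aws:iam::<Account-A>:root`, and only `sqs:SendMessage` plus the two read-only queue lookups are granted, instead of `AmazonSQSFullAccess`.

```yaml
# --- account B: serverless.yml "resources" section (added example) ---
# Assumption: the sending Lambda in account A executes under the role
#   arn:aws:iam::<Account-A>:role/<lambda-role-name>   (hypothetical role name)
resources:
  Resources:
    SampleSqs:
      Type: AWS::SQS::Queue
      Properties:
        QueueName: sample-sqs-service-queue.fifo
        FifoQueue: true
        VisibilityTimeout: 400
        ContentBasedDeduplication: true

    # Resource-based policy attached to the queue. Unlike a role's trust
    # policy, a queue policy may (and must) name the queue in Resource.
    SampleSqsPolicy:
      Type: AWS::SQS::QueuePolicy
      Properties:
        Queues:
          - Ref: SampleSqs
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Sid: AllowAccountALambdaToSend
              Effect: Allow
              Principal:
                # Scope to the specific execution role, not the account root,
                # so no other identity in account A inherits the grant.
                AWS: arn:aws:iam::<Account-A>:role/<lambda-role-name>
              Action:
                - sqs:SendMessage
                - sqs:GetQueueUrl
                - sqs:GetQueueAttributes
              Resource:
                Fn::GetAtt: [SampleSqs, Arn]

---
# --- account A: serverless.yml "provider" section (added example) ---
# The function's own role needs a matching identity-based allow; no
# sts:AssumeRole is involved because no role in account B is assumed.
provider:
  name: aws
  region: <region>
  iamRoleStatements:
    - Effect: Allow
      Action:
        - sqs:SendMessage
        - sqs:GetQueueUrl
        - sqs:GetQueueAttributes
      # Queue ARN in account B; <region> must be the queue's region.
      Resource: arn:aws:sqs:<region>:<Account-B>:sample-sqs-service-queue.fifo
```

In the function code, address the queue by the account B URL (`https://sqs.<region>.amazonaws.com/<Account-B>/sample-sqs-service-queue.fifo`); with the SDK you can also resolve it by passing the owner account ID to the get-queue-URL call, which is what the `sqs:GetQueueUrl` grant is for. Because the queue is FIFO, every send must carry a `MessageGroupId`; a deduplication ID is optional here only because `ContentBasedDeduplication` is enabled. If you see AccessDenied after deploying, check both policies: a deny or a missing allow on either side fails the cross-account call.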
