The IAM policy on your lambda function must not have the correct permissions. There are a few things to try:
- Can you temporarily grant `sqs:*` permissions instead of just CreateQueue and test that?
- Can you look at CloudTrail to see which API calls are getting denied?
If the lambda works fine when deployed using a zip file or from the console, then there is no issue with IAM permissions.
If it is not working as expected only when it is deployed as a container, then there must be some issue with the container configuration. Please make sure you have followed the steps as mentioned in this blog post - https://aws.amazon.com/blogs/aws/new-for-aws-lambda-container-image-support/
Have you tested the container locally?
Hello,
I agree with Indranil; it's probably a configuration issue in the container. My first guess would be that you have set one or more environment variables in the image:
- AWS_SECRET_ACCESS_KEY
- AWS_ACCESS_KEY_ID
- AWS_SESSION_TOKEN
- AWS_PROFILE
If you run the shell command `env`, it will print all your environment variables; you can do this at the end of your Dockerfile or when the lambda starts. You can also unset these with this command in your Dockerfile:
RUN unset AWS_ACCESS_KEY_ID; unset AWS_SECRET_ACCESS_KEY; unset AWS_SESSION_TOKEN; unset AWS_PROFILE
Or the image has a ~/.aws/... directory, so that the program picks up the wrong credentials (not from your role). If this is the case, run this in your Dockerfile:
RUN rm -rf ~/.aws
Find more info about how the boto3 client reads its credentials here: https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html
Good luck!
Thanks everybody for your replies!
I figured out that the problem was about how the `CreateQueue` API returns the error message. Although the error was saying that I was not authorised to execute the `CreateQueue` operation, the lack of authorisation was not about it but about the `TagQueue` one. Part of the code was trying to call
which internally, it seems, calls the `TagQueue` operation. Of course, the `TagQueue` operation requires the `sqs:TagQueue` policy, which was not available within the role. The `CreateQueue` API response was catching the internal tag queue error, replying as if something happened at that level. I hope this can help others who are running into this kind of issue.
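An added example (not code from the original thread) that models the permission check behind this resolution: a boto3 `create_queue` call with a non-empty `tags` argument needs `sqs:TagQueue` on top of `sqs:CreateQueue`, so a role policy can be checked against the call before deploying. The policies and the call below are constructed samples; only Allow statements are modelled.

```python
import fnmatch
import json

# Constructed sample: a role that only allows sqs:CreateQueue, which is what
# produced the misleading "not authorized to perform CreateQueue" error.
NARROW_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["sqs:CreateQueue"], "Resource": "*"}]}
""")

# Constructed sample: corrected policy, since creating a queue with tags also
# performs TagQueue.
FIXED_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["sqs:CreateQueue", "sqs:TagQueue"], "Resource": "*"}]}
""")


def required_actions(create_queue_kwargs):
    """Actions a CreateQueue call needs. boto3's create_queue takes an optional
    `tags` dict; when it is non-empty the call also needs sqs:TagQueue."""
    actions = {"sqs:CreateQueue"}
    if create_queue_kwargs.get("tags"):
        actions.add("sqs:TagQueue")
    return actions


def allow_patterns(policy):
    """Action patterns from Allow statements, lower-cased because IAM matches
    action names case-insensitively (with * and ? as wildcards)."""
    patterns = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        patterns.extend([action] if isinstance(action, str) else action)
    return [p.lower() for p in patterns]


def missing_actions(policy, create_queue_kwargs):
    """Required actions that no Allow statement covers; an empty set means the
    call is permitted (for the actions modelled here)."""
    patterns = allow_patterns(policy)
    return {a for a in required_actions(create_queue_kwargs)
            if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)}


if __name__ == "__main__":
    call = {"QueueName": "orders-queue", "tags": {"env": "dev"}}  # constructed call
    print("narrow policy missing:", missing_actions(NARROW_POLICY, call))
    print("fixed policy missing:", missing_actions(FIXED_POLICY, call))
```

With the narrow policy the check reports `sqs:TagQueue` as missing, which is the action the API error attributed to `CreateQueue`.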