I am trying to set up cross-account communication from an SQS queue to a Lambda function. Both resources are in the eu-central-1 region but in two different AWS accounts.
My setup is below:
ACCOUNT_A has the Lambda function.
ACCOUNT_B has the SQS queue.
I have created an IAM role in Account A and attached it to the Lambda function (ACCOUNT_A_LAMBDA_EXECUTION_ROLE). The IAM role has the AWSLambdaSQSQueueExecutionRole managed policy attached.
The SQS queue in ACCOUNT_B has the following access policy:
{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__owner_statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_B:root"
      },
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:eu-central-1:ACCOUNT_B:"
    },
    {
      "Sid": "__receiver_statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_A:role/LAMBDA_EXECUTION_ROLE"
      },
      "Action": [
        "SQS:ChangeMessageVisibility",
        "SQS:DeleteMessage",
        "SQS:ReceiveMessage",
        "SQS:GetQueueAttributes"
      ],
      "Resource": "arn:aws:sqs:eu-central-1:ACCOUNT_B:"
    }
  ]
}
I am using the AWS CLI to add the Lambda trigger, so that ACCOUNT_B_SQS_QUEUE can be added as a trigger to ACCOUNT_A_LAMBDA_FUNCTION. The following is the AWS CLI command:
aws lambda create-event-source-mapping --function-name ACCOUNT_A_LAMBDA_FUNCTION --event-source-arn ACCOUNT_B_SQS_QUEUE-arn --profile ACCOUNT_A-aws-profile --region eu-central-1
But this command fails with the following error:
An error occurred (InvalidParameterValueException) when calling the CreateEventSourceMapping operation: The provided execution role does not have permissions to call ReceiveMessage on SQS
I tried to add the Lambda trigger manually as well, and it also fails. I would appreciate it if you could help me with this.
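The error above is what CreateEventSourceMapping returns when the queue's resource policy does not grant the execution role the actions the Lambda poller needs. The following added example (not code from the question or from AWS) is a small offline checker that evaluates a queue policy against a principal ARN and queue ARN; the account ids, role name and queue name are constructed placeholders, and Condition blocks are ignored as a simplification of real IAM evaluation.

```python
import fnmatch

# Constructed placeholders for the two accounts in the question (not real ids).
QUEUE_ARN = "arn:aws:sqs:eu-central-1:222222222222:ACCOUNT_B_SQS_QUEUE"
ROLE_ARN = "arn:aws:iam::111111111111:role/ACCOUNT_A_LAMBDA_EXECUTION_ROLE"
# Actions the Lambda SQS poller needs on the queue (granted on the role side by
# the AWSLambdaSQSQueueExecutionRole managed policy; the queue policy must match).
REQUIRED = ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"]

def queue_policy(receiver_principal, resource):
    """Build the question's queue policy with a given receiver Principal and Resource."""
    return {"Version": "2008-10-17", "Statement": [
        {"Sid": "__owner_statement", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": "SQS:*", "Resource": resource},
        {"Sid": "__receiver_statement", "Effect": "Allow",
         "Principal": {"AWS": receiver_principal},
         "Action": ["SQS:ChangeMessageVisibility", "SQS:DeleteMessage",
                    "SQS:ReceiveMessage", "SQS:GetQueueAttributes"],
         "Resource": resource}]}

# As posted: the principal names a different role than the one attached to the
# function, and the Resource ARN ends before the queue name.
POSTED = queue_policy("arn:aws:iam::111111111111:role/LAMBDA_EXECUTION_ROLE",
                      "arn:aws:sqs:eu-central-1:222222222222:")
# Corrected: exact execution-role ARN and the full queue ARN.
FIXED = queue_policy(ROLE_ARN, QUEUE_ARN)

def _as_list(v):
    return v if isinstance(v, list) else [v]

def allowed_actions(policy, principal_arn, resource_arn, actions):
    """Subset of `actions` the policy grants principal_arn on resource_arn.
    Handles 'AWS' principals, Allow/Deny and '*' wildcards only (no Conditions)."""
    allowed, denied = set(), set()
    for st in policy["Statement"]:
        prin = st.get("Principal", {})
        principals = ["*"] if prin == "*" else _as_list(prin.get("AWS", []))
        if not any(p in ("*", principal_arn) for p in principals):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(st["Resource"])):
            continue
        for act in actions:  # IAM action names are case-insensitive
            if any(fnmatch.fnmatchcase(act.lower(), pat.lower()) for pat in _as_list(st["Action"])):
                (allowed if st["Effect"] == "Allow" else denied).add(act)
    return sorted(allowed - denied)

def missing_actions(policy, principal_arn=ROLE_ARN, resource_arn=QUEUE_ARN, actions=REQUIRED):
    """Required actions the queue policy does not grant; non-empty reproduces the error."""
    granted = allowed_actions(policy, principal_arn, resource_arn, actions)
    return [a for a in actions if a not in granted]
```

Running `missing_actions(POSTED)` lists all three required actions, while `missing_actions(FIXED)` returns an empty list; the same check is useful when reviewing any cross-account queue policy before granting a trigger.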
Thanks. It worked