This message was deleted.
# generals
sparse-intern-71089
05/17/2021, 10:45 AMThis message was deleted.
p
proud-spoon-58287
05/17/2021, 10:47 AMhere the relevant code:
proud-spoon-58287
05/17/2021, 10:47 AM Copy code
console.log(' - creating global IAM Role for data feed Lambda functions')
const lambdaRole = new aws.iam.Role('iamr-data-feed-lambda', {
assumeRolePolicy: `{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "<http://lambda.amazonaws.com|lambda.amazonaws.com>"
},
"Effect": "Allow"
}
]
}`
})
console.log(' - attaching AWSLambda_FullAccess managed policy to Lambda role')
// eslint-disable-next-line no-new
new aws.iam.RolePolicyAttachment('iamrpa-data-feed-lambda-role-lambda-access-policy', {
role: lambdaRole.name,
policyArn: 'arn:aws:iam::aws:policy/AWSLambda_FullAccess'
})
console.log(' - attaching AWSLambdaVPCAccessExecutionRole managed policy to Lambda role')
// eslint-disable-next-line no-new
new aws.iam.RolePolicyAttachment('iamrpa-data-feed-lambda-role-vpc-access-policy', {
role: lambdaRole.name,
policyArn: 'arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole'
})
console.log(' - attaching AWSLambdaSQSQueueExecutionRole managed policy to Lambda role')
// eslint-disable-next-line no-new
new aws.iam.RolePolicyAttachment('iamrpa-data-feed-lambda-role-sqs-queue-policy', {
role: lambdaRole.name,
policyArn: 'arn:aws:iam::aws:policy/service-role/AWSLambdaSQSQueueExecutionRole'
})proud-spoon-58287
05/17/2021, 10:47 AManyone that could help?
proud-spoon-58287
05/17/2021, 10:47 AMI am stuck there
proud-spoon-58287
05/17/2021, 11:13 AM?
proud-spoon-58287
05/17/2021, 11:13 AMam I missing something here
proud-spoon-58287
05/17/2021, 11:43 AManyone? 🙂
g
gorgeous-country-43026
05/17/2021, 12:30 PMAWSLambdaSQSQueueExecutionRole – Permission to read a message from an Amazon Simple Queue Service (Amazon SQS) queue.
gorgeous-country-43026
05/17/2021, 12:30 PMIt says read, not write
gorgeous-country-43026
05/17/2021, 12:30 PMYou are sending a message thus you are writing
gorgeous-country-43026
05/17/2021, 12:31 PMAlso if you are consuming SQS then you'll need write permissions
gorgeous-country-43026
05/17/2021, 12:32 PMJust reading doesn't need it but that would be pretty pointless with SQS, you'll want to also update it and thus write permissions are required
gorgeous-country-43026
05/17/2021, 12:33 PMYour issue is not Pulumi specific but AWS specific and AWS IAM specific to be more exact
p
proud-spoon-58287
05/17/2021, 12:42 PMta! 🙂
proud-spoon-58287
05/17/2021, 1:05 PMis there a AWS managed policy I can use to write?
proud-spoon-58287
05/17/2021, 1:43 PM Copy code
const sqsLambdaRole = new aws.iam.Policy('policy', {
path: '/',
description: 'SQSLambdaRole',
policy: JSON.stringify({
Version: '2012-10-17',
Statement: [
{
Effect: 'Allow',
Action: [
'sqs:DeleteMessage',
'logs:CreateLogStream',
'sqs:ReceiveMessage',
'sqs:SendMessage',
'sqs:SendMessageBatch',
'sqs:GetQueueAttributes',
'logs:CreateLogGroup',
'logs:PutLogEvents'
],
Resource: '*'
}
]
})
})proud-spoon-58287
05/17/2021, 1:43 PMI have created this
proud-spoon-58287
05/17/2021, 1:43 PMbut I got the same error
g
gorgeous-country-43026
05/18/2021, 5:15 AMI suggest you try
'sqs:*'p
proud-spoon-58287
05/18/2021, 7:00 AMsure, thanks!
proud-spoon-58287
05/18/2021, 9:36 AMno luck even with that
33 Views