
proud-spoon-58287

05/17/2021, 10:45 AM
Hi all, I am having the following error:
aws:lambda:Function (data-feed-property-data-fetcher):
    error: 1 error occurred:
        * error creating Lambda Function (1): InvalidParameterValueException: The provided execution role does not have permissions to call SendMessage on SQS
    {
      RespMetadata: {
        StatusCode: 400,
        RequestID: "1ca54399-576d-40bc-829a-c2c31790fd72"
      },
      Message_: "The provided execution role does not have permissions to call SendMessage on SQS",
      Type: "User"
    }
as per AWS docs, I have attached the following policy:
arn:aws:iam::aws:policy/service-role/AWSLambdaSQSQueueExecutionRole
but I got the same error. I am using the latest version of pulumi and aws in node.
here the relevant code:
// Assumed import for this snippet (not shown in the original post): the Pulumi AWS provider.
import * as aws from '@pulumi/aws'

console.log('  - creating global IAM Role for data feed Lambda functions')

// Execution role that the Lambda service is allowed to assume
const lambdaRole = new aws.iam.Role('iamr-data-feed-lambda', {
  assumeRolePolicy: `{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "sts:AssumeRole",
        "Principal": {
          "Service": "lambda.amazonaws.com"
        },
        "Effect": "Allow"
      }
    ]
  }`
})

console.log('  - attaching AWSLambda_FullAccess managed policy to Lambda role')

// eslint-disable-next-line no-new
new aws.iam.RolePolicyAttachment('iamrpa-data-feed-lambda-role-lambda-access-policy', {
  role: lambdaRole.name,
  policyArn: 'arn:aws:iam::aws:policy/AWSLambda_FullAccess'
})

console.log('  - attaching AWSLambdaVPCAccessExecutionRole managed policy to Lambda role')

// eslint-disable-next-line no-new
new aws.iam.RolePolicyAttachment('iamrpa-data-feed-lambda-role-vpc-access-policy', {
  role: lambdaRole.name,
  policyArn: 'arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole'
})

console.log('  - attaching AWSLambdaSQSQueueExecutionRole managed policy to Lambda role')

// eslint-disable-next-line no-new
new aws.iam.RolePolicyAttachment('iamrpa-data-feed-lambda-role-sqs-queue-policy', {
  role: lambdaRole.name,
  policyArn: 'arn:aws:iam::aws:policy/service-role/AWSLambdaSQSQueueExecutionRole'
})
anyone that could help?
I am stuck there
?
am I missing something here
anyone? 🙂

gorgeous-country-43026

05/17/2021, 12:30 PM
AWSLambdaSQSQueueExecutionRole – Permission to read a message from an Amazon Simple Queue Service (Amazon SQS) queue.
It says read, not write
You are sending a message thus you are writing
Also if you are consuming SQS then you'll need write permissions
Just reading doesn't need it but that would be pretty pointless with SQS, you'll want to also update it and thus write permissions are required
Your issue is not Pulumi specific but AWS specific and AWS IAM specific to be more exact

proud-spoon-58287

05/17/2021, 12:42 PM
ta! 🙂
is there an AWS managed policy I can use to write?
// Customer-managed IAM policy granting SQS send/receive/delete and CloudWatch Logs access
const sqsLambdaRole = new aws.iam.Policy('policy', {
  path: '/',
  description: 'SQSLambdaRole',
  policy: JSON.stringify({
    Version: '2012-10-17',
    Statement: [
      {
        Effect: 'Allow',
        Action: [
          'sqs:DeleteMessage',
          'logs:CreateLogStream',
          'sqs:ReceiveMessage',
          'sqs:SendMessage',
          'sqs:SendMessageBatch',
          'sqs:GetQueueAttributes',
          'logs:CreateLogGroup',
          'logs:PutLogEvents'
        ],
        Resource: '*'
      }
    ]
  })
})
I have created this
but I got the same error

gorgeous-country-43026

05/18/2021, 5:15 AM
I suggest you try
'sqs:*'
and see if it works after that. AWS IAM permissions are a pain in the ass in general.

proud-spoon-58287

05/18/2021, 7:00 AM
sure, thanks!
no luck even with that