Lambda trigger doesn't replicate to SQS source across accounts

浪尽此生 submitted on 2021-01-29 06:12:39

Question


I'm trying to add an SQS as a source/trigger to a lambda. I can do this just fine if both components reside within the same account. When I add the trigger to the lambda, the lambda trigger configuration replicates over to the SQS queue to pair the two.

When I try this same thing on my lambda when the SQS is remote in a different account, the Lambda trigger is established, but when viewing the remote SQS it doesn't show a trigger configured. This seems to result in the trigger not working on the lambda when a message is added to the queue. The SQS policy on the remote queue is also giving permissions explicitly to the other account.

Any thoughts?


Answer 1:


Scenario:

  • Amazon SQS queue in Account-A
  • AWS Lambda function in Account-B
  • Goal: SQS triggers Lambda function

Since this involves cross-account access, you will need to grant permissions for the IAM Role used by the Lambda function to access the SQS queue. (Lambda pulls from the queue, rather than SQS pushing to Lambda.)

The steps are:

  • In the SQS queue, edit the Access Policy to include permission for the IAM Role used by the Lambda function:
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT-1:root"
      },
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:ap-southeast-2:ACCOUNT-1:queue-name"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT-2:role/lambda-role-name"
      },
      "Action": [
        "SQS:ChangeMessageVisibility",
        "SQS:DeleteMessage",
        "SQS:ReceiveMessage",
        "SQS:GetQueueAttributes"
      ],
      "Resource": "arn:aws:sqs:ap-southeast-2:ACCOUNT-1:queue-name"
    }
  ]
}

The first part of this policy is automatically created by SQS and allows the owning account to use the queue. The second part allows the IAM Role from Account-2 to access the queue in Account-1. The policy was created automatically by SQS when I created the queue and provided the ARN of the IAM Role. However, I had to add SQS:GetQueueAttributes because the Lambda function calls it too.

  • In the AWS Lambda function in Account-B, click + Trigger, select SQS and enter the ARN of the SQS queue from Account-A

I tried all this and was successfully able to put a message in SQS in Account-B, and then saw Lambda process it in Account-B.
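The answer comes down to two things: the queue policy in Account-A must name the Lambda execution role from Account-B as a principal, and it must grant every action the Lambda poller makes (the one people forget is SQS:GetQueueAttributes, which is why the trigger looks configured but never fires). The following is an added example written for this page, not code from the answer above: it builds a least-privilege queue policy of the same shape as the one in the answer, and lints an existing policy to report which of the four poller actions the role is still missing. Account IDs, the queue name and the role name are made-up placeholders, and the principal check is deliberately simple (it matches the role ARN exactly or "*", and does not expand an account-root principal into that account's roles).

```python
"""Generate and lint an SQS queue access policy for a cross-account Lambda
event source mapping (the Lambda poller in Account-B reads a queue in Account-A).

Added example, not code from the Stack Overflow answer above. Account IDs,
queue name and role name are placeholders."""
import fnmatch
import json

# The four actions the Lambda event source mapping performs on the queue.
# Omitting any one of them (GetQueueAttributes is the usual omission) makes
# the poller fail even though the trigger is shown as configured on Lambda.
REQUIRED_ACTIONS = (
    "sqs:ReceiveMessage",
    "sqs:DeleteMessage",
    "sqs:GetQueueAttributes",
    "sqs:ChangeMessageVisibility",
)


def build_queue_policy(queue_arn, owner_account, lambda_role_arn):
    """Queue policy: the owning account keeps full access (what SQS creates by
    default) and the Lambda execution role in the other account gets only the
    four poller actions, scoped to this one queue."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "OwnerFullAccess",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{owner_account}:root"},
                "Action": "SQS:*",
                "Resource": queue_arn,
            },
            {
                "Sid": "CrossAccountLambdaPoller",
                "Effect": "Allow",
                "Principal": {"AWS": lambda_role_arn},
                "Action": list(REQUIRED_ACTIONS),
                "Resource": queue_arn,
            },
        ],
    }


def _as_list(value):
    # Policy JSON allows a single string wherever a list is allowed.
    return value if isinstance(value, list) else [value]


def _wild_match(pattern, value):
    # IAM compares actions and resources case-insensitively with * and ? wildcards.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _statement_covers(stmt, principal_arn, resource_arn):
    """True if the statement names this principal (exactly, or via "*") and
    its Resource matches the queue ARN. Account-root principals are not
    expanded to the roles in that account (simplification)."""
    principal = stmt.get("Principal", {})
    aws = [principal] if isinstance(principal, str) else _as_list(principal.get("AWS", []))
    if principal_arn not in aws and "*" not in aws:
        return False
    return any(_wild_match(r, resource_arn) for r in _as_list(stmt.get("Resource", [])))


def missing_actions(policy, lambda_role_arn, queue_arn):
    """Return the REQUIRED_ACTIONS the policy does not grant the role on the
    queue, in canonical order. An explicit Deny wins over any Allow, as in IAM."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny") or not _statement_covers(stmt, lambda_role_arn, queue_arn):
            continue
        bucket = allowed if effect == "Allow" else denied
        for action in REQUIRED_ACTIONS:
            if any(_wild_match(p, action) for p in _as_list(stmt.get("Action", []))):
                bucket.add(action)
    return [a for a in REQUIRED_ACTIONS if a not in allowed or a in denied]


# Constructed sample: the policy from the answer as it would look before
# sqs:GetQueueAttributes was added to the role's statement.
QUEUE_ARN = "arn:aws:sqs:ap-southeast-2:111111111111:queue-name"
LAMBDA_ROLE_ARN = "arn:aws:iam::222222222222:role/lambda-role-name"
INCOMPLETE_POLICY = {
    "Version": "2008-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "SQS:*", "Resource": QUEUE_ARN},
        {"Effect": "Allow", "Principal": {"AWS": LAMBDA_ROLE_ARN},
         "Action": ["SQS:ChangeMessageVisibility", "SQS:DeleteMessage", "SQS:ReceiveMessage"],
         "Resource": QUEUE_ARN},
    ],
}

if __name__ == "__main__":
    print("missing from sample policy:", missing_actions(INCOMPLETE_POLICY, LAMBDA_ROLE_ARN, QUEUE_ARN))
    fixed = build_queue_policy(QUEUE_ARN, "111111111111", LAMBDA_ROLE_ARN)
    print("missing from generated policy:", missing_actions(fixed, LAMBDA_ROLE_ARN, QUEUE_ARN))
    print(json.dumps(fixed, indent=2))
```

Run the lint against the queue's current policy (for example the output of `aws sqs get-queue-attributes --attribute-names Policy`) before creating the event source mapping in Account-B; an empty list means the role has everything the poller needs, and anything else is the action to add. The generated policy grants the role only those four actions on that one queue rather than SQS:*, which is the least-privilege shape to prefer for the cross-account statement.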



Source: https://stackoverflow.com/questions/62945101/lambda-trigger-doesnt-replicate-to-sqs-source-across-accounts
