
I am mostly trying to figure out if what I need is even possible, if someone has pointers as to how, that would be even better.

I have an access key/secret from an organisation I work with, that grants access to an AWS SQS queue (I also have the ARN for that queue). Now I would like to use AWS lambda polling on that queue to execute a lambda function on incoming messages. I fail to figure out how to connect the external SQS with my lambda function. I can put the ARN but then the permissions are missing. I wonder if I can add the access key/secret somewhere or if that is altogether impossible and I have to implement the polling on my own?

ChristianM
  • Did the answer help? Do you need any further assistance with it? If you made it work, please accept the answer to award reputation points. Thanks! – MLu Sep 23 '18 at 21:49

1 Answer


Do I understand it right that the SQS is in one AWS account and your Lambda is in another?

If it's in the same account you should not use static access and secret keys for Lambda execution. The correct way is to create an IAM Role with a Policy that permits SQS access and execute the Lambda with that Role. The Role will give it temporary credentials every time it's executed; that's a much more secure option.

This can also be done across accounts - the Lambda IAM Role will allow it to assume a role from a different account. But that's a little more involved.

In your case, if the SQS and Lambda accounts are different you can supply the keys when opening a connection to SQS. If your Lambda is written in Python you can do something like this:

import os

import boto3

s3_client = boto3.client('s3')    # This uses Lambda's IAM Role

# The other account's static keys. Read them from the environment (or a
# secrets store) rather than hard-coding them in the function source;
# the variable names here are just placeholders.
ACCESS_KEY = os.environ['SQS_ACCESS_KEY_ID']
SECRET_KEY = os.environ['SQS_SECRET_ACCESS_KEY']

sqs_client = boto3.client('sqs',  # This uses the provided SQS credentials
    aws_access_key_id=ACCESS_KEY,
    aws_secret_access_key=SECRET_KEY,
)

With that you can read from SQS using the provided credentials and write e.g. to S3 using the Lambda IAM Role.

I'm sure other SDKs (e.g. Node.JS) will have a similar capability.

Hope that helps :)

MLu
  • Yep, correctly understood. I can obviously implement polling like that myself (which I did by now) but I had hoped to avoid that, because now I need to trigger this lambda via CloudWatch cron events. I would obviously have liked to only execute when there is actually something in the queue. But it seems really not possible. – ChristianM Sep 26 '18 at 11:41
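As an added example (not code from the question or the answer above), here is what the scheduled-invocation approach described in the comment looks like end to end: a handler that long-polls the other account's queue with the supplied keys, archives each message to S3 under the function's own execution role, and deletes the batch from SQS only after the archive write succeeded. The environment variable names (EXT_SQS_ACCESS_KEY_ID, EXT_SQS_SECRET_ACCESS_KEY, EXT_SQS_QUEUE_URL, EXT_SQS_REGION, ARCHIVE_BUCKET) and the S3 key layout are assumptions of this example. boto3 is imported inside build_clients so the polling logic can be exercised with stub clients.

```python
"""Added example, not from the original post. Polls a queue that lives in
another AWS account with credentials that account handed out, while every
other AWS call runs under the Lambda execution role.

Assumed (hypothetical) configuration, passed as environment variables:
  EXT_SQS_ACCESS_KEY_ID / EXT_SQS_SECRET_ACCESS_KEY  the foreign keys
  EXT_SQS_QUEUE_URL, EXT_SQS_REGION                  the foreign queue
  ARCHIVE_BUCKET                                     our own S3 bucket
"""
import os


def build_clients():
    """Create the two clients. Only the SQS client carries the foreign
    static keys; the S3 client uses the default credential chain, which in
    Lambda is the execution role (temporary, rotated credentials)."""
    import boto3  # imported here so the functions below are testable without the SDK

    s3 = boto3.client("s3")
    sqs = boto3.client(
        "sqs",
        region_name=os.environ.get("EXT_SQS_REGION", "us-east-1"),
        aws_access_key_id=os.environ["EXT_SQS_ACCESS_KEY_ID"],
        aws_secret_access_key=os.environ["EXT_SQS_SECRET_ACCESS_KEY"],
    )
    return sqs, s3


def poll_queue(sqs, queue_url, max_messages=10, wait_seconds=20):
    """Long-poll one batch. Returns the list of raw SQS message dicts;
    an empty list means the queue had nothing for us this run."""
    resp = sqs.receive_message(
        QueueUrl=queue_url,
        MaxNumberOfMessages=max_messages,
        WaitTimeSeconds=wait_seconds,  # long polling cuts down empty receives
    )
    return resp.get("Messages", [])


def archive_and_delete(sqs, s3, queue_url, bucket, messages):
    """Write each message body to S3 (execution-role credentials), then delete
    the batch from SQS (foreign credentials). Returns the number of messages
    SQS confirmed as deleted; anything not confirmed becomes visible again
    after the queue's visibility timeout and is picked up by a later run."""
    if not messages:
        return 0
    for msg in messages:
        s3.put_object(
            Bucket=bucket,
            Key=f"sqs/{msg['MessageId']}",  # assumed key layout
            Body=msg["Body"].encode("utf-8"),
        )
    resp = sqs.delete_message_batch(
        QueueUrl=queue_url,
        Entries=[
            {"Id": m["MessageId"], "ReceiptHandle": m["ReceiptHandle"]}
            for m in messages
        ],
    )
    return len(resp.get("Successful", []))


def lambda_handler(event, context):
    """Entry point for the CloudWatch scheduled (cron) invocation."""
    sqs, s3 = build_clients()
    queue_url = os.environ["EXT_SQS_QUEUE_URL"]
    bucket = os.environ["ARCHIVE_BUCKET"]
    messages = poll_queue(sqs, queue_url)
    deleted = archive_and_delete(sqs, s3, queue_url, bucket, messages)
    return {"received": len(messages), "deleted": deleted}
```

Because the foreign keys are long-lived, keep them out of the deployment package and the function's source: inject them through environment variables or a secrets store, and give the Lambda execution role only the S3 permissions it needs, so a leak of one credential does not expose the other side.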