4

On AWS we've implemented functionality where an AWS Lambda function pushes messages to an AWS SQS queue.

However, during this implementation I had to manually grant permissions to the AWS Lambda function to add messages to a particular queue, and this approach with manual clicks is not so good for a prod deployment.

Any suggestions on how to automate the process of adding permissions between AWS services (mainly Lambda and SQS) and create a "good" deployment package for the prod env?

user1459144
  • 4,439
  • 5
  • 28
  • 35

1 Answer

2

Each Lambda function has an attached role, which you can specify permissions for in the IAM dashboard. If you give the Lambda function's role the permission to push to an SQS queue, you're good to go. For example, attach this JSON as a custom role (see http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/SQSExamples.html):

```json
{
  "Version": "2012-10-17",
  "Id": "Queue1_Policy_UUID",
  "Statement": [
    {
      "Sid": "Queue1_SendMessage",
      "Effect": "Allow",
      "Principal": {
        "AWS": "111122223333"
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:444455556666:queue1"
    }
  ]
}
```

You can use asterisks to give permission to multiple queues, like:

```json
"Resource": "arn:aws:sqs:us-east-1:444455556666:production-*"
```

to give `sendMessage` permission to all queues that start with `production-`.

Luc Hendriks
  • 2,473
  • 13
  • 18
  • I have Lambda code in a zip file. The question is how to apply this policy manually in the AWS console (or can it somehow be part of the deployment)? – user1459144 Feb 29 '16 at 14:44
  • You cannot create a Lambda function without a role. So either first create the role and then select it during Lambda function creation, or create the role while creating the Lambda function and then head to IAM to add the permission. This can be done using the console or the API. – Luc Hendriks Feb 29 '16 at 15:34
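The question asks how to avoid the manual IAM clicks and make the Lambda-to-SQS permission part of the deployment itself, and the answer explains that the permission lives on the function's execution role. The CloudFormation template below is an added example (not code from the question, the answer, or any AWS documentation) showing both pieces declared together: the queue, an execution role whose inline identity policy allows only `sqs:SendMessage` on that one queue's ARN, and the function bound to that role. Identity policies attached to a role carry no `Principal` element; a `Principal` belongs in a resource-based SQS queue policy, which is the shape of the JSON quoted in the answer. The resource names (`WorkQueue`, `PublisherRole`, `PublisherFunction`, `production-work-queue`, `production-publisher`), the `python3.12` runtime, the handler name and the two S3 parameters are assumptions chosen for the example.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Added example: Lambda function plus an execution role that may send
  messages to exactly one SQS queue. Names below are assumptions.

Parameters:
  # Location of the zipped deployment package uploaded before deploying.
  DeploymentBucket:
    Type: String
  DeploymentKey:
    Type: String

Resources:
  # The queue the function pushes to (assumed name).
  WorkQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: production-work-queue

  # Execution role. The trust policy lets the Lambda service assume it;
  # the inline identity policy has no Principal and grants only
  # sqs:SendMessage on this queue's ARN, so no wildcard is needed.
  PublisherRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        # CloudWatch Logs write access only; nothing SQS-related.
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: SendToWorkQueue
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: WorkQueueSendMessage
                Effect: Allow
                Action: sqs:SendMessage
                Resource: !GetAtt WorkQueue.Arn

  # The function itself, bound to the role above (assumed runtime/handler).
  PublisherFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: production-publisher
      Runtime: python3.12
      Handler: handler.main
      Role: !GetAtt PublisherRole.Arn
      Code:
        S3Bucket: !Ref DeploymentBucket
        S3Key: !Ref DeploymentKey
      Environment:
        Variables:
          # !Ref on an SQS queue resolves to the queue URL.
          QUEUE_URL: !Ref WorkQueue

Outputs:
  QueueUrl:
    Value: !Ref WorkQueue
  QueueArn:
    Value: !GetAtt WorkQueue.Arn
```

Deploying it is a single command once the zip is in S3, for example `aws cloudformation deploy --template-file template.yaml --stack-name production-publisher --capabilities CAPABILITY_IAM --parameter-overrides DeploymentBucket=my-bucket DeploymentKey=publisher.zip`; re-running the same command updates the stack, so the permission and the code ship together and there is nothing left to click in the IAM console. Scoping `Resource` to the queue's ARN rather than `production-*` keeps a compromised or misbehaving function from writing to any other queue in the account.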