I am trying to set up cross-account communication from an SQS queue to a Lambda function. Both resources are in the eu-central-1 region but in two different AWS accounts.
My setup is below:
AccountA has the Lambda function
AccountB has the SQS queue
I have created an IAM role in Account A and attached it to the Lambda function (AccountA_LAMBDA_EXECUTION_ROLE). The IAM role has the following permissions:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "sqs:DeleteMessage",
                "sqs:GetQueueUrl",
                "sqs:ListDeadLetterSourceQueues",
                "sqs:ChangeMessageVisibility",
                "sqs:PurgeQueue",
                "sqs:ReceiveMessage",
                "sqs:DeleteQueue",
                "sqs:SendMessage",
                "sqs:GetQueueAttributes",
                "sqs:ListQueueTags",
                "sqs:CreateQueue",
                "sqs:SetQueueAttributes"
            ],
            "Resource": "<AccountB_SQS_QUEUE_ARN>"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "sqs:ListQueues",
            "Resource": "*"
        }
    ]
}
The SQS queue has the following access policy:
{
    "Version": "2012-10-17",
    "Id": "Queue1_Policy_UUID",
    "Statement": [
        {
            "Sid": "Queue1_AllActions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "<AccountA_LAMBDA_EXECUTION_ROLE>"
            },
            "Action": "sqs:*",
            "Resource": "<AccountB_SQS_QUEUE_ARN>"
        }
    ]
}
I am using the AWS CLI to add the Lambda trigger, so that AccountB_SQS_QUEUE can be added as a trigger to AccountA_LAMBDA_FUNCTION. The following is the AWS CLI command:
aws lambda create-event-source-mapping --function-name AccountA_LAMBDA_FUNCTION_NAME --event-source-arn AccountB_SQS_QUEUE_ARN --profile AccountA_PROFILE --region eu-central-1
But this command failed with an error:
An error occurred (InvalidParameterValueException) when calling the CreateEventSourceMapping operation: The provided execution role does not have permissions to call ReceiveMessage on SQS
I am following this tutorial from AWS, but it is not successful. What went wrong here?
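An offline check, added here as an example and not part of the question, that evaluates both policies on paper against the three actions Lambda's SQS poller needs on the source queue (sqs:ReceiveMessage, sqs:DeleteMessage, sqs:GetQueueAttributes). It uses the two policies from the question with constructed, fake account ids and a hypothetical ROLE_ARN / QUEUE_ARN filled in for the placeholders; it also flags a statement whose Resource or Principal does not match the real ARNs.

```python
import fnmatch

# Actions Lambda's SQS poller needs on the source queue (documented by AWS).
REQUIRED = {"sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"}

# Constructed placeholder ARNs; the account ids are fake.
ROLE_ARN = "arn:aws:iam::111111111111:role/AccountA_LAMBDA_EXECUTION_ROLE"
QUEUE_ARN = "arn:aws:sqs:eu-central-1:222222222222:AccountB_SQS_QUEUE"

# The two policies from the question, with the placeholders filled in.
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": QUEUE_ARN, "Action": [
        "sqs:DeleteMessage", "sqs:ReceiveMessage", "sqs:GetQueueAttributes",
        "sqs:ChangeMessageVisibility", "sqs:SendMessage"]},
    {"Effect": "Allow", "Action": "sqs:ListQueues", "Resource": "*"}]}
QUEUE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
     "Action": "sqs:*", "Resource": QUEUE_ARN}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(pattern, value):
    # IAM wildcard semantics (* and ?); action names compare case-insensitively.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def _principal_ok(principal, arn):
    # Resource policies name the caller; "*" means anyone. Only "AWS" principals handled.
    if principal == "*":
        return True
    return any(_matches(p, arn) for p in _as_list((principal or {}).get("AWS", [])))

def granted_actions(policy, principal_arn=None, resource_arn=QUEUE_ARN):
    """Subset of REQUIRED granted on resource_arn; pass principal_arn for a queue policy."""
    allowed = set()
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if principal_arn is not None and not _principal_ok(st.get("Principal"), principal_arn):
            continue
        if not any(_matches(r, resource_arn) for r in _as_list(st.get("Resource", []))):
            continue  # e.g. a placeholder left literally as "<AccountB_SQS_QUEUE_ARN>"
        for action in _as_list(st.get("Action", [])):
            allowed |= {a for a in REQUIRED if _matches(action, a)}
    return allowed

def missing_for_mapping(role_policy, queue_policy):
    """Required actions not granted by the role side or the queue side (empty = both OK)."""
    return (REQUIRED - granted_actions(role_policy)) | (
        REQUIRED - granted_actions(queue_policy, principal_arn=ROLE_ARN))
```

This checks only the IAM policy text (no Deny statements, conditions or SCPs are modelled), so an empty result means the policies as written are sufficient, not that the live resources are.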