Lambda service throws error execution role does not have permissions to call receiveMessage on SQS
I have a SQS queue and I want to trigger a lambda function when a message arrives in the queue. I have written the lambda function and that works successfully when I click the "Test" button. When I go to SQS and try to configure it as a lambda trigger I see the error message below.

I have created the SQS queue and lambda function using the same user and role and the lambda function has execute permissions against the same role.

I have also added the SQS receiveMessage permission, but it doesn't seem to make a difference unless I'm doing something wrong when I set it.

What could be causing the problem?

Thanks for any help


Malacology answered 2/4, 2019 at 10:52 Comment(1)
You need to check permission in the SQS itself as well. - Peggiepeggir
  • Hi, as far as I can understand your lambda needs the following permission on it (aws docs):
  • Hope it's not in a VPC.

aws_lambda_permission

  • Or maybe give it god mode on sqs:* just for testing it.

  • If that works, maybe later on you can go for specific methods only. Attached is a policy for a lambda role; you might have to change account_number to your account number if you need to invoke another lambda from this lambda.

     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Sid": "",
                 "Effect": "Allow",
                 "Action": "lambda:InvokeFunction",
                 "Resource": "arn:aws:lambda:eu-west-2:account_number:function:*"
             },
             {
                 "Sid": "",
                 "Effect": "Allow",
                 "Action": [
                     "logs:PutLogEvents",
                     "logs:CreateLogStream",
                     "logs:CreateLogGroup"
                 ],
                 "Resource": "*"
             },
             {
                 "Sid": "",
                 "Effect": "Allow",
                 "Action": [
                     "sqs:*"
                 ],
                 "Resource": "*"
             }
         ]
     }
    
Conyers answered 2/4, 2019 at 11:48 Comment(0)

Although a solution for this may have been achieved by now, since this thread was suggested to me at the top, I will post the answer for other users:

I faced the same issue even after giving SQS full access to the user. The problem is with the lambda execution role. When a lambda is created, it needs to be assigned a lambda execution role. Most users assign the auto-generated execution role while creating the lambda. That execution role does not have permissions for SQS.

So open Lambda >> click the Permissions tab >> edit the execution role at the top >> assign SQS permissions >> boom.

[edit] This is now under Configuration >> Permissions.

Thant answered 24/9, 2020 at 4:11 Comment(1)
works like a charm, thanks a million bro - Kellogg

You need the following permissions attached to the role your lambda assumes:

  • sqs:ReceiveMessage
  • sqs:DeleteMessage
  • sqs:GetQueueAttributes

In case you are using Terraform:

data "aws_iam_policy_document" "YOUR_DOCUMENT" {
  statement {
    sid       = "some_id"
    actions   = [
      "sqs:ReceiveMessage",
      "sqs:DeleteMessage",
      "sqs:GetQueueAttributes"
    ]
    resources = [
      aws_sqs_queue.YOUR_QUEUE.arn
    ]
  }
}

resource "aws_iam_policy" "YOUR_POLICY" {
  name   = "your_policy"
  policy = data.aws_iam_policy_document.YOUR_DOCUMENT.json
}

resource "aws_iam_role_policy_attachment" "POLICY_ATTACHMENT" {
  role       = aws_iam_role.YOUR_LAMBDA_ROLE.name
  policy_arn = aws_iam_policy.YOUR_POLICY.arn
}

resource "aws_lambda_function" "YOUR_LAMBDA" {
  ....
  role = aws_iam_role.YOUR_LAMBDA_ROLE.arn
  ....
}
Derte answered 1/4, 2021 at 10:27 Comment(0)
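Added example, not code from the question or any of the answers: a small standard-library Python checker that reads a role's IAM policy document and reports which of the three SQS actions listed above are missing for a given queue ARN, and which Allow statements grant them through the sqs:* on * shortcut from the earlier answer rather than a queue-scoped grant. The queue ARN and the three policy documents are constructed, and the evaluator is deliberately simplified (no Condition, NotAction, or queue resource policies).

```python
"""Check a Lambda execution role policy for the SQS actions an SQS trigger needs
and flag statements wider than least privilege. Added example, not the page's
code; stdlib only, runs offline on constructed policy documents and queue ARN."""
import fnmatch
import json
# The three actions Lambda's SQS poller needs, as listed in the answer above.
REQUIRED_SQS_ACTIONS = ("sqs:ReceiveMessage", "sqs:DeleteMessage",
                        "sqs:GetQueueAttributes")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def statement_covers(stmt, action, resource):
    """True if the statement's Action/Resource patterns match (action, resource).
    IAM action names are case-insensitive; '*' and '?' are the only wildcards."""
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))

def evaluate_policy(policy_json, queue_arn):
    """'missing': required actions not allowed on queue_arn (explicit Deny wins);
    'broad': Sids of Allow statements granting one via 'sqs:*'/'*' or Resource '*'."""
    stmts = _as_list(json.loads(policy_json)["Statement"])
    missing, broad = [], set()
    for action in REQUIRED_SQS_ACTIONS:
        allows = [s for s in stmts if s.get("Effect") == "Allow"
                  and statement_covers(s, action, queue_arn)]
        denied = any(s.get("Effect") == "Deny"
                     and statement_covers(s, action, queue_arn) for s in stmts)
        if denied or not allows:
            missing.append(action)
        for s in allows:
            wide = any(a.lower() in ("*", "sqs:*") for a in _as_list(s["Action"]))
            if wide or "*" in _as_list(s.get("Resource", [])):
                broad.add(s.get("Sid") or "<no Sid>")
    return {"missing": missing, "broad": sorted(broad)}

# Constructed inputs (not real account values): one queue ARN, three policies.
QUEUE_ARN = "arn:aws:sqs:eu-west-2:123456789012:orders-queue"
# Auto-generated basic execution role: CloudWatch Logs only, so the trigger fails.
LOGS_ONLY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
    "Resource": "*"}]})
# "God mode" from the first answer: works, but far wider than the trigger needs.
GOD_MODE = json.dumps({"Version": "2012-10-17", "Statement": [{"Sid": "AllSqs",
    "Effect": "Allow", "Action": ["sqs:*"], "Resource": "*"}]})
# Least-privilege version of the answer above, scoped to the one queue ARN.
SCOPED = json.dumps({"Version": "2012-10-17", "Statement": [{"Sid": "SqsPoll",
    "Effect": "Allow", "Action": list(REQUIRED_SQS_ACTIONS), "Resource": QUEUE_ARN}]})
```

Running evaluate_policy(LOGS_ONLY, QUEUE_ARN) reports all three actions missing, which is exactly the state of the default role that produces the error in the question; GOD_MODE passes but is flagged as broad, and SCOPED passes cleanly.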

I experienced a similar issue when trying to add an SQS trigger to my Lambda function.

An error occurred when creating the trigger: The provided execution role does not have permissions to call ReceiveMessage on SQS

The way I solved it was to simply add permissions to call ReceiveMessage on SQS in the execution role of the Lambda function.

To do this simply:

  • Go to IAM in the AWS Console
  • Click on roles
  • Select your Lambda function execution role, or create one if you don't already have one
  • Add the AWS managed AWSLambdaSQSQueueExecutionRole policy to the role. The policy contains all the permissions to call the required actions on SQS from Lambda. The ARN of the policy is arn:aws:iam::aws:policy/service-role/AWSLambdaSQSQueueExecutionRole.
  • Save the role, and then try again to add the trigger. This time it will work fine.
Epithelium answered 29/1, 2023 at 21:4 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.