2
votes

I want to add an SQS queue (a public queue of another account) as a trigger for a Lambda function (present in another account). I think it can be done with Serverless, but I am not able to add it using Serverless even when both the SQS queue and the Lambda function exist in the same account. Kindly suggest how I can do this.

Explaining more: public SQS queue S1 is created in account X; Lambda L1 is in another account, Y.

How can I add sqs S1 as a trigger point of lambda L1?

I want a command, something like the SNS one: aws sns subscribe --topic-arn <Amazon SNS topic ARN> --protocol lambda --notification-endpoint arn:aws:lambda:us-east-1:B:function:SNS-X-Account


2 Answers

0
votes

You would need an SQS queue policy that looks something like this:

{
  "Version":"2012-10-17",
  "Id":"sqsQueuePolicy",
  "Statement":[{
      "Sid":"Allow-other-account-to-use-queue",
      "Effect":"Allow",
      "Principal":{
        "AWS":"[ACCOUNT-Y]"
      },
      "Action":"sqs:*",
      "Resource":"arn:aws:sqs:us-east-1:[ACCOUNT-X]:S1",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:lambda:[ACCOUNT-Y-REGION]:[ACCOUNT-Y]:function:L1"
        }
      }
    }
  ]
}

The CloudFormation would be something like this in account X:

sqsQueue:
  Type: 'AWS::SQS::Queue'
  Properties:
    QueueName: !Sub '${projectName}-ConsumerQueue'

policyQueueConsumer:
  Type: 'AWS::SQS::QueuePolicy'
  Properties:
    PolicyDocument:
      Id: !Sub '${projectName}-ConsumerQueuePolicy'
      Version: '2012-10-17'
      Statement:
      - Sid: 'AllowConsumerSnsToSqsPolicy'
        Effect: 'Allow'
        Principal:
          AWS: '${ACCOUNT-Y}'
        Action:
          - sqs:ChangeMessageVisibility
          - sqs:DeleteMessage
          - sqs:GetQueueAttributes
          - sqs:ReceiveMessage
          - sqs:SendMessage
        Resource: !GetAtt sqsQueue.Arn
        Condition:
          ArnEquals:
            aws:SourceArn: !Sub arn:aws:lambda:${ACCOUNT-Y-REGION}:${ACCOUNT-Y}:function:L1
    Queues:
      - !Ref sqsQueue

The CloudFormation for account Y would have the trigger mapped out like so:

sqsEventTrigger:
  Type: "AWS::Lambda::EventSourceMapping"
  Properties:
    BatchSize: 5
    Enabled: true
    EventSourceArn: 'arn:aws:sqs:us-east-1:[ACCOUNT-X]:S1'
    FunctionName: 'L1'
  DependsOn:
    - queueConsumerLambda
    - queueConsumerExecutionRole

Note that your Lambda would also need the same permissions defined in its execution role in account Y:

{
  "Version":"2012-10-17",
  "Id":"lambdaExecutionPolicy",
  "Statement":[{
      "Sid":"Allow-lambda-to-call-queue-in-other-account",
      "Effect":"Allow",
      "Action":"sqs:*",
      "Resource":"arn:aws:sqs:[ACCOUNT-X-REGION]:[ACCOUNT-X]:S1"
    }
  ]
}

I adapted my answer from my post here: AWS SQS Events On AWS Lambda at Financial Engines TechBlog

Take a look at the AWS documentation for more details: Advanced SQS Policies.
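As an added example (not code from either answer or from the linked blog post), the following Python script builds a tighter version of the account X queue policy, granting only the three actions the Lambda poller needs (the same set as the managed AWSLambdaSQSQueueExecutionRole policy) to L1's execution role rather than sqs:* to the whole account, and audits a posted policy for over-broad grants. The account IDs and the role name are constructed placeholders.

```python
# Actions the Lambda poller needs on the queue (the same set as AWS's managed
# AWSLambdaSQSQueueExecutionRole policy); anything beyond this is excess privilege.
LAMBDA_POLL_ACTIONS = ("sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes")


def build_queue_policy(queue_arn, lambda_role_arn):
    """Queue policy for account X: only L1's execution role in account Y may poll S1."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowLambdaRoleInAccountYToPoll",
            "Effect": "Allow",
            "Principal": {"AWS": lambda_role_arn},
            "Action": list(LAMBDA_POLL_ACTIONS),
            "Resource": queue_arn,
        }],
    }


def audit_queue_policy(policy):
    """Return findings for Allow statements broader than a Lambda trigger needs."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        principals = aws if isinstance(aws, list) else [aws]
        actions = [stmt["Action"]] if isinstance(stmt.get("Action"), str) else stmt.get("Action", [])
        if "*" in principals:
            findings.append(f"{sid}: principal '*' lets anyone read or write the queue")
        if any(p.isdigit() or p.endswith(":root") for p in principals):
            findings.append(f"{sid}: grants every identity in the account, not only the execution role")
        if any("*" in a for a in actions):
            findings.append(f"{sid}: wildcard action; a Lambda trigger needs only " + ", ".join(LAMBDA_POLL_ACTIONS))
        extra = sorted(a for a in actions if "*" not in a and a not in LAMBDA_POLL_ACTIONS)
        if extra:
            findings.append(f"{sid}: unneeded actions {extra}")
    return findings


# Constructed sample mirroring the account-wide sqs:* grant in the answer above
# (placeholder account IDs, not real accounts).
POSTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Allow-other-account-to-use-queue", "Effect": "Allow",
                   "Principal": {"AWS": "222222222222"}, "Action": "sqs:*",
                   "Resource": "arn:aws:sqs:us-east-1:111111111111:S1"}],
}
```

Running audit_queue_policy on POSTED_POLICY reports the account-wide principal and the wildcard action; the policy from build_queue_policy produces no findings.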

-1
votes

There has been a recent announcement by AWS in which they make this exact use case possible: SQS support for Lambda.

Assuming you can access all resources, you should be able to link SQS and Lambda directly.