
I have an SQS queue which triggers a Lambda.

When I put a message in the SQS queue it shows the message in flight, and my Lambda is not able to process the message.

My Lambda has the below permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "sqs:DeleteMessage",
                "sqs:GetQueueUrl",
                "sqs:ListDeadLetterSourceQueues",
                "sqs:DeleteMessageBatch",
                "sqs:ReceiveMessage",
                "sqs:GetQueueAttributes",
                "sqs:ListQueueTags"
            ],
            "Resource": "*"
        }
    ]
}

Also it has the below permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "logs:CreateLogGroup",
            "Resource": "arn:aws:logs:us-east-1:5722*****:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:5722****:log-group:/aws/lambda/815223_Test:*"
            ]
        }
    ]
}

When I attach the "AdministratorAccess" permission it works and the Lambda gets triggered. I am not sure which permission I am missing here. My SQS queue is unencrypted.

Oxi: Is your Lambda function doing anything more than console.log?
AWS_Beginner: @Oxi No, it only reads messages from SQS.
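As an added example (not part of the question or of any answer), the following Python checker does mechanically what the poster is doing by hand: given an IAM policy document and the three actions the Lambda SQS poller needs on the source queue (sqs:ReceiveMessage, sqs:DeleteMessage and sqs:GetQueueAttributes, per the Lambda documentation for SQS event source mappings), it reports which of them are allowed, explicitly denied, or absent for a given queue ARN. It handles IAM's case-insensitive action names and `*`/`?` wildcards and lets an explicit Deny win over an Allow. It deliberately ignores Condition blocks and rejects NotAction/NotResource statements, so "allowed" here is necessary but not sufficient for a real call to succeed. The embedded policy is the execution-role statement from the question; the account ID and queue ARN are made up.

```python
import fnmatch

# Execution-role statement copied from the question above, used as sample input.
EXECUTION_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "sqs:DeleteMessage",
                "sqs:GetQueueUrl",
                "sqs:ListDeadLetterSourceQueues",
                "sqs:DeleteMessageBatch",
                "sqs:ReceiveMessage",
                "sqs:GetQueueAttributes",
                "sqs:ListQueueTags",
            ],
            "Resource": "*",
        }
    ],
}

# Actions the Lambda poller needs on the source queue (Lambda documentation
# for SQS event source mappings).
POLLER_ACTIONS = ("sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes")


def _as_list(value):
    """IAM allows either a single string or a list in Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and may use '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(statement, resource_arn):
    """Resource ARNs are case-sensitive but also accept '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(statement.get("Resource")))


def action_coverage(policy, required_actions, resource_arn):
    """Return (allowed, denied, missing) frozensets for required_actions on resource_arn.

    Only Effect, Action and Resource are evaluated: Condition blocks are ignored
    and NotAction/NotResource statements are rejected (a stated simplification).
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        if "NotAction" in stmt or "NotResource" in stmt:
            raise ValueError("NotAction/NotResource statements are not supported")
        if not _resource_matches(stmt, resource_arn):
            continue
        patterns = _as_list(stmt.get("Action"))
        bucket = denied if stmt.get("Effect") == "Deny" else allowed
        for action in required_actions:
            if any(_action_matches(p, action) for p in patterns):
                bucket.add(action)
    allowed -= denied  # an explicit Deny always overrides an Allow
    missing = set(required_actions) - allowed - denied
    return frozenset(allowed), frozenset(denied), frozenset(missing)


if __name__ == "__main__":
    queue_arn = "arn:aws:sqs:us-east-1:123456789012:example-queue"  # made-up ARN
    allowed, denied, missing = action_coverage(EXECUTION_ROLE_POLICY, POLLER_ACTIONS, queue_arn)
    print("allowed:", sorted(allowed))
    print("denied: ", sorted(denied))
    print("missing:", sorted(missing))
```

Run against the question's policy, all three poller actions come back as allowed, which is why attaching AdministratorAccess is not a meaningful diagnostic: the identity policy is not what is short. The remaining places a denial can come from are the ones this checker does not model, namely a Deny in the queue policy, an SCP or permissions boundary, or a Condition on an existing statement. A queue encrypted with SSE-KMS would additionally need kms:Decrypt on the key, which the poster has already ruled out by stating the queue is unencrypted.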

1 Answer


Have a look at CloudTrail to identify the root cause of the API failure. Also check the queue policy being used for your SQS queue.

You only need the below permissions for a default SQS and Lambda combination.

- "SQS:SendMessage"
- "SQS:ReceiveMessage"
- "SQS:DeleteMessage"
- "SQS:GetQueueAttributes"

Below is a sample CloudFormation template for your reference.

AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Creates the SQS and Lambda pattern
Resources:
  # SQS queue and queue policy
  FileProcessingEventsQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: "FileProcessingEventsQueue"
      # Keep the visibility timeout at least six times the function timeout
      # (AWS guidance for SQS event source mappings), so a slow invocation does
      # not make the message visible again while it is still being processed.
      VisibilityTimeout: 360
  FileProcessingEventsQueuePolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - !Ref FileProcessingEventsQueue
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Grant the execution role itself rather than "AWS: *" with an
          # aws:SourceAccount condition: that key is only present when an AWS
          # service calls on behalf of a resource, so it never matches the
          # poller's own calls made with the role's credentials.
          - Action:
              - "SQS:SendMessage"
              - "SQS:ReceiveMessage"
              - "SQS:DeleteMessage"
              - "SQS:GetQueueAttributes"
            Effect: "Allow"
            Resource: !GetAtt FileProcessingEventsQueue.Arn
            Principal:
              AWS: !GetAtt LambdaExecutionRole.Arn
  # Lambda function and role for handling the SQS events
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: "sts:AssumeRole"
      ManagedPolicyArns:
        # CloudWatch Logs permissions (CreateLogGroup, CreateLogStream, PutLogEvents)
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: InlinePolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Action:
                  # ReceiveMessage, DeleteMessage and GetQueueAttributes are what
                  # the Lambda poller needs; SendMessage is only required if the
                  # function also publishes to this queue.
                  - "SQS:SendMessage"
                  - "SQS:ReceiveMessage"
                  - "SQS:DeleteMessage"
                  - "SQS:GetQueueAttributes"
                Effect: Allow
                # Scoped to this queue instead of "*"
                Resource: !GetAtt FileProcessingEventsQueue.Arn
  LambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      Description: "Lambda for the event processing"
      # python3.7 has reached end of support and can no longer be used to
      # create functions; use a currently supported runtime.
      Runtime: "python3.12"
      Role: !GetAtt LambdaExecutionRole.Arn
      Handler: index.handler
      MemorySize: 128
      Timeout: 60
      Code:
        ZipFile: |
          import json
          import logging

          # Configure logging

          LOGGER = logging.getLogger(__name__)
          LOGGER.setLevel(logging.DEBUG)

          def handler(event, context):
              # Each record in event["Records"] is one SQS message; log the whole batch
              LOGGER.debug(json.dumps(event, indent=4, default=str))
              data = {'status': 'event printed'}
              return data
  SQSAndLambdaMapping:
    Type: AWS::Lambda::EventSourceMapping
    Properties:
      EventSourceArn: !GetAtt FileProcessingEventsQueue.Arn
      FunctionName: !GetAtt LambdaFunction.Arn
Outputs:
  SQSQueue:
    Description: File processing queue
    Value: !Ref FileProcessingEventsQueue
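The answer above points at CloudTrail to find the failing API call. As an added example (not from the answer, the poster, or AWS), here is a Python helper that takes the output of `aws cloudtrail lookup-events` (the CLI returns each record as a JSON string in the CloudTrailEvent field), keeps only the calls that failed with an AccessDenied-style error code, optionally restricts them to sessions issued by the Lambda execution role, and pulls the denied action and resource out of the standard IAM error message. The sample records, account ID, role names, queue name and KMS key ID are all constructed; the KMS Decrypt record illustrates the SSE-KMS case the poster ruled out. Note that only SQS management calls such as GetQueueAttributes show up in a trail by default; ReceiveMessage and DeleteMessage are data-plane calls that a trail does not record unless data event logging covers them.

```python
import json
import re

# Constructed sample in the shape returned by `aws cloudtrail lookup-events`:
# each entry's CloudTrailEvent field is the raw event record as a JSON string.
# Account ID, role names, queue name and key ID are made up.
_SESSION_ARN = "arn:aws:sts::123456789012:assumed-role/lambda-exec-role/example"
_LAMBDA_IDENTITY = {
    "type": "AssumedRole",
    "arn": _SESSION_ARN,
    "sessionContext": {"sessionIssuer": {"userName": "lambda-exec-role"}},
}
SAMPLE_LOOKUP_OUTPUT = {
    "Events": [
        {
            "EventName": "GetQueueAttributes",
            "CloudTrailEvent": json.dumps({
                "eventSource": "sqs.amazonaws.com",
                "eventName": "GetQueueAttributes",
                "errorCode": "AccessDenied",
                "errorMessage": (
                    f"User: {_SESSION_ARN} is not authorized to perform: "
                    "sqs:getqueueattributes on resource: "
                    "arn:aws:sqs:us-east-1:123456789012:example-queue"
                ),
                "userIdentity": _LAMBDA_IDENTITY,
            }),
        },
        {
            "EventName": "Decrypt",
            "CloudTrailEvent": json.dumps({
                "eventSource": "kms.amazonaws.com",
                "eventName": "Decrypt",
                "errorCode": "AccessDenied",
                "errorMessage": (
                    f"User: {_SESSION_ARN} is not authorized to perform: "
                    "kms:Decrypt on resource: "
                    "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
                ),
                "userIdentity": _LAMBDA_IDENTITY,
            }),
        },
        {
            # A successful call by a different role: no errorCode, so it is skipped.
            "EventName": "SetQueueAttributes",
            "CloudTrailEvent": json.dumps({
                "eventSource": "sqs.amazonaws.com",
                "eventName": "SetQueueAttributes",
                "userIdentity": {
                    "type": "AssumedRole",
                    "sessionContext": {"sessionIssuer": {"userName": "deploy-role"}},
                },
            }),
        },
    ]
}

# Standard IAM authorization failure message format.
_DENIED_RE = re.compile(r"not authorized to perform: (?P<action>\S+) on resource: (?P<resource>\S+)")


def _issuing_role(record):
    """Name of the IAM role behind an AssumedRole session, or None for other identity types."""
    identity = record.get("userIdentity", {})
    if identity.get("type") != "AssumedRole":
        return None
    return identity.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")


def access_denied_calls(lookup_output, role_name=None):
    """Return failed calls (errorCode containing 'AccessDenied') as a list of dicts.

    If role_name is given, only sessions issued by that role are kept. The denied
    action and resource are parsed from the IAM error message and are None when
    a service reports the failure in a different format.
    """
    findings = []
    for entry in lookup_output.get("Events", []):
        record = json.loads(entry["CloudTrailEvent"])
        if "AccessDenied" not in record.get("errorCode", ""):
            continue
        role = _issuing_role(record)
        if role_name is not None and role != role_name:
            continue
        match = _DENIED_RE.search(record.get("errorMessage", ""))
        findings.append({
            "service": record.get("eventSource"),
            "api": record.get("eventName"),
            "role": role,
            "denied_action": match.group("action") if match else None,
            "denied_resource": match.group("resource") if match else None,
        })
    return findings


def missing_actions(findings):
    """Distinct denied actions, lower-cased so IAM's case-insensitive names collapse."""
    return sorted({f["denied_action"].lower() for f in findings if f["denied_action"]})


if __name__ == "__main__":
    for finding in access_denied_calls(SAMPLE_LOOKUP_OUTPUT, "lambda-exec-role"):
        print(finding)
    print("add to the role:", missing_actions(access_denied_calls(SAMPLE_LOOKUP_OUTPUT)))
```

In practice you would feed it `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventSource,AttributeValue=sqs.amazonaws.com` (and the same for kms.amazonaws.com if the queue is encrypted) loaded with json.load, and pass the execution role's name so noise from other principals drops out. The list returned by missing_actions is exactly the set of statements to add to the role, rather than reaching for AdministratorAccess.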