jeremydaly/serverless-cloudside-plugin

AccessDenied: Access to the resource https://sqs.eu-west-1.amazonaws.com/ is denied.

Closed this issue · 3 comments

mapsi commented

Help me Jeremy Jeremy, you're my only hope. 🤓

Thank you for building this plugin for us.

I've been trying to get a Lambda to 'sqs:SendMessage'.
So I have deployed the stack successfully and I run sls offline cloudside --stage=prod --aws-profile=prod.

When I post to the handler to send the message to the queue, I've debugged and I can see the url fine in the form of "https://sqs.eu-west-1.amazonaws.com/0000000000000/sls-prod-myQueue".

But when I run await sqs.sendMessage(params).promise(); in my handler, I get this...

{
  "message": "Access to the resource https://sqs.eu-west-1.amazonaws.com/ is denied.",
  "code": "AccessDenied",
  "time": "2019-07-17T16:44:08.059Z",
  "requestId": "c9f0405b-1901-57f2-a692-15f24b967222",
  "statusCode": 403,
  "retryable": false,
  "retryDelay": 22.371497804991503
}

The iamRoleStatements is correct as the Lambda runs fine when deployed.

Before I started using the cloudside plugin, I used to have everything set up locally, which is really "not elegant". I'd love to use this plugin, but I dread I'm doing something really wrong... 😕

Thank you so much in advance!

mapsi commented

I also checked my sls deploy role and it has full access to SQS actions and all resources - I was hoping that it wouldn't.

Hi @mapsi,

Glad you're finding the plugin useful. This sounds like the profile you're using locally doesn't have access to SQS. I'm assuming this is what you mean by your "deploy" role?

- Jeremy

mapsi commented

@jeremydaly you're absolutely right.

I started a clean example and indeed sls invoke cloudside and sls offline cloudside work a treat.

I need to brush up on my IAM skills, it seems.

Looking forward to the SAGA pattern blog post. 🥳

Angel
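
The diagnosis in this thread, as an added offline example (not code from the plugin or its author): the same sqs:SendMessage call is evaluated against the deployed function's role and against the local profile, which per Jeremy's reply is the identity whose SQS access matters when running locally. The policies, the 12-digit account id and the function names are constructed assumptions, and the evaluation is deliberately simplified.

```javascript
// Added example: simplified IAM identity-policy evaluation (assumption: no Condition,
// NotAction/NotResource, resource policies, permission boundaries or SCPs).
const toList = (v) => (Array.isArray(v) ? v : [v]);

// IAM wildcards: * matches any run of characters, ? exactly one.
function wildcardMatch(pattern, value, ignoreCase = false) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  const source = '^' + escaped.replace(/\*/g, '.*').replace(/\?/g, '.') + '$';
  return new RegExp(source, ignoreCase ? 'i' : '').test(value);
}

// Explicit Deny wins, then any matching Allow, otherwise implicit deny.
function evaluate(statements, action, resource) {
  let allowed = false;
  for (const s of statements) {
    const hit =
      toList(s.Action).some((a) => wildcardMatch(a, action, true)) && // actions ignore case
      toList(s.Resource).some((r) => wildcardMatch(r, resource));
    if (!hit) continue;
    if (s.Effect === 'Deny') return 'explicitDeny';
    if (s.Effect === 'Allow') allowed = true;
  }
  return allowed ? 'allowed' : 'implicitDeny';
}

// Constructed sample data (placeholder account id, hypothetical policies).
const QUEUE_ARN = 'arn:aws:sqs:eu-west-1:000000000000:sls-prod-myQueue';
const lambdaRole = [ // what iamRoleStatements grants the deployed function
  { Effect: 'Allow', Action: ['sqs:SendMessage'], Resource: QUEUE_ARN },
];
const localProfile = [ // what the --aws-profile identity holds
  { Effect: 'Allow', Action: ['cloudformation:*', 's3:*', 'lambda:*'], Resource: '*' },
];

// Same call, two principals: the deployed role vs. the local profile.
function compareSendMessage() {
  return {
    deployed: evaluate(lambdaRole, 'sqs:SendMessage', QUEUE_ARN),
    local: evaluate(localProfile, 'sqs:SendMessage', QUEUE_ARN),
  };
}

console.log(compareSendMessage());
```

An implicit deny for the local identity surfaces as the 403 AccessDenied shown in the issue, even though the deployed function's role is allowed.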