Accessing a Cross-Account Amazon SQS Queue Using AWS Lambda

This post will show you how Lambda functions can consume messages from an SQS queue in a different AWS account.
Use Case
We have an application running in a few environments such as DEV, UAT, and PROD. This application has an Amazon SQS queue for publishing order information of customers. Let’s say our DEV application wants to consume some messages from the UAT SQS queue for troubleshooting an issue with order information.
Prerequisites
- Two AWS accounts (DEV and UAT in this walkthrough)
- The AWS CLI installed on your computer
- The AWS CLI configured with your credentials
Steps
- Create a Lambda execution role in the DEV account
- Create a Lambda function in the DEV account
- Create an SQS queue in the UAT account
- Add an event source mapping to the Lambda function
- Test the setup
Create a Lambda Execution Role in the DEV Account
First of all, we need to create an IAM role that allows our Lambda function to read messages from SQS. The following command creates a role with AWS Lambda as a trusted entity.
aws iam create-role --role-name cross-account-lambda-sqs-role --assume-role-policy-document file://trust-policy.json
trust-policy.json
Next, we need to assign permissions to the Lambda execution role we just created. We can attach the AWSLambdaSQSQueueExecutionRole managed policy, which provides the permissions required for reading messages from SQS.
aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaSQSQueueExecutionRole --role-name cross-account-lambda-sqs-role
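The trust-policy.json referenced above is not reproduced on this page, and the managed policy grants its SQS actions on every queue. The following is an added example (not the author's code) that builds the standard Lambda trust policy, a least-privilege permissions policy scoped to one queue ARN as an alternative to the managed policy, and a small check that flags wildcard resources before a policy is attached; the queue ARN and account id are constructed placeholders.

```python
import json
import re

# Constructed placeholder for the UAT queue the DEV Lambda will read from.
UAT_QUEUE_ARN = "arn:aws:sqs:us-east-1:111111111111:uat-orders-queue"

# Matches a single SQS queue ARN: partition, region, 12-digit account, queue name.
_SQS_ARN_RE = re.compile(r"^arn:aws[a-z-]*:sqs:[a-z0-9-]+:\d{12}:[A-Za-z0-9_.-]+$")


def lambda_trust_policy() -> dict:
    """Standard trust policy that lets the Lambda service assume the role.
    This is what trust-policy.json must contain for `aws iam create-role`."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def scoped_sqs_consumer_policy(queue_arn: str) -> dict:
    """Least-privilege alternative to AWSLambdaSQSQueueExecutionRole: the SQS
    actions an event source mapping needs, limited to one queue instead of "*".
    Rejects anything that is not a single, concrete queue ARN."""
    if not _SQS_ARN_RE.match(queue_arn):
        raise ValueError(f"not a single SQS queue ARN: {queue_arn!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage",
                       "sqs:GetQueueAttributes"],
            "Resource": queue_arn,
        }],
    }


def wildcard_resources(policy: dict) -> list:
    """Return every Resource entry containing a wildcard, so a reviewer can spot
    grants broader than one queue before attaching the policy to the role."""
    found = []
    for stmt in policy.get("Statement", []):
        res = stmt.get("Resource", [])
        for r in ([res] if isinstance(res, str) else res):
            if "*" in r:
                found.append(r)
    return found


if __name__ == "__main__":
    with open("trust-policy.json", "w") as fh:      # file used by create-role
        json.dump(lambda_trust_policy(), fh, indent=2)
    print(json.dumps(scoped_sqs_consumer_policy(UAT_QUEUE_ARN), indent=2))
```

Whichever permissions policy you attach, cross-account reads also depend on the queue policy in the UAT account granting the same actions to this role's ARN.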