Queue: AccessDenied to resource https://sqs.us-east-1.amazonaws.com #236

Closed
raiseandfall opened this issue Jun 28, 2022 · 1 comment
Labels: bug (Something isn't working)

Comments

raiseandfall commented Jun 28, 2022

Description

After deploying, sending a message always throws an access denied error (error: AccessDenied: Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied):

Full error:

{
  value: {
    error: AccessDenied: Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied.
        at Request.extractError (/opt/nodejs/node_modules/aws-sdk/lib/protocol/query.js:50:29)
        at Request.callListeners (/opt/nodejs/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
        at Request.emit (/opt/nodejs/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
        at Request.emit (/opt/nodejs/node_modules/aws-sdk/lib/request.js:686:14)
        at Request.transition (/opt/nodejs/node_modules/aws-sdk/lib/request.js:22:10)
        at AcceptorStateMachine.runTo (/opt/nodejs/node_modules/aws-sdk/lib/state_machine.js:14:12)
        at /opt/nodejs/node_modules/aws-sdk/lib/state_machine.js:26:10
        at Request.<anonymous> (/opt/nodejs/node_modules/aws-sdk/lib/request.js:38:9)
        at Request.<anonymous> (/opt/nodejs/node_modules/aws-sdk/lib/request.js:688:12)
        at Request.callListeners (/opt/nodejs/node_modules/aws-sdk/lib/sequential_executor.js:116:18)
    {
      code: 'AccessDenied',
      time: 2022-06-28T16:37:44.889Z,
      requestId: '09a7e81d-722b-56b8-8601-b32842b3e67a',
      statusCode: 403,
      retryable: false,
      retryDelay: 91.4007833446157
    }
  }
}

How to Reproduce

serverless.yml

functions:
  - ${file(./src/handlers/handlers.yml)}
 
constructs:
  queueTest:
    type: queue
    fifo: true
    worker:
      handler: ./src/handlers/processQueueHandler.processQueueHandler

handlers.yml

publisherHandler:
  handler: src/handlers/handlers/publisherHandler.publisherHandler
  iamRoleStatements:
    - Effect: 'Allow'
      Action:
        - 'lambda:InvokeFunction'
        - 'lambda:InvokeAsync'
      Resource: 'arn:aws:lambda:us-east-1:xxxxxxxxxxxxx:function:some-function'
  environment:
    # references the queue construct declared in serverless.yml
    QUEUE_URL: ${construct:queueTest.queueUrl}
  events:
    - httpApi:
        path: /api/publishToQueue
        method: post

Please note that publisherHandler also invokes another lambda, hence the IAM role statement there.

publisherHandler.ts

import { SQS } from 'aws-sdk';

const sqs = new SQS({
    apiVersion: 'latest',
    region: process.env.AWS_REGION
});

// HTTP API handler: publishes one message to the queue created by the construct.
export const publisherHandler = async () => {
  await sqs.sendMessage({
    QueueUrl: process.env.QUEUE_URL as string,
    // The queue is declared with `fifo: true`: FIFO queues require a MessageGroupId
    // (and a MessageDeduplicationId unless content-based deduplication is enabled).
    MessageGroupId: 'default',
    MessageBody: JSON.stringify({
      key: 'value'
    })
  }).promise();
};

Additional Information

  • Serverless 3.17.0
  • Serverless-lift 1.19.0
  • QueueUrl has the right value in the publisher handler
  • I did not set any specific IAM permissions since the doc didn't say so
  • when looking at my publisher lambda Permissions, only the one I specifically set shows up. There is no SQS permission.

There is obviously a permission issue, but I can't figure out what.

raiseandfall commented Jun 28, 2022

I ended up setting the IAM Role Statement directly on the publish handler definition:

publisherHandler:
  handler: src/handlers/handlers/publisherHandler.publisherHandler
  iamRoleStatements:
    - Effect: 'Allow'
      Action:
        - 'sqs:SendMessage'
      # IAM only accepts an ARN (or '*') as Resource, not the queue URL
      Resource: ${construct:queueTest.queueArn}

First I thought that my existing IAM Role Statement on the publish handler was overwriting the SQS one, but even when commenting out the whole iamRoleStatements block I'm still getting the AccessDenied issue.
It's working now, but it would be interesting to figure out why the permissions are not set automatically, as specified in the doc.
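A likely diagnosis the thread stops short of, and a way to check it offline. A function-level `iamRoleStatements` key is the configuration of the serverless-iam-roles-per-function plugin, which gives each function its own execution role; permissions that Lift attaches to the provider's shared role do not reach such a role, which fits the observation above that only the hand-written statements show up on the publisher function. The TypeScript below is an added example, not code from Lift or from the issue author: it evaluates IAM identity-policy statements (explicit Deny over Allow over implicit deny, with IAM's `*` and `?` wildcards) against `sqs:SendMessage` on a queue ARN, and flags Resource values that are not ARNs, since IAM rejects a queue URL there. The ARNs, URL and account ID are constructed sample values, and `evaluate`, `findMalformedResources` and `canSendToQueue` are names chosen for this example.

```typescript
// Added example (not Lift's or the issue author's code): a small evaluator
// for IAM identity-policy statements, used to check offline whether a
// function's execution role allows sqs:SendMessage on a queue ARN.
// All ARNs, URLs and account IDs below are constructed sample values.

type Effect = "Allow" | "Deny";

interface Statement {
  Effect: Effect;
  Action: string | string[];
  Resource: string | string[];
}

type Decision = "allow" | "implicit-deny" | "explicit-deny";

function asList(v: string | string[]): string[] {
  return Array.isArray(v) ? v : [v];
}

// IAM wildcard semantics: '*' matches any run of characters, '?' exactly one.
// Action names are matched case-insensitively, resources case-sensitively.
function wildcardToRegExp(pattern: string, ignoreCase: boolean): RegExp {
  let out = "";
  for (const ch of pattern) {
    if (ch === "*") out += ".*";
    else if (ch === "?") out += ".";
    else out += ch.replace(/[.+^${}()|[\]\\]/, "\\$&");
  }
  return new RegExp("^" + out + "$", ignoreCase ? "i" : "");
}

// IAM accepts a Resource only as an ARN (arn:partition:service:region:account:resource)
// or "*". A queue URL, which is what ${construct:x.queueUrl} resolves to, is neither.
function isArnOrStar(resource: string): boolean {
  return resource === "*" || /^arn:[^:]+:[^:]+:[^:]*:[^:]*:.+$/.test(resource);
}

// Lists every Resource value that IAM would reject as malformed.
function findMalformedResources(statements: Statement[]): string[] {
  const bad: string[] = [];
  for (const s of statements) {
    for (const r of asList(s.Resource)) {
      if (!isArnOrStar(r)) bad.push(r);
    }
  }
  return bad;
}

function statementMatches(s: Statement, action: string, resource: string): boolean {
  const actionHit = asList(s.Action).some((a) => wildcardToRegExp(a, true).test(action));
  const resourceHit = asList(s.Resource).some((r) => wildcardToRegExp(r, false).test(resource));
  return actionHit && resourceHit;
}

// Identity-policy evaluation order: an explicit Deny wins, then any Allow,
// otherwise the request is implicitly denied (the 403 seen in the issue).
function evaluate(statements: Statement[], action: string, resource: string): Decision {
  const hits = statements.filter((s) => statementMatches(s, action, resource));
  if (hits.some((s) => s.Effect === "Deny")) return "explicit-deny";
  if (hits.some((s) => s.Effect === "Allow")) return "allow";
  return "implicit-deny";
}

// Constructed sample values (assumed, not from a real account).
const QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:queueTest.fifo";
const QUEUE_URL = "https://sqs.us-east-1.amazonaws.com/123456789012/queueTest.fifo";

// What the function role in the issue contained: Lambda invoke rights only.
const originalPolicy: Statement[] = [
  {
    Effect: "Allow",
    Action: ["lambda:InvokeFunction", "lambda:InvokeAsync"],
    Resource: "arn:aws:lambda:us-east-1:123456789012:function:some-function",
  },
];

// The fix, with the queue ARN (what ${construct:queueTest.queueArn} resolves to).
const fixedPolicy: Statement[] = [
  ...originalPolicy,
  { Effect: "Allow", Action: "sqs:SendMessage", Resource: QUEUE_ARN },
];

// The same statement written with the queue URL as Resource: IAM rejects it.
const urlResourcePolicy: Statement[] = [
  { Effect: "Allow", Action: "sqs:SendMessage", Resource: QUEUE_URL },
];

function canSendToQueue(statements: Statement[]): Decision {
  return evaluate(statements, "sqs:SendMessage", QUEUE_ARN);
}

console.log("original policy:", canSendToQueue(originalPolicy)); // implicit-deny
console.log("fixed policy:", canSendToQueue(fixedPolicy)); // allow
console.log("malformed resources:", findMalformedResources(urlResourcePolicy)); // one entry, the queue URL
```

Run the same check against the role that actually ends up on the function (the per-function one when that plugin is in use, rather than the provider's shared role), and keep the SQS Resource an ARN; Lift exposes it as `${construct:queueTest.queueArn}`.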
