SQS - get InvalidClientTokenId (client): The security token included in the request is invalid

[PaulMcITS]

HI all,

Hope you can help, been tearing my hair out for many an hour trying to get SQS working to process laravel queues in lambda.

Running on laravel 9, latest versions of bref, bref/laravel-bridge and bref/extra-php-extensions

I've set my serverless.yml up pretty much as per bref instructions

provider:
    name: aws
    # The AWS region in which to deploy (us-east-1 is the default)
    region: eu-west-2
    # The stage of the application, e.g. dev, production, staging… ('dev' is the default)
    stage: demo
    runtime: provided.al2
    environment:
        SQS_QUEUE: ${construct:jobs.queueUrl}

...

constructs:
    jobs:
        type: queue
        worker:
            handler: Bref\LaravelBridge\Queue\QueueHandler
            timeout: 60 # seconds
            layers:
                - ${bref:layer.php-81} # PHP
                - ${bref-extra:redis-php-81}
            vpc:
                securityGroupIds:
                    - sg-0863ce082fab0a474
                subnetIds:
                    - subnet-04b6c6a34ddb270fd


plugins:
    - ./vendor/bref/bref
    - ./vendor/bref/extra-php-extensions
    - serverless-lift

I've added the redis layer ,as the jobs will need to write to elasticache, and the subnets, as the jobs will need to read/write to a database.

Connecting to the queue locally, I can dispatch jobs fine. However, when lambda attempts to dispatch a job, I'm seeing errors of

InvalidClientTokenId (client): The security token included in the request is invalid
In the cloudwatch logs. I've even gone as far as to hardcode the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY into queues.php in case of some environment issue.

Hope someone can help.

Cheers,

Paul

[PaulMcITS]

Also tried changing the config to be more in line with the example in https://github.com/brefphp/laravel-bridge/blob/master/examples/getting-started/serverless.yml and still get the same error message ( I had to hard code into config/queue.php again to get that far)

[mnapoli]

Hi, to clarify you should not set AWS access keys in Lambda, those are already set for you. "The security token included in the request is invalid" that tells me that the credentials are invalid, so it's consistent with the theory that you uploaded credentials?

Try again without uploading AWS access keys (e.g. in .env)?

[PaulMcITS]

Hi,

Thanks very much for your response. Without those credentials I get the error 'SignatureDoesNotMatch (client): Credential should be scoped to a valid region.' (We are in eu-west-2, if I try to set the AWS_DEFAULT_REGION in the environment I get an error as it's a reserved key.)

Very grateful for any ideas on how to fix this.

[PaulMcITS]

I figured out I needed to set the SQS_PREFIX in the environment section of the provider.
Might be worth adding something to the documentation about this. Thanks for the response as it set me on the right track!

[mnapoli]

Great! Happy to know it's working!

Feel free to send a pull request to the docs!