Massimo Ugues

Reputation: 4463

Is it possible to call a lambda in a different account from the CloudFormation one?

I have a lambda on one account with this policy attached:

{
  "Sid": "Id-123",
  "Effect": "Allow",
  "Principal": { "AWS": "arn:aws:iam::115333656057:root"},
  "Action": "lambda:InvokeFunction",
  "Resource": "arn:aws:lambda:eu-central-1:260143830488:function:CentralInstanceScheduler-InstanceSchedulerMain"
}

When I create a stack from account 115333656057 with my user that tries to execute the lambda, I get this error:

  User: arn:aws:iam::115333656057:user/uguesm is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:eu-central-1:260143830488:function:CentralizedInstanceScheduler-InstanceSchedulerMain

What am I doing wrong?

Upvotes: 8

Views: 21725

Answers (2)

Trenton

Reputation: 11996

You can do it with a Lambda resource-based policy. This is a policy that exists directly on the Lambda. Doing it with a resource-based policy avoids needing to create additional roles and use STS::AssumeRole.

In CDK, it looks like this:

from aws_cdk import aws_lambda as lambda_

# `scope` is the enclosing construct and `handler` the lambda_.Function being shared.
account = 123456789012
lambda_.CfnPermission(
    scope,
    f"XAccountInvocation{account}",
    action="lambda:InvokeFunction",
    function_name=handler.function_name,
    # ":root" delegates to the whole account; callers there still need an
    # identity-based policy that allows lambda:InvokeFunction on this function.
    principal=f"arn:aws:iam::{account}:root",
)

Upvotes: 3

Sudharsan Sivasankaran

Reputation: 5897

In Account 260143830488 - Edit your Role to add the policy to InvokeFunction and a trust policy for another account.

Permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:eu-central-1:260143830488:function:CentralInstanceScheduler-InstanceSchedulerMain"
    }
  ]
}

Trust Relationship Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Id-123",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::115333656057:role/<lambda-role>" },
      "Action": "sts:AssumeRole"
    }
  ]
}

In Account 115333656057 - Create a lambda execution role to AssumeRole

Permissions:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::260143830488:role/<RoleName>"
  }
}

Trust Relationship policy:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {"Service": "lambda.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }
}

Upvotes: 11
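The following is an added Python model of how IAM decides the two setups described in the answers above; it is constructed for this page and is not code from the question or from either answer. It covers Trenton's mechanism (a resource-based policy on the function, where a caller from another account needs both its own identity-based permission and the function policy's grant) and Sudharsan's mechanism (the AssumeRole chain, where the caller's sts:AssumeRole permission, the target role's trust policy and the target role's own permissions must all line up). Account IDs, the user ARN and the function ARNs come from the question; the role names, the caller's identity-based policy and the matching rules are assumptions, and conditions, NotAction, principals other than AWS ARNs or "*", and SCPs are not modelled. One thing the sample data makes visible: the Resource in the question's policy names CentralInstanceScheduler-InstanceSchedulerMain while the denied ARN in the error names CentralizedInstanceScheduler-InstanceSchedulerMain, and a grant on one name allows nothing on the other.

```python
"""Simplified model of how IAM decides a cross-account lambda:InvokeFunction call.

Constructed example for the two mechanisms discussed on this page. Not modelled:
conditions, NotAction/NotResource, non-AWS principals, service control policies.
"""
from fnmatch import fnmatch


def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])


def _statements(policy):
    # A document may carry a list of statements, a single statement dict,
    # or be a bare statement (as the policy in the question is shown).
    stmts = policy.get("Statement", policy)
    return [stmts] if isinstance(stmts, dict) else stmts


def _account(arn):
    return arn.split(":")[4]


def _principal_matches(stmt, caller_arn):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return True
    acct = _account(caller_arn)
    for p in _as_list(principal.get("AWS")):
        # ":root" or a bare account id delegates to the whole account;
        # an exact user/role ARN names one principal only.
        if p in ("*", caller_arn, acct, f"arn:aws:iam::{acct}:root"):
            return True
    return False


def _decision(policy, action, resource, caller_arn=None):
    """Return 'Deny', 'Allow' or 'Implicit' for one policy document."""
    result = "Implicit"
    for stmt in _statements(policy):
        if caller_arn is not None and not _principal_matches(stmt, caller_arn):
            continue
        if not any(fnmatch(action, a) for a in _as_list(stmt.get("Action"))):
            continue
        # Trust policies carry no Resource: the role itself is the resource.
        if not any(fnmatch(resource, r) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        result = "Allow"
    return result


def can_invoke_directly(caller_arn, identity_policy, function_arn, resource_policy):
    """Mechanism 1 (Trenton): resource-based policy on the function.

    A caller in another account is allowed only when its identity-based policy
    AND the function's resource-based policy both allow; a Deny in either wins.
    """
    if _account(caller_arn) == _account(function_arn):
        raise ValueError("this model covers cross-account callers only")
    identity = _decision(identity_policy, "lambda:InvokeFunction", function_arn)
    resource = _decision(resource_policy, "lambda:InvokeFunction", function_arn, caller_arn)
    return identity == "Allow" and resource == "Allow"


def can_invoke_via_assumed_role(caller_arn, caller_policy, role_arn, trust_policy,
                                role_policy, function_arn):
    """Mechanism 2 (Sudharsan): assume a role that lives beside the function.

    1. the caller's identity-based policy allows sts:AssumeRole on the role;
    2. the role's trust policy names the caller;
    3. the role's own permissions allow the invoke (same account as the function,
       so no resource-based policy on the function is needed).
    """
    if _decision(caller_policy, "sts:AssumeRole", role_arn) != "Allow":
        return False
    if _decision(trust_policy, "sts:AssumeRole", role_arn, caller_arn) != "Allow":
        return False
    return _decision(role_policy, "lambda:InvokeFunction", function_arn) == "Allow"


# Sample data: account ids, user ARN and function ARNs are taken from the question;
# role names and the caller's identity-based policy are constructed.
CALLER, OWNER = "115333656057", "260143830488"
USER_ARN = f"arn:aws:iam::{CALLER}:user/uguesm"
POLICY_FN = f"arn:aws:lambda:eu-central-1:{OWNER}:function:CentralInstanceScheduler-InstanceSchedulerMain"
DENIED_FN = f"arn:aws:lambda:eu-central-1:{OWNER}:function:CentralizedInstanceScheduler-InstanceSchedulerMain"
RESOURCE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Id-123", "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{CALLER}:root"},
    "Action": "lambda:InvokeFunction", "Resource": POLICY_FN}]}
USER_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "lambda:InvokeFunction",
    "Resource": f"arn:aws:lambda:eu-central-1:{OWNER}:function:*"}]}
LAMBDA_ROLE = f"arn:aws:iam::{CALLER}:role/SchedulerCaller"  # stands in for <lambda-role>
TARGET_ROLE = f"arn:aws:iam::{OWNER}:role/SchedulerInvoker"  # stands in for <RoleName>
LAMBDA_ROLE_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": TARGET_ROLE}}
TARGET_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": LAMBDA_ROLE}, "Action": "sts:AssumeRole"}]}
TARGET_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": POLICY_FN}]}

if __name__ == "__main__":
    print("user, policy function name:  ", can_invoke_directly(USER_ARN, USER_POLICY, POLICY_FN, RESOURCE_POLICY))
    print("user, function name in error:", can_invoke_directly(USER_ARN, USER_POLICY, DENIED_FN, RESOURCE_POLICY))
    print("role chain, trusted role:    ", can_invoke_via_assumed_role(
        LAMBDA_ROLE, LAMBDA_ROLE_POLICY, TARGET_ROLE, TARGET_TRUST, TARGET_ROLE_POLICY, POLICY_FN))
```

Running it shows the first call allowed, the second (the function name from the error message) refused because the resource-based policy grants nothing on that ARN, and the role chain allowed; passing an empty identity-based policy for the user, or a principal the trust policy does not name, also yields a refusal, which is the check to run against a real setup before touching the resource policy again.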
