Reputation: 31
This is how I am granting an external AWS account invoke permissions on my lambda.
myLambda.grantInvoke(new iam.AccountPrincipal('account_id_b'));
Ran cdk deploy
The resource-based policy has the following JSON, as seen in the console:
{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "generated_Sid",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::account_id_b:root"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "my_lambda_arn"
    }
  ]
}
I followed steps here https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-cross-account-lambda-integrations.html to create API gateway that can call this lambda from account_id_b account.
Testing the API Gateway from the account_id_b account results in the following logs:
Fri Mar 06 03:00:07 UTC 2020 : Execution failed due to configuration error: Invalid permissions on Lambda function
Fri Mar 06 03:00:07 UTC 2020 : Method completed with status: 500
What additionally do I need to do to set this up properly?
Upvotes: 3
Views: 3534
Reputation: 238727
The policy should have the following form:
{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "what-ever-sid",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "my_lambda_arn",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "api_gateway_arn"
        }
      }
    }
  ]
}
Basically, here you give the API Gateway service permission to call your function. The API can be in a different account than your function.
For testing and simplicity you can get rid of the Condition.
Hope this helps.
Upvotes: 0
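The following is an added example, not code from the question or the answer. It models offline, in plain TypeScript with no CDK or AWS dependency, how a Lambda resource-based policy matches an invocation arriving from API Gateway, so you can see why the question's AccountPrincipal policy is rejected and the answer's service-principal policy is accepted. It also shows the caveat behind "get rid of Condition": without the aws:SourceArn condition, any API Gateway API in any AWS account can invoke the function, so the condition should be restored once testing is done. The evaluator is a simplification of real IAM evaluation (only service-principal callers, Allow/Deny, and the ArnLike operator are handled), and all ARNs, account IDs, Sids and function names are constructed placeholders.

```typescript
// Added example: offline model of Lambda function-policy matching for an
// API Gateway invocation. No AWS calls; every identifier below is constructed.

interface Statement {
  Sid: string;
  Effect: "Allow" | "Deny";
  Principal: { AWS?: string; Service?: string };
  Action: string;
  Resource: string;
  Condition?: { ArnLike?: { [conditionKey: string]: string } };
}

interface Policy {
  Version: string;
  Id: string;
  Statement: Statement[];
}

// What the function policy sees when API Gateway runs a Lambda integration:
// the caller is the apigateway.amazonaws.com service principal, and the request
// carries the execute-api ARN of the invoking method as aws:SourceArn.
interface ApiGatewayInvoke {
  service: string;
  action: string;
  resource: string;
  sourceArn: string;
}

function apiGatewayInvoke(functionArn: string, sourceArn: string): ApiGatewayInvoke {
  return { service: "apigateway.amazonaws.com", action: "lambda:InvokeFunction", resource: functionArn, sourceArn: sourceArn };
}

// IAM ArnLike matching: "*" matches any run of characters, "?" exactly one.
function arnLike(pattern: string, arn: string): boolean {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$").test(arn);
}

function conditionHolds(st: Statement, req: ApiGatewayInvoke): boolean {
  if (!st.Condition) return true; // no Condition: any API Gateway API in any account matches
  const block: { [conditionKey: string]: string } = st.Condition.ArnLike || {};
  for (const key of Object.keys(block)) {
    // Condition key names are case-insensitive, so "AWS:SourceArn" (as the
    // console writes it) and "aws:SourceArn" are the same key.
    if (key.toLowerCase() === "aws:sourcearn") {
      if (!arnLike(block[key], req.sourceArn)) return false;
    } else {
      return false; // key this model does not understand: treat as not satisfied
    }
  }
  return true;
}

// A matching Deny wins over any Allow; with no matching Allow the invoke is
// rejected, which API Gateway logs as "Invalid permissions on Lambda function".
function isInvokeAllowed(policy: Policy, req: ApiGatewayInvoke): boolean {
  let allowed = false;
  for (const st of policy.Statement) {
    if (st.Action !== req.action && st.Action !== "lambda:*" && st.Action !== "*") continue;
    if (!arnLike(st.Resource, req.resource)) continue;
    // {"AWS": "arn:aws:iam::<id>:root"} covers IAM identities of that account;
    // a service principal only matches a "Service" entry. This is the check the
    // question's AccountPrincipal policy never gets past.
    if (st.Principal.Service !== req.service) continue;
    if (!conditionHolds(st, req)) continue;
    if (st.Effect === "Deny") return false;
    allowed = true;
  }
  return allowed;
}

// The policy shape that grantInvoke(new iam.AccountPrincipal(...)) produced in the question.
function accountPrincipalPolicy(functionArn: string, accountId: string): Policy {
  return {
    Version: "2012-10-17",
    Id: "default",
    Statement: [{
      Sid: "generated_Sid",
      Effect: "Allow",
      Principal: { AWS: "arn:aws:iam::" + accountId + ":root" },
      Action: "lambda:InvokeFunction",
      Resource: functionArn,
    }],
  };
}

// The policy shape from the answer; leaving apiArnPattern undefined reproduces
// the "get rid of Condition" variant.
function apiGatewayInvokePolicy(functionArn: string, apiArnPattern?: string): Policy {
  const st: Statement = {
    Sid: "AllowApiGatewayInvoke",
    Effect: "Allow",
    Principal: { Service: "apigateway.amazonaws.com" },
    Action: "lambda:InvokeFunction",
    Resource: functionArn,
  };
  if (apiArnPattern !== undefined) st.Condition = { ArnLike: { "AWS:SourceArn": apiArnPattern } };
  return { Version: "2012-10-17", Id: "default", Statement: [st] };
}

// Constructed identifiers: function in account A, API in account B, unrelated API in account C.
const FUNCTION_ARN = "arn:aws:lambda:us-east-1:111111111111:function:myLambda";
const API_B_PATTERN = "arn:aws:execute-api:us-east-1:222222222222:abcde12345/*/*/*";
const API_B_CALL = "arn:aws:execute-api:us-east-1:222222222222:abcde12345/prod/GET/items";
const OTHER_API_CALL = "arn:aws:execute-api:us-east-1:333333333333:zzzzz99999/prod/GET/items";

console.log("AccountPrincipal policy, API in account B:",
  isInvokeAllowed(accountPrincipalPolicy(FUNCTION_ARN, "222222222222"), apiGatewayInvoke(FUNCTION_ARN, API_B_CALL)));
console.log("Service principal + SourceArn, API in account B:",
  isInvokeAllowed(apiGatewayInvokePolicy(FUNCTION_ARN, API_B_PATTERN), apiGatewayInvoke(FUNCTION_ARN, API_B_CALL)));
console.log("Service principal + SourceArn, unrelated API:",
  isInvokeAllowed(apiGatewayInvokePolicy(FUNCTION_ARN, API_B_PATTERN), apiGatewayInvoke(FUNCTION_ARN, OTHER_API_CALL)));
console.log("Service principal, no Condition, unrelated API:",
  isInvokeAllowed(apiGatewayInvokePolicy(FUNCTION_ARN), apiGatewayInvoke(FUNCTION_ARN, OTHER_API_CALL)));
```

In CDK the answer's policy is what `myLambda.addPermission(...)` emits when given `principal: new iam.ServicePrincipal('apigateway.amazonaws.com')` and a `sourceArn` set to the execute-api ARN pattern of the API in account_id_b; the SourceArn pattern in the example uses `/*/*/*` for stage, method and path, which you can narrow to the exact method if only one route should reach the function.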