Reputation: 195
How to invoke AWS Lambda function in account B (this Lambda in VPC) from Lambda in account A (Lambda in VPC)
What I did:
- I created a VPC Peering connection between these accounts
- Internet Gateways also attached to each VPC
- Route Tables also configured (to allow traffic from both sides)
Case 1:
I successfully tested invoking Lambda function (in VPC B) from another Lambda function (in VPC A) when these 2 VPCs are in same account.
However, when I created a similar VPC (as VPC B) in another account (account B) I got the following error:
"errorMessage": "An error occurred (AccessDeniedException) when calling the Invoke operation: User: arn:aws:sts::Account-A:assumed-role/role-for-vpc-peering-test/lambda1_in_vpc is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-east-1:Account-B:function:lambda-vpc
My trails:
I created a cross-account IAM Role for account A in account B with the following permissions:
Then I added an inline policy for the role which is using Lambda in account A:
Added policy to above role only:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::Account B:role/role-for-Account-A"
}
}
So my questions is should I do anything else to invoke Lambda in account B from Lambda in account A?
I think I am missing something in the cross-account role only (access denied error).
lambda- A code:
import json import boto3
client = boto3.client('lambda')
def lambda_handler(event, context): inputForInvoker = {'CustomerId': '123', 'Amount': 50 }
response = client.invoke(
FunctionName='arn:aws:lambda:us-east-1:AccountB-id:function:lambda-vpc-peering',
InvocationType='RequestResponse', # Event
Payload=json.dumps(inputForInvoker)
)
responseJson = json.load(response['Payload'])
print('\n')
print(responseJson)
print('\n')
Any suggestions?
Assume role- in Account b is : have following Policies : 1. AWSLambdaBasicExecutionRole 2.trust-policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::Account-id-A:role/role-for-vpc-peering-test"
},
"Action": "sts:AssumeRole"
}
]
}.
execution role - attached this inline policy :
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::Account-b-id:role/role-for-7691-4701-2358"
}
}
and updated my lambda function with below mention code also.
but still getting same error
now lambdas are not in vpc.
Upvotes: 2
Views: 3330
Answers (1)
Reputation: 238727
General steps required for assuming a role in Account A to do something in Account B (e.g. invoke lambda function in B) are listed in the following AWS blog:
The important thing to note is that the lambda function in Account A has to assume role in Account B. The assumable role must allow execution role of function A to invoke function in B.
I modified your code for lambda in Account A, based on the example from the above link.
The key elements to focus are:
- sts = boto3.client('sts')
- account_b = sts.assume_role(...)
- account_b_client = boto3.client(...)
Assuming that all your roles are correctly set, your code should look something like blow. Obviously you have to adjust it exactly to your needs, but it should give you general idea of what to do in your lambda in Account A.
import json
import boto3
client = boto3.client('lambda')
sts = boto3.client('sts')
def lambda_handler(event, context):
inputForInvoker = {'CustomerId': '123', 'Amount': 50 }
account_b = sts.assume_role(
RoleArn="<arn-of-assumbale-role-in-acccount-b>",
RoleSessionName="cross_acct_lambda"
)
ACCESS_KEY = account_b['Credentials']['AccessKeyId']
SECRET_KEY = account_b['Credentials']['SecretAccessKey']
SESSION_TOKEN = account_b['Credentials']['SessionToken']
# create service client using the assumed role credentials
# from account B
account_b_client = boto3.client(
'lambda',
aws_access_key_id=ACCESS_KEY,
aws_secret_access_key=SECRET_KEY,
aws_session_token=SESSION_TOKEN)
response = account_b_client.invoke(FunctionName='arn:aws:lambda:us-east-1:AccountB-id:function:lambda-vpc-peering', InvocationType='RequestResponse')
responseJson = json.load(response['Payload'])
print('\n') print(responseJson) print('\n')
p.s.
- I created a VPC Peering connection between these accounts
This is not needed. Invocation of function B from function A will go over internet anyway. So if you don't use the peering connection for anything other, that its not used for the lambdas.
Upvotes: 2
Related Questions
- Invoking a Lambda function from another Lambda Function Inside of a VPC
- AWS call Lambda inside VPC to another Lambda in another VPC
- AWS Lambda function via Function URL invoke only within VPC
- AWS Lambda function can't invoke another Lambda function in the same VPC
- Enable lambda to access resources in a cross account VPC
- Is there a way that invoke a AWS Lambda function between different VPC?
- How to call an aws java lambda function from another AWS Java Lambda function when both are in same account, same region
- Amazon S3 triggering another a Lambda function in another account
- Invoke aws lambda from aws lambda in same vpc
- aws lambda: invoke function via other lambda function