Reputation: 124
I have been given a task to consume messages from an SQS queue from an external company which returns me a bucket and key from which I am to copy a file. This external company has set up a role that I can assume that gives me access to the SQS queue and the S3 bucket, but I have a problem. How do I assume that external role for my Lambda trigger? Is this even possible?
Upvotes: 0
Views: 701
Reputation: 1461
You'll assume the role in your Lambda and then interact with the external AWS account using temporary credentials.
Example with Python.
import boto3

sts = boto3.client('sts')
# Assume the role the external company created for you (placeholders in capitals)
role = sts.assume_role(
    RoleArn="arn:aws:iam::EXTERNAL_COMPANY_ACCOUNT_ID:role/EXTERNAL_COMPANY_ROLE",
    ExternalId="EXTERNAL_ID_CONFIGURED",
    RoleSessionName="RoleSessionNameYouWant")
credentials = role['Credentials']

# Interact with resources from the external company account using the temporary credentials
external_session = boto3.Session(
    aws_access_key_id=credentials['AccessKeyId'],
    aws_secret_access_key=credentials['SecretAccessKey'],
    aws_session_token=credentials['SessionToken'])
s3 = external_session.client('s3')
sqs = external_session.client('sqs')
An external ID is optional but important when roles are given to third parties to avoid the confused deputy problem. Ask the third party to configure an external ID for your role if that wasn't done.
Upvotes: 2
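A fuller version of the flow the question describes, added here as an example and not code from the answer above: the function assumes the partner role with the external ID, caches the temporary credentials across warm invocations until they are close to expiry, polls the partner queue, validates the untrusted bucket/key in each message against an allowlist, reads the object with the partner role and writes it into your own bucket with the Lambda's execution role (the partner role normally has no rights in your account). Role ARN, external ID, queue URL and bucket names are assumed placeholders; the message body is assumed to be JSON with `bucket` and `key` fields.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumed placeholders: the partner supplies the first three, the last bucket is yours.
PARTNER_ROLE_ARN = "arn:aws:iam::EXTERNAL_COMPANY_ACCOUNT_ID:role/EXTERNAL_COMPANY_ROLE"
PARTNER_EXTERNAL_ID = "EXTERNAL_ID_CONFIGURED"
PARTNER_QUEUE_URL = "https://sqs.REGION.amazonaws.com/EXTERNAL_COMPANY_ACCOUNT_ID/QUEUE"
ALLOWED_SOURCE_BUCKETS = {"partner-drop-bucket"}   # constructed allowlist
DEST_BUCKET = "my-ingest-bucket"                    # constructed, in your own account

_cache = {"session": None, "expires": None}   # reused across warm Lambda invocations

def creds_still_valid(expires, now, margin=timedelta(minutes=5)):
    """True while cached STS credentials are more than `margin` away from expiry."""
    return expires is not None and now + margin < expires

def partner_session(sts, now=None):
    """Assume the partner role with the ExternalId; refresh only when the cache is stale."""
    import boto3  # imported here so the pure helpers can be unit-tested without boto3
    now = now or datetime.now(timezone.utc)
    if _cache["session"] is None or not creds_still_valid(_cache["expires"], now):
        c = sts.assume_role(RoleArn=PARTNER_ROLE_ARN, ExternalId=PARTNER_EXTERNAL_ID,
                            RoleSessionName="partner-sqs-consumer")["Credentials"]
        _cache["session"] = boto3.Session(aws_access_key_id=c["AccessKeyId"],
                                          aws_secret_access_key=c["SecretAccessKey"],
                                          aws_session_token=c["SessionToken"])
        _cache["expires"] = c["Expiration"]
    return _cache["session"]

def parse_message(body):
    """Extract (bucket, key) from a message body; assumes the partner sends JSON {"bucket","key"}.
    The body is untrusted input, so only accept the bucket(s) agreed with the partner."""
    msg = json.loads(body)
    bucket, key = msg["bucket"], msg["key"]
    if bucket not in ALLOWED_SOURCE_BUCKETS:
        raise ValueError(f"unexpected source bucket {bucket!r}")
    if not key or key.startswith("/") or ".." in key.split("/"):
        raise ValueError(f"rejecting suspicious key {key!r}")
    return bucket, key

def handler(event, context):
    """Scheduled Lambda: poll the partner queue, copy each file into your bucket, ack the message."""
    import boto3
    ext = partner_session(boto3.client("sts"))
    sqs, partner_s3, own_s3 = ext.client("sqs"), ext.client("s3"), boto3.client("s3")
    resp = sqs.receive_message(QueueUrl=PARTNER_QUEUE_URL, MaxNumberOfMessages=10)
    for m in resp.get("Messages", []):
        bucket, key = parse_message(m["Body"])
        obj = partner_s3.get_object(Bucket=bucket, Key=key)   # read with the partner role
        own_s3.upload_fileobj(obj["Body"], DEST_BUCKET, key)  # write with your own role
        sqs.delete_message(QueueUrl=PARTNER_QUEUE_URL, ReceiptHandle=m["ReceiptHandle"])
```

A message that fails validation raises and leaves the batch unacknowledged, so route such messages to a dead-letter queue rather than retrying them forever.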