Reputation: 215
I have a cross account IAM question about running in a Lambda function. (I know people may use STS assume, but this package really isn't worth protecting, and I don't want to go through linking the accounts)
Account "A":
- S3: package "s3://foo/foo"
- IAM credentials "pkg_creds" for bucket "s3://foo"

Account "B":
- Lambda function "gogo" runs

In this Lambda function, it attempts to use boto3 and the pkg_creds to download package "s3://foo/foo", but it fails with this error:
**The provided token is malformed or otherwise invalid.**
Lambda is read only, but I believe boto3 will not write credentials to ~/.aws if I'm using boto3.client (not session). However, I also set AWS_CONFIG_FILE to /tmp just in case. It still fails. I suspect what I'm proposing isn't possible because Lambda has immutable AWS credentials, where you can't change scopes, even one that is explicitly given to boto3.
Let me know your thoughts. I may try to do the job with Fargate, but a Lambda function is easier to maintain and deploy.
Thanks in advance!
Upvotes: 0
Views: 856
Reputation: 215
After troubleshooting more, the issue was that I was taking in the "environment variable" SESSION, which is set on the Lambda function but not on my EC2 instance. So I was always using the Lambda session key, which seems to override the explicit key and secret.
Upvotes: 0
Reputation: 215
User error. I can verify boto3 in a lambda function can use credentials outside of its scope.
Upvotes: -1
Reputation: 200617
Lambda isn't using a ~/.aws config file at all; it is using environment variables by default. There are many ways to configure AWS credentials in boto3. You should be able to create a new boto3 client in your Lambda function with explicit AWS credentials like so:
```python
import os
import boto3

# Account A's long-term key pair, passed to the function as environment variables
ACCOUNT_A_ACCESS_KEY = os.environ['ACCOUNT_A_ACCESS_KEY']
ACCOUNT_A_SECRET_KEY = os.environ['ACCOUNT_A_SECRET_KEY']

client = boto3.client(
    's3',
    aws_access_key_id=ACCOUNT_A_ACCESS_KEY,
    aws_secret_access_key=ACCOUNT_A_SECRET_KEY
)
```
And pass ACCOUNT_A_ACCESS_KEY and ACCOUNT_A_SECRET_KEY as environment variables to the function.
Upvotes: 2
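The asker's own follow-up (the Lambda runtime's session token was being mixed in with the explicit Account A keys) and the answer above (build the client with explicit `aws_access_key_id` / `aws_secret_access_key`) describe the same fix from two sides. The example below is added here and is not code from the original thread; it puts the broken and the corrected client construction side by side. The variable names `PKG_ACCESS_KEY`, `PKG_SECRET_KEY` and `PKG_SESSION_TOKEN` are assumed names for the "pkg_creds" pair, and the sample environment is constructed; `AWS_SESSION_TOKEN` is the variable the Lambda runtime really does set for the function's execution role.

```python
import os

# Assumed environment variable names for Account A's "pkg_creds" (not from the thread).
PKG_KEY_VAR = "PKG_ACCESS_KEY"
PKG_SECRET_VAR = "PKG_SECRET_KEY"
PKG_TOKEN_VAR = "PKG_SESSION_TOKEN"   # only present if Account A issued temporary keys
# Set by the Lambda runtime for the function's own execution-role credentials.
RUNTIME_TOKEN_VAR = "AWS_SESSION_TOKEN"


def broken_client_kwargs(env):
    """Reproduces the mistake from the question: Account A's long-term key pair
    combined with whatever AWS_SESSION_TOKEN is in the environment. In Lambda that
    token belongs to the execution role's temporary key, not to the pkg_creds key,
    so STS/S3 reject the request as "token is malformed or otherwise invalid"."""
    return {
        "aws_access_key_id": env[PKG_KEY_VAR],
        "aws_secret_access_key": env[PKG_SECRET_VAR],
        "aws_session_token": env.get(RUNTIME_TOKEN_VAR),
    }


def account_a_client_kwargs(env):
    """Corrected version: keyword arguments for boto3.client('s3', ...) that select
    Account A's credentials explicitly and never pick up the runtime's token.

    `env` is any mapping shaped like os.environ. A session token is passed only if
    Account A supplied one alongside pkg_creds (temporary credentials); a token is
    only ever valid together with the access key it was issued for."""
    try:
        kwargs = {
            "aws_access_key_id": env[PKG_KEY_VAR],
            "aws_secret_access_key": env[PKG_SECRET_VAR],
        }
    except KeyError as missing:
        raise RuntimeError(f"missing Account A credential variable {missing}") from None
    token = env.get(PKG_TOKEN_VAR)
    if token:
        kwargs["aws_session_token"] = token
    return kwargs


def mixes_runtime_token(kwargs, env):
    """True when the client would carry the Lambda runtime's own session token next
    to a different access key: the misconfiguration that caused the error."""
    runtime_token = env.get(RUNTIME_TOKEN_VAR)
    return bool(runtime_token) and kwargs.get("aws_session_token") == runtime_token


def make_account_a_s3_client(env=None):
    """Build the S3 client with Account A's explicit keys. boto3 is imported here so
    the pure helpers above can be exercised without it installed."""
    import boto3
    env = os.environ if env is None else env
    kwargs = account_a_client_kwargs(env)
    if mixes_runtime_token(kwargs, env):
        raise RuntimeError("refusing to pair Account A keys with the runtime session token")
    return boto3.client("s3", **kwargs)


def download_package(bucket, key, dest, env=None):
    """Fetch s3://bucket/key into dest; /tmp is the only writable path in Lambda."""
    make_account_a_s3_client(env).download_file(bucket, key, dest)


if __name__ == "__main__":
    # Constructed environment resembling a Lambda invocation: the runtime's temporary
    # credentials plus the Account A pair handed to the function by configuration.
    constructed_env = {
        "AWS_ACCESS_KEY_ID": "ASIA_RUNTIME_EXAMPLE",
        "AWS_SECRET_ACCESS_KEY": "runtime-secret-example",
        "AWS_SESSION_TOKEN": "runtime-session-token-example",
        PKG_KEY_VAR: "AKIA_ACCOUNT_A_EXAMPLE",
        PKG_SECRET_VAR: "account-a-secret-example",
    }
    print("broken:", mixes_runtime_token(broken_client_kwargs(constructed_env), constructed_env))
    print("fixed: ", mixes_runtime_token(account_a_client_kwargs(constructed_env), constructed_env))
```

To confirm which principal the client actually acts as, `boto3.client("sts", **account_a_client_kwargs(os.environ)).get_caller_identity()` returns the `Account` the keys belong to; it should be Account A, not the Lambda function's own account. Keep the pkg_creds user scoped to the one bucket, as the question already does, since the keys live in the function's environment for the lifetime of the deployment.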