Nandeesh

Reputation: 117

AWS invoke cross account lambda via Cloudwatch Event Bus

I have an AWS Lambda function deployed in multiple accounts. I'm looking for a way to schedule triggering these Lambda functions from a master account via the CloudWatch Event Bus. Is this possible?

Upvotes: 0

Views: 3787

Answers (2)

Amit Meena

Reputation: 4444

In line with what @amitd is suggesting, you need to implement something like this (using EventBridge and an event bus).


To configure cross-account EventBridge communication, the following needs to be done. I am providing sample events and filters; you can replace the events and filters as per your requirements.

Steps to be performed on Account B: Receiver account

  1. Create an event bus named event-bus-b. Put the resource-based policy as shown below.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "WebStoreCrossAccountPublish",
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::<account-A>:root"
    },
    "Action": "events:PutEvents",
    "Resource": "arn:aws:events:<your-region>:<Account-B>:event-bus/event-bus-b"
  }]
}
  2. Create a rule in account B; let's call it eb-rule-b. In this rule, select event-bus-b as the source event bus.

  3. Provision the following event filter pattern:

Event pattern:

{
  "detail-type": [
    "uoe"
  ],
  "source": [
    "somesource"
  ]
}

Also, test the pattern using the test event.

Test Event:

{
  "version": "0",
  "id": "55fghj-89a9-a0b3-1ccb-79c25c7d6cd2",
  "detail-type": "uoe",
  "source": "somesource",
  "account": "<ACCOUNT_ID>",
  "time": "2020-04-24T13:53:21Z",
  "region": "<YOUR_REGION>",
  "resources": [],
  "detail": {
    "userOrg": "OrgName"
  }
}
  4. Select the event bus event-bus-b in the drop-down.

  5. Select the target "Lambda".

  6. Put the ARN of the event bus which you have created in Account B.

arn:aws:lambda:<your-region>:<AccountB>:function:<AccountBLambda>

  7. Also check the check box "Create a new role for this specific resource". This will create a role in account A which enables Lambda execution.

  8. Click on create and create the rule.

  9. Now click on the event bus event-bus-a and click on the Send events button.

  10. Send a dummy event as shown below and validate that the communication between the event bus and the Lambda in account B is all OK.

  11. If you face some issue in this plumbing, refer to: https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-troubleshooting.html#eb-lam-function-not-invoked

  12. Once we are good in Account B (i.e. we are able to invoke the Lambda by sending events on the event bus), configure other accounts by following the same steps.

Steps to be performed on Account A: Sender account

  1. Create an event bus event-bus-a in account A.

  2. Create a rule eb-rule-a in account A with the following details:

Event pattern:

{
  "detail-type": [
    "uoe"
  ],
  "source": [
    "somesource"
  ]
}

Also, test the pattern using the test event.

Test Event:

{
  "version": "0",
  "id": "55fghj-89a9-a0b3-1ccb-79c25c7d6cd2",
  "detail-type": "uoe",
  "source": "somesource",
  "account": "<ACCOUNT_ID>",
  "time": "2020-04-24T13:53:21Z",
  "region": "<YOUR_REGION>",
  "resources": [],
  "detail": {
    "userOrg": "OrgName"
  }
}
  3. Select the event bus event-bus-a in the drop-down.

  4. Select the target "Event bus in different account or Region".

  5. Put the ARN of the event bus which you have created in Account B.

arn:aws:events:<your-region>:<Account-B>:event-bus/event-bus-b

  6. Also check the check box "Create a new role for this specific resource". This will create a role in account A which enables the users in account A to publish on the account B event bus. The below policy is auto-created and you don't need to do anything.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "events:PutEvents"
            ],
            "Resource": [
                "arn:aws:events:<your-region>:<Account-B>:event-bus/event-bus-b"
            ]
        }
    ]
}

  7. Click on create and create the rule.

  8. Now click on the event bus event-bus-a and click on the Send events button.

  9. Provide details and click on send.


Sample event:

{
  "version": "0",
  "id": "55fghj-89a9-a0b3-1ccb-79c25c7d6cd2",
  "detail-type": "uoe",
  "source": "somesource",
  "account": "<ACCOUNT_ID>",
  "time": "2020-04-24T13:53:21Z",
  "region": "<YOUR_REGION>",
  "resources": [],
  "detail": {
    "userOrg": "OrgName"
  }
}
  10. The event will propagate to the event bus defined in account B.

  11. Repeat steps 4-10 for all other accounts (i.e. create multiple targets in the same rule).

  12. Once configured, a single event in Account A will propagate to multiple accounts and you will achieve the necessary fan-out.

Upvotes: 4
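The following is an added example and is not part of either answer. It models the two-account setup above offline: it emits the resource-based policy for event-bus-b and the resource-based Lambda permission that the console creates for a Lambda target, implements the exact-match subset of EventBridge event-pattern semantics so the `detail-type`/`source` filter can be tested against events without deploying anything, and traces one event through event-bus-a, eb-rule-a, event-bus-b, eb-rule-b and the Lambda in account B. Two things differ from the answer's sample policy on purpose: the bus policy's principal is the role the account-A rule uses to call PutEvents rather than `arn:aws:iam::<account-A>:root` (which would let any principal in account A with `events:PutEvents` publish), and the `events:source` condition key limits which `source` values that role may publish. The account IDs, region, role name `eb-rule-a-to-bus-b` and function name `AccountBLambda` are assumptions chosen for illustration.

```python
"""Offline model of the two-account EventBridge fan-out described in the answer."""
import json
from typing import Any, Dict, List

# Constructed, illustrative values: the account IDs, region, role name and
# function name are assumptions, not taken from the original answer.
ACCOUNT_A = "111111111111"                     # sender account
ACCOUNT_B = "222222222222"                     # receiver account
REGION = "us-east-1"
BUS_B_ARN = f"arn:aws:events:{REGION}:{ACCOUNT_B}:event-bus/event-bus-b"
RULE_B_ARN = f"arn:aws:events:{REGION}:{ACCOUNT_B}:rule/event-bus-b/eb-rule-b"
LAMBDA_B_ARN = f"arn:aws:lambda:{REGION}:{ACCOUNT_B}:function:AccountBLambda"
SENDER_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/eb-rule-a-to-bus-b"  # hypothetical role name
PATTERN = {"detail-type": ["uoe"], "source": ["somesource"]}          # pattern from the answer

SAMPLE_EVENT = {  # the answer's test event with its placeholders filled in (constructed)
    "version": "0", "id": "55fghj-89a9-a0b3-1ccb-79c25c7d6cd2",
    "detail-type": "uoe", "source": "somesource", "account": ACCOUNT_A,
    "time": "2020-04-24T13:53:21Z", "region": REGION, "resources": [],
    "detail": {"userOrg": "OrgName"},
}


def bus_b_resource_policy() -> Dict[str, Any]:
    """Resource-based policy for event-bus-b. Tighter than the answer's sample:
    the principal is the role the account-A rule uses to call PutEvents (not
    account A's root) and events:source restricts what that role may publish."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowEbRuleAFromAccountA", "Effect": "Allow",
        "Principal": {"AWS": SENDER_ROLE_ARN},
        "Action": "events:PutEvents", "Resource": BUS_B_ARN,
        "Condition": {"StringEquals": {"events:source": PATTERN["source"]}}}]}


def lambda_b_invoke_permission() -> Dict[str, Any]:
    """Statement the console adds to AccountBLambda's resource policy when the
    Lambda target is created (aws lambda add-permission does the same). A Lambda
    target is invoked through this permission, not through an IAM role, and
    SourceArn pins it to eb-rule-b so other rules cannot invoke the function."""
    return {"Sid": "AllowEbRuleB", "Effect": "Allow",
            "Principal": {"Service": "events.amazonaws.com"},
            "Action": "lambda:InvokeFunction", "Resource": LAMBDA_B_ARN,
            "Condition": {"ArnLike": {"AWS:SourceArn": RULE_B_ARN}}}


def matches(pattern: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Exact-match subset of EventBridge pattern semantics: every pattern key must
    exist in the event; a list of literals matches when the event value (or any
    element of it, if the event value is a list) equals one of them; a nested
    dict recurses. A field missing from the event never matches."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches(allowed, value):
                return False
        else:
            candidates = value if isinstance(value, list) else [value]
            if not any(c in allowed for c in candidates):
                return False
    return True


def bus_b_allows(policy: Dict[str, Any], principal_arn: str, source: str) -> bool:
    """Minimal evaluation of the bus policy above: an Allow statement whose
    principal, action, resource and events:source condition all match."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or st["Action"] != "events:PutEvents":
            continue
        if st["Principal"].get("AWS") != principal_arn or st["Resource"] != BUS_B_ARN:
            continue
        allowed = st.get("Condition", {}).get("StringEquals", {}).get("events:source")
        if allowed is None or source in allowed:
            return True
    return False


INVOCATIONS: List[Dict[str, Any]] = []   # what the simulated Lambda in account B received


def account_b_lambda(event: Dict[str, Any]) -> Dict[str, Any]:
    INVOCATIONS.append(event)
    return {"userOrg": event["detail"].get("userOrg")}


def fan_out(event: Dict[str, Any], caller_arn: str = SENDER_ROLE_ARN) -> List[str]:
    """Trace one event: event-bus-a -> eb-rule-a -> event-bus-b -> eb-rule-b -> Lambda."""
    trace: List[str] = []
    if not matches(PATTERN, event):                      # eb-rule-a on event-bus-a
        return trace + ["eb-rule-a: no match, dropped in account A"]
    trace.append(f"eb-rule-a: forwarding to event-bus-b as {caller_arn}")
    if not bus_b_allows(bus_b_resource_policy(), caller_arn, event["source"]):
        return trace + ["event-bus-b: PutEvents denied by resource policy"]
    if not matches(PATTERN, event):                      # eb-rule-b on event-bus-b
        return trace + ["eb-rule-b: no match, dropped in account B"]
    result = account_b_lambda(event)
    return trace + [f"eb-rule-b: invoked {LAMBDA_B_ARN} -> {json.dumps(result)}"]


if __name__ == "__main__":
    print(json.dumps(bus_b_resource_policy(), indent=2))
    print(json.dumps(lambda_b_invoke_permission(), indent=2))
    for line in fan_out(SAMPLE_EVENT):
        print(line)
    # Same event sent as account A's root: denied, because the policy names the role.
    for line in fan_out(SAMPLE_EVENT, caller_arn=f"arn:aws:iam::{ACCOUNT_A}:root"):
        print(line)
```

Outside the console, the same plumbing is `aws events put-permission --event-bus-name event-bus-b --policy file://bus-b-policy.json` in account B, `aws events put-rule` plus `aws events put-targets` (with a `RoleArn` on the cross-account bus target) in account A, and `aws lambda add-permission` for the Lambda target in account B; `matches` only covers literal-list patterns, so `prefix`, `exists` and similar content filters must still be tested in the console.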

amitd

Reputation: 1532

Please refer to the following options and related documentation from AWS:

  1. Using CloudWatchEvents:

a. Sending and Receiving Events Between AWS Accounts

b. Cross-Account Delivery of CloudWatch Events

OR

  2. Using Amazon EventBridge:

a. Simplifying cross-account access with Amazon EventBridge

b. Sending and receiving Amazon EventBridge events between AWS accounts

Upvotes: 2
