How to Configure AWS Lambda to assume a role from different account ?
AWS Lambda functions are most widely used by the users for cluster scaling logic, maintaining event Integrations and managing runtimes. It is also used to extend the existing AWS services with custom logic.
AWS Lambda Functions are very easy to create and use. It supports a wide range of popular programming languages like Python 2/3, Node JS, Java, Go, Ruby e.t.c.,.
Saying that, It takes some complex but well-defined configuration to manage/integrate AWS services from a different account using Lambda Functions. This Post will explain the different steps that are involved to achieve this.
Let’s assume you have two AWS accounts A and B, You want create a Lambda function in Account A that can fetch the list of S3 Buckets available in Account B.
- Create a Role in account A that will be used by your AWS Lambda function.
- Create a Role in account B with a role type of Role for Cross-Account Access. Assign the desired permissions to List S3 Buckets in account B. Also add permissions for the Role in account A to call AssumeRole on this role. AssumeRole permissions can be found under STS policy.
- Modify the trust policy of the assumed role in account B to the following:
Note: Replace ********* with the AWS account ID of account A. Replace my-lambda-execution-role with the name of the execution role.
4. Create a Lambda function in account A that can then call AssumeRole on the role in account B. This will return a set of temporary credentials that can be used to access S3 buckets in account B.
Example reference from official AWS document.
Thanks for Reading, Hope you found this useful :)