Amazon S3 triggering another a Lambda function in another account

I want to run a lambda in Account B when any object comes into Account A S3 bucket.

But I heard that S3 can only invoke a Lambda in the same account; for cross-account S3-to-Lambda access I would have to run a Lambda within the same account and add another trigger that runs the Lambda in the other account:

  1. S3(Account A)--> Lambda(Account B)- not possible
  2. S3(Account A)--> Lambda(Account A)-->Lambda(Account B)- Possible

Can someone tell me which option is possible? If so, how?

sandeep asked Aug 01 '17 18:08



3 Answers

@John's solution works, but there are certain steps I would like to add to his answer.

  • The S3 bucket and the Lambda need to be in the same region. For example, both should be created in the us-east-1 region. Different regions throw an error like the one below:

The notification destination service region is not valid for the bucket location constraint

Below are the steps I followed to create the trigger:

Account-A.S3-bucket -> Account-B.Lambda-function
  1. From Terminal, switch to Account-B's AWS profile where the Lambda would reside
  2. Run the command below, changing the parameters for your case:

    aws lambda add-permission \
      --region {Account-B.Lambda region Eg. us-east-1} \
      --function-name {Account-B.Lambda name} \
      --statement-id 1 \
      --principal s3.amazonaws.com \
      --action lambda:InvokeFunction \
      --source-arn arn:aws:s3:::{Account-A.S3 name} \
      --source-account {Account-A.account-id} \
      --profile {Account-B.profile-name}

You might get a "statement-id exists" error; in this case, increment the statement-id and re-run the command.

  3. Go to Account-A's S3 bucket and, under the Properties tab, open Events
  4. Select Add Notification
  5. Add the following fields:

    Name: ObjectCreation
    Events: ObjectCreate (All)
    Send to: Lambda function
    Lambda: Add Lambda function ARN
    Lambda function ARN: your-lambda-arn

Note: The Lambda function might still show an error, but new objects added to the S3 bucket trigger the Lambda, and the print(event) logs appear in CloudWatch Logs.

Vaulstein answered Sep 24 '22 18:09


I managed to successfully trigger an AWS Lambda function in Account B from an upload to an Amazon S3 bucket in Account A.

Account-A.S3-bucket -> Account-B.Lambda-function

Here's what I did:

  • Created the Amazon S3 bucket in Account A
  • Created the Lambda function in Account B
  • Added a Resource-Based Policy for AWS Lambda to the Lambda function via the AWS Command-Line Interface (CLI) that allowed the S3 bucket to call lambda:InvokeFunction on the Lambda function
  • Added a Bucket Policy to the S3 bucket to permit GetObject access from anywhere (this should be locked-down further, but was sufficient for the experiment)
  • Configured an Event for ObjectCreate (All) on the S3 bucket, referencing the Lambda function via its ARN
  • Uploaded a file to the Account-A.S3-bucket
  • The Account-B.Lambda-function was successfully triggered

I then repeated the experiment with the bucket in a different region and it failed, saying:

The notification destination service region is not valid for the bucket location constraint

John Rotenstein answered Sep 20 '22 18:09
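Both answers above grant s3.amazonaws.com permission to invoke the function with a resource-based policy, and Vaulstein's add-permission command pins that grant to one bucket ARN and one source account. The following is an added example, not code from either answer or from AWS, that audits the policy document returned by `aws lambda get-policy` for S3 grants missing either condition (account ids, bucket and function names are constructed placeholders):

```python
import json

# Constructed example of the document inside the "Policy" field that
# `aws lambda get-policy` returns. Statement "1" is what the add-permission
# command above produces; statement "2" is the same grant made without
# --source-account, so any account that owns a bucket with that name could
# invoke the function (bucket names are global, and deleted names can be
# re-created by someone else).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:222222222222:function:account-b-func",
            "Condition": {
                "StringEquals": {"AWS:SourceAccount": "111111111111"},
                "ArnLike": {"AWS:SourceArn": "arn:aws:s3:::account-a-bucket"},
            },
        },
        {
            "Sid": "2",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:222222222222:function:account-b-func",
            "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:s3:::account-a-bucket"}},
        },
    ],
}

REQUIRED_KEYS = {"aws:sourcearn", "aws:sourceaccount"}


def condition_keys(statement):
    """Lower-cased condition keys across all operators of one statement."""
    keys = set()
    for operator in statement.get("Condition", {}).values():
        keys.update(k.lower() for k in operator)
    return keys


def unscoped_s3_grants(policy):
    """Sids of Allow statements that let s3.amazonaws.com invoke the function
    without pinning both the source bucket ARN and the source account.
    Accepts the parsed document or the JSON string from get-policy."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    flagged = []
    for st in policy.get("Statement", []):
        services = st.get("Principal", {}).get("Service", [])
        if isinstance(services, str):
            services = [services]
        if st.get("Effect") == "Allow" and "s3.amazonaws.com" in services:
            if not REQUIRED_KEYS <= condition_keys(st):
                flagged.append(st.get("Sid"))
    return flagged


if __name__ == "__main__":
    print(unscoped_s3_grants(json.dumps(SAMPLE_POLICY)))  # ['2']
```

Any Sid the function returns should be removed with `aws lambda remove-permission` and re-added with both --source-arn and --source-account, as in the command above.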


Here is how you do this in clear steps:

I define "Customer Account" as the account that contains the S3 resource, and "Service Account" as the account that contains the Lambda function that will access the S3 resource.

  1. Create an assumed role on the Customer Account with full S3 access.
  2. Create a trust policy in the assumed role pointing at the Lambda ARN.
  3. Attach an IAM policy to the Lambda execution role on the Service Account, pointing at the Customer Account / assumed role (Reference: https://aws.amazon.com/premiumsupport/knowledge-center/lambda-function-assume-iam-role/).
  4. Create an object notification event on the target S3 bucket on the Customer Account to notify the Lambda ARN on the Service Account. (Reference: https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/S3.html#putBucketNotificationConfiguration-property)

Bahadir Balban answered Sep 21 '22 18:09