AWS Lambda triggered by PUT to s3 bucket in separate account

I am trying to trigger a Lambda function to run on update to an S3 bucket. The S3 bucket that I am attempting to have trigger the Lambda is in a separate AWS account.

The approach I have tried is setting up a role in the account with the S3 bucket that has all the privileges on the S3 bucket. Then in the account with the Lambda I have a role which assumes the role in the other account like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::..."
            ]
        }
    ]
}

I am not able to see the S3 bucket in the list of buckets to trigger the Lambda event.

Is using an S3 bucket in a separate account to trigger a Lambda possible? Is this the correct solution?

BBS asked Apr 17 '16 22:04
1 Answer

UPDATE: It appears that cross-account triggering of a Lambda function from S3 actually is possible. See: Using Resource-Based Policies for AWS Lambda (Lambda Function Policies)


Old answer:

Amazon S3 can trigger an AWS Lambda function when objects are added to, or deleted from, a bucket.

However, this trigger must be set up on the bucket itself. You will need the owner of the bucket (or someone with sufficient permissions) to set the configuration to trigger Lambda.

Also, the Lambda function being called must be in the same Account as the Amazon S3 bucket. You could create a Lambda function in one account that then calls a Lambda function in another account (given sufficient permissions), but it is not possible for a Bucket in Account A to directly trigger a Lambda function in Account B.

John Rotenstein answered Sep 19 '22 07:09
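To make the updated answer concrete, here is an added example (not code from the question or answer above) showing the two API calls a cross-account S3 to Lambda trigger consists of, and the confused-deputy check a reviewer would apply to the resulting function policy. The bucket account, bucket name, function ARN and prefix are constructed placeholders. The function owner (account B) adds a resource-based permission for the S3 service principal, scoped by `SourceAccount` and `SourceArn` so that no other bucket (in any account) can invoke the function; the bucket owner (account A) then puts the notification configuration. The parameter names match boto3's `add_permission` and `put_bucket_notification_configuration`; the code only builds and audits the request bodies so it runs offline.

```python
"""Cross-account S3 -> Lambda trigger: the two calls involved, built offline.

Bucket lives in account A (BUCKET_ACCOUNT); function lives in account B.
All identifiers below are constructed for the example.
"""
import json

BUCKET_ACCOUNT = "111111111111"                      # constructed: account A, owns the bucket
BUCKET_NAME = "example-upload-bucket"                # constructed
FUNCTION_ARN = ("arn:aws:lambda:us-east-1:222222222222"
                ":function:process-upload")          # constructed: account B


def lambda_permission_params(function_arn, bucket_name, bucket_account,
                             statement_id="s3-cross-account-invoke"):
    """Keyword arguments for boto3 lambda.add_permission, run in the function's account (B).

    Principal is the S3 service itself, so SourceArn and SourceAccount are the only
    things tying the grant to one specific bucket in one specific account.
    """
    return {
        "FunctionName": function_arn,
        "StatementId": statement_id,
        "Action": "lambda:InvokeFunction",
        "Principal": "s3.amazonaws.com",
        "SourceArn": f"arn:aws:s3:::{bucket_name}",
        "SourceAccount": bucket_account,
    }


def resulting_policy_statement(params):
    """Statement Lambda stores in the function's resource-based policy for those params
    (the shape `aws lambda get-policy` returns)."""
    return {
        "Sid": params["StatementId"],
        "Effect": "Allow",
        "Principal": {"Service": params["Principal"]},
        "Action": params["Action"],
        "Resource": params["FunctionName"],
        "Condition": {
            "StringEquals": {"AWS:SourceAccount": params["SourceAccount"]},
            "ArnLike": {"AWS:SourceArn": params["SourceArn"]},
        },
    }


def bucket_notification_params(bucket_name, function_arn, prefix="uploads/"):
    """Keyword arguments for boto3 s3.put_bucket_notification_configuration, run by the
    bucket owner (A). S3 verifies it may invoke the destination before accepting this,
    so the add_permission call must already have been applied in account B."""
    return {
        "Bucket": bucket_name,
        "NotificationConfiguration": {
            "LambdaFunctionConfigurations": [{
                "Id": "put-to-lambda",
                "LambdaFunctionArn": function_arn,
                "Events": ["s3:ObjectCreated:Put"],
                "Filter": {"Key": {"FilterRules": [{"Name": "prefix", "Value": prefix}]}},
            }]
        },
    }


def audit_statement(stmt):
    """Findings for a function-policy statement that lets the S3 service invoke the
    function without pinning the source bucket and account (confused deputy)."""
    findings = []
    if stmt.get("Principal", {}).get("Service") != "s3.amazonaws.com":
        return findings
    cond = stmt.get("Condition", {})
    if "AWS:SourceAccount" not in cond.get("StringEquals", {}):
        findings.append("missing AWS:SourceAccount condition")
    if "AWS:SourceArn" not in cond.get("ArnLike", {}):
        findings.append("missing AWS:SourceArn condition")
    return findings


if __name__ == "__main__":
    perm = lambda_permission_params(FUNCTION_ARN, BUCKET_NAME, BUCKET_ACCOUNT)
    print("add_permission (account B):", json.dumps(perm, indent=2))
    print("resulting statement findings:", audit_statement(resulting_policy_statement(perm)))
    print("put_bucket_notification_configuration (account A):",
          json.dumps(bucket_notification_params(BUCKET_NAME, FUNCTION_ARN), indent=2))
```

Run the `add_permission` step first; if the bucket owner applies the notification configuration before the function policy allows the invocation, S3 rejects the configuration as an unvalidated destination. `audit_statement` is the check to run over an existing function policy: a statement granting `s3.amazonaws.com` without both conditions can be triggered by any bucket anyone names identically in their own account.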