Cross-account lambda trigger by kinesis

Question

I'm trying to trigger a lambda in account 'B' by a Kinesis stream in account 'A'. This is similar to what's described here, except the example uses S3 instead of Kinesis.

To do this, I'm trying to set up the right permissions, but running into difficulties.

First I add this permission:

  aws lambda add-permission \
--function-name "$function_name" \
--statement-id 'Id-123' \
--action "lambda:InvokeFunction" \
--principal $source_account \
--source-arn "$stream_arn" \
--source-account $source_account \
--region us-east-1 \
--profile "$profile"

Where $source_account is the account ID for 'A'.

Then I attempt to create the source mapping:

 aws lambda create-event-source-mapping \
    --event-source-arn "$stream_arn" \
    --function-name "$function_name" \
    --starting-position TRIM_HORIZON \
    --region us-east-1 \
    --profile "$profile"

And I get the following error:

A client error (InvalidParameterValueException) occurred when calling the CreateEventSourceMapping operation: Role and event source must be in the same account as the cloud function

I don't understand this error. Is it saying what I'm trying to do is impossible? But then how was it accomplished here with S3, which is essentially the same mechanism?

Answer 1

AWS Lambda function to an Amazon Kinesis stream only works when both in the same account.

If you want to call functions in account B, you can hook the fan out function deployed in account A to your stream in account A, and ask it to call with a cross-account role a function in account B. create a target of type Lambda and specify a role in account B.

• https://github.com/aws-samples/aws-lambda-fanout
• How to fanout an AWS kinesis stream?

Answer 2

Creating cross-account event source mappings between AWS Kinesis and Lambda is not supported. Kinesis event source mappings use polling as opposed to the push model of S3.