I have two AWS accounts (A and B). On my account A, I have a Lambda function which needs to access resources of account B. Precisely, my Lambda on my account A needs to update a record in a Route53 zone hosted on my account B.
Contrary to S3, I don't see any resource access policy in Route53. So I'm a bit lost. I tried to play with IAM cross-account roles, but that does not seem to work with Lambda.
How can I allow a Lambda function on an account A to access resources of my account B?
To have your Lambda function assume an IAM role in another AWS account, do the following:

1. Configure your Lambda function's execution role to allow the function to assume an IAM role in another AWS account.
2. Modify your cross-account IAM role's trust policy to allow your Lambda function to assume the role.

Users in the other account must have the corresponding user permissions to use the Lambda API. To limit access to a user or role in another account, specify the full ARN of the identity as the principal. For example, `arn:aws:iam::123456789012:user/developer`. The alias limits which version the other account can invoke.
You can create a Role in account B and permit your User (in account A) to call AssumeRole on this role.

Your Lambda function then calls AssumeRole on the role in account B. This will return a set of temporary credentials that can be used to access Route 53 in account B.

See:

Here's a picture from the Tutorial:
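The two answers above describe the same three-part setup: a permission policy on the Lambda execution role in account A that allows `sts:AssumeRole`, a trust policy on the role in account B that names that execution role as principal, and a Route 53 permission policy on the account B role, followed by an `AssumeRole` call at runtime. The following example, added here and not taken from either answer or from AWS documentation, builds all three policy documents and shows the Lambda handler that assumes the role and upserts a record. Account IDs, role names, the hosted zone ID and the record values are constructed placeholders; the policy documents are scoped to a single role ARN and a single hosted zone rather than to whole accounts, which is the check worth making when reviewing such a setup.

```python
import json

# Constructed placeholder values for this example (not from the original post).
ACCOUNT_A_ID = "111111111111"          # account that owns the Lambda function
ACCOUNT_B_ID = "222222222222"          # account that owns the Route 53 hosted zone
LAMBDA_EXEC_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A_ID}:role/lambda-exec-role"
CROSS_ACCOUNT_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B_ID}:role/route53-updater"
HOSTED_ZONE_ID = "Z0EXAMPLEZONEID"     # constructed placeholder, not a real zone


def lambda_execution_policy(target_role_arn: str) -> dict:
    """Permission policy attached to the Lambda execution role in account A.
    Grants only sts:AssumeRole, and only on the one cross-account role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": target_role_arn,
        }],
    }


def cross_account_trust_policy(trusted_principal_arn: str) -> dict:
    """Trust policy on the role in account B. The principal is the full ARN of
    the Lambda execution role, not the account root, so nothing else in
    account A can assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": trusted_principal_arn},
            "Action": "sts:AssumeRole",
        }],
    }


def route53_permission_policy(hosted_zone_id: str) -> dict:
    """Permission policy on the account B role, scoped to one hosted zone."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": [
                "route53:ChangeResourceRecordSets",
                "route53:ListResourceRecordSets",
            ],
            "Resource": f"arn:aws:route53:::hostedzone/{hosted_zone_id}",
        }],
    }


def statement_actions(policy: dict) -> set:
    """Flatten every Action in a policy document into a set (review helper)."""
    actions = set()
    for stmt in policy["Statement"]:
        action = stmt["Action"]
        actions.update([action] if isinstance(action, str) else action)
    return actions


def lambda_handler(event, context):
    """Lambda in account A: assume the account B role with short-lived
    credentials, then UPSERT an A record in the account B hosted zone.
    boto3 is imported inside the handler so the module loads without it."""
    import boto3
    sts = boto3.client("sts")
    creds = sts.assume_role(
        RoleArn=CROSS_ACCOUNT_ROLE_ARN,
        RoleSessionName="route53-update",
        DurationSeconds=900,               # minimum allowed; credentials expire quickly
    )["Credentials"]
    r53 = boto3.client(
        "route53",
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )
    return r53.change_resource_record_sets(
        HostedZoneId=HOSTED_ZONE_ID,
        ChangeBatch={"Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": event["name"],      # e.g. "app.example.com."
                "Type": "A",
                "TTL": 60,
                "ResourceRecords": [{"Value": event["ip"]}],
            },
        }]},
    )


if __name__ == "__main__":
    # Print the three documents to paste into the respective IAM roles.
    print(json.dumps(lambda_execution_policy(CROSS_ACCOUNT_ROLE_ARN), indent=2))
    print(json.dumps(cross_account_trust_policy(LAMBDA_EXEC_ROLE_ARN), indent=2))
    print(json.dumps(route53_permission_policy(HOSTED_ZONE_ID), indent=2))
```

The execution policy and the trust policy are both required: without the first, STS rejects the call from the Lambda; without the second, account B never accepts it. Keeping the trust policy principal at the role ARN level (rather than `arn:aws:iam::ACCOUNT_A:root`) is what prevents any other identity in account A from reaching the zone.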