Cross account role for an AWS Lambda function

I have two AWS accounts (A and B). On my account A, I have a Lambda function which needs to access resources of account B. Precisely, my Lambda on my account A needs to update a record in a Route53 zone hosted on my account B.

Contrary to S3, I don't see any resource access policy in Route53. So I'm a bit lost. I tried to play with IAM cross-account roles, but that does not seem to work with Lambda.

How can I allow a Lambda function on an account A to access resources of my account B?

Olivier asked Jun 30 '16 16:06


People also ask

Can Lambda assume Cross-account role?

To have your Lambda function assume an IAM role in another AWS account, do the following: Configure your Lambda function's execution role to allow the function to assume an IAM role in another AWS account. Modify your cross-account IAM role's trust policy to allow your Lambda function to assume the role.

Can AWS Lambda access resources in another account?

Users in the other account must have the corresponding user permissions to use the Lambda API. To limit access to a user or role in another account, specify the full ARN of the identity as the principal. For example, arn:aws:iam::123456789012:user/developer . The alias limits which version the other account can invoke.


1 Answer

You can create a Role in account B and permit your User (in account A) to assume it.

  • Create a Role in account A that will be used by your AWS Lambda function.
  • Create a Role in account B with a role type of Role for Cross-Account Access. Assign the desired permissions to use Route 53 in account B. Also add permissions for the Role in account A to call AssumeRole on this role.
  • The Lambda function in account A can then call AssumeRole on the role in account B. This will return a set of temporary credentials that can be used to access Route 53 in account B.

See:

  • Tutorial: Delegate Access Across AWS Accounts Using IAM Roles
  • Creating a Role to Delegate Permissions to an IAM User

Here's a picture from the Tutorial:

[Image: Cross account access]

John Rotenstein answered Sep 21 '22 01:09
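The three steps in the answer above, worked through as an added example (not code from the original question or answer): the trust policy and Route 53 permissions policy for the role in account B, the AssumeRole permission on the Lambda execution role in account A, and a Python Lambda handler that calls AssumeRole and uses the temporary credentials to UPSERT a record. The account IDs (111111111111 / 222222222222), the role names (lambda-route53-exec / Route53Updater) and the hosted zone ID Z0000000000EXAMPLE are assumed placeholders; replace them with your own. The policies are scoped to the one hosted zone and the one target role rather than `*`, which is the least-privilege shape a reviewer would expect for this setup.

```python
"""Cross-account Route 53 update from a Lambda function in account A.

Assumed placeholders (not from the original post): account IDs, role names and
the hosted zone ID below. boto3 is only imported inside the functions that talk
to AWS, so the policy builders can be inspected and tested offline.
"""
import json

ACCOUNT_A = "111111111111"  # assumed: account that hosts the Lambda function
ACCOUNT_B = "222222222222"  # assumed: account that hosts the Route 53 zone
LAMBDA_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/lambda-route53-exec"  # assumed name
TARGET_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/Route53Updater"       # assumed name
HOSTED_ZONE_ID = "Z0000000000EXAMPLE"                                     # assumed zone in B


def lambda_execution_trust_policy() -> dict:
    """Trust policy of the execution role in account A: only the Lambda service may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def lambda_role_assume_policy(target_role_arn: str) -> dict:
    """Permissions policy on the execution role in A: allow AssumeRole on exactly one role in B."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": target_role_arn,
        }],
    }


def trust_policy_for_account_b(lambda_role_arn: str) -> dict:
    """Trust policy of the role in account B.

    The principal is the specific execution role ARN, not the whole of account A
    ("arn:aws:iam::111111111111:root"), so no other identity in A can assume it.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": lambda_role_arn},
            "Action": "sts:AssumeRole",
        }],
    }


def route53_permissions_policy(hosted_zone_id: str) -> dict:
    """Permissions policy of the role in B: read and change records in one hosted zone only."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets"],
                "Resource": f"arn:aws:route53:::hostedzone/{hosted_zone_id}",
            },
            {  # needed only if the function polls the change until INSYNC
                "Effect": "Allow",
                "Action": "route53:GetChange",
                "Resource": "arn:aws:route53:::change/*",
            },
        ],
    }


def upsert_change_batch(name: str, record_type: str, values: list, ttl: int = 60) -> dict:
    """Build the ChangeBatch for ChangeResourceRecordSets; names are normalised to FQDN form."""
    fqdn = name if name.endswith(".") else name + "."
    return {
        "Comment": "updated by Lambda in account A",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": fqdn,
                "Type": record_type,
                "TTL": ttl,
                "ResourceRecords": [{"Value": v} for v in values],
            },
        }],
    }


def assume_role_session(target_role_arn: str, session_name: str):
    """Call sts:AssumeRole from the Lambda's own credentials and wrap the temporary
    credentials in a boto3 Session bound to account B. 900 s is the minimum duration."""
    import boto3  # lazy import: only the live path needs the AWS SDK
    sts = boto3.client("sts")
    creds = sts.assume_role(
        RoleArn=target_role_arn, RoleSessionName=session_name, DurationSeconds=900
    )["Credentials"]
    return boto3.Session(
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )


def lambda_handler(event, context):
    """Entry point. Expects event = {"name": "...", "type": "A", "values": ["192.0.2.1"]}."""
    session = assume_role_session(TARGET_ROLE_ARN, "lambda-route53-update")
    r53 = session.client("route53")  # client built from the assumed-role credentials
    resp = r53.change_resource_record_sets(
        HostedZoneId=HOSTED_ZONE_ID,
        ChangeBatch=upsert_change_batch(event["name"], event.get("type", "A"), event["values"]),
    )
    return {"change_id": resp["ChangeInfo"]["Id"], "status": resp["ChangeInfo"]["Status"]}


if __name__ == "__main__":
    # Print the four policy documents so they can be pasted into the IAM console or CLI.
    print(json.dumps(lambda_execution_trust_policy(), indent=2))
    print(json.dumps(lambda_role_assume_policy(TARGET_ROLE_ARN), indent=2))
    print(json.dumps(trust_policy_for_account_b(LAMBDA_ROLE_ARN), indent=2))
    print(json.dumps(route53_permissions_policy(HOSTED_ZONE_ID), indent=2))
```

Two things the answer's three steps do not spell out: the execution role in account A also needs the usual CloudWatch Logs permissions (for example the AWS-managed AWSLambdaBasicExecutionRole) or the function cannot log, and both sides must agree before AssumeRole succeeds: A's role must be allowed `sts:AssumeRole` on B's role ARN, and B's role must list A's role ARN as a trusted principal. If either half is missing, the `assume_role` call fails with AccessDenied, which is the symptom behind "cross-account roles do not seem to work with Lambda".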