I have 2 AWS CDK applications running in separate AWS accounts, and I'm trying to add CDK to get a lambda in one AWS account to subscribe to notifications in the other AWS account.
I tried adding the subscription in the lambda account, but this didn't work, since the SNS account doesn't grant permissions.
CDK in the SNS account:
val myTopic = Topic(this, "my-topic-id", TopicProps.builder()
.displayName("topicName")
.topicName("topicName")
.build())
CDK in the Lambda account:
val myLambda = Function(...)
val crossAccountTopic = Topic.fromTopicArn(this, "topic-id", "arn:aws:sns:<region>:<accountId>:topicName")
crossAccountTopic.addSubscription(LambdaSubscription(myLambda))
Has anyone tried something like this? Is there a way to grant access purely with changes to CDK in both accounts? Or is a manual action required? There may be a way to do this by granting access through IAM roles, so I will investigate this further.
Yes, you can grant access in both accounts through CDK. First, you must grant access in the providing account, and deploy the CDK/CloudFormation stack. Then you can grant access in the client account.
CDK in the SNS account:
val myTopic = Topic(this, "my-topic-id", TopicProps.builder()
.displayName("topicName")
.topicName("topicName")
.build())
// Topic resource policy: let the Lambda account subscribe to this topic, and nothing more
val snsAccessPolicy = PolicyStatement.Builder.create()
    .principals(listOf(AccountPrincipal("123456346")))   // the Lambda (client) account
    .actions(listOf("SNS:Subscribe"))                     // only the action the subscription needs
    .resources(listOf(myTopic.topicArn))                  // only this topic
    .build()
myTopic.addToResourcePolicy(snsAccessPolicy)
CDK in the Lambda account:
val myLambda = Function(...)
val crossAccountTopic = Topic.fromTopicArn(this, "topic-id", "arn:aws:sns:<region>:<accountId>:topicName")
crossAccountTopic.addSubscription(LambdaSubscription(myLambda))