Account A is the application account where I created the Kinesis stream, and I want to create a Firehose in Account B to read from the Account A Kinesis stream. Is this possible? I tried to follow the steps from (https://medium.com/upday-devs/configure-kcl-to-read-from-a-different-aws-account-16000b26e7ff) and created an external access role (say 'arn:aws:iam::111111111:role/External-Kinesis-Access') in Account A and just specified the ARN:

```yaml
KinesisStreamSourceConfiguration:
  KinesisStreamARN:
    Ref: KinesisSourceStreamARN
  RoleARN: 'arn:aws:iam::111111111:role/External-Kinesis-Access'
```
But this results in an error: IAM role and Kinesis stream should belong to the same account.
I tried using sts:AssumeRole, but this results in a different error: 'Cross-account pass role is not allowed.'
So it seems cross account streaming through Firehose is not supported. I also found this: https://forums.aws.amazon.com/thread.jspa?threadID=249458 which leads me to believe that it is not supported.
If that is the case, what is the workaround? Create a Lambda function in Account A to write to Firehose in Account B?
It's possible to have a Lambda function as you suggested. There is also a tutorial here: https://medium.com/faun/quicksolutions-cross-account-use-lambda-to-write-to-firehose-in-another-aws-account-38bc4270a348
This will result in additional cost for the Lambda execution. If you just want to persist data to S3, you could also configure Firehose to write into an S3 bucket in another account: https://docs.aws.amazon.com/firehose/latest/dev/controlling-access.html#cross-account-delivery-s3 and https://blog.fajri.my.id/post/aws-kinesis-firehose-cross-account-bucket/
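The Lambda workaround discussed above, as an added example that is not code from the question, the answer or the linked tutorials: a handler in Account A that assumes a role in Account B via STS and forwards the Kinesis records to that account's Firehose with PutRecordBatch, respecting the batch limits. The role ARN, delivery stream name and sample event are assumed/constructed; the Account B role is assumed to trust only this Lambda's execution role and to allow only firehose:PutRecordBatch on the one stream.

```python
"""Lambda in Account A: push Kinesis records to a Firehose stream owned by Account B."""
import base64

# Assumed names (not from the question or answer): a role in Account B that trusts this
# Lambda's execution role and allows only firehose:PutRecordBatch on the target stream.
TARGET_ROLE_ARN = "arn:aws:iam::222222222222:role/Firehose-Writer"
DELIVERY_STREAM = "account-b-firehose"
MAX_RECORDS = 500                  # PutRecordBatch: at most 500 records per call
MAX_BATCH_BYTES = 4 * 1024 * 1024  # and at most 4 MiB per call
MAX_RECORD_BYTES = 1000 * 1024     # each record at most 1,000 KiB

# Constructed sample event in the shape Lambda receives from a Kinesis event source.
SAMPLE_EVENT = {"Records": [
    {"kinesis": {"data": base64.b64encode(b'{"id": 1}').decode()}},
    {"kinesis": {"data": base64.b64encode(b'{"id": 2}\n').decode()}},
]}

def kinesis_event_to_batches(event):
    """Decode Kinesis records and group them into PutRecordBatch-sized lists."""
    batches, current, size = [], [], 0
    for rec in event.get("Records", []):
        data = base64.b64decode(rec["kinesis"]["data"])
        if not data.endswith(b"\n"):
            data += b"\n"  # newline-delimit so delivered S3 objects stay line-oriented
        if len(data) > MAX_RECORD_BYTES:
            raise ValueError("record exceeds the Firehose per-record limit")
        if current and (len(current) == MAX_RECORDS or size + len(data) > MAX_BATCH_BYTES):
            batches.append(current)
            current, size = [], 0
        current.append({"Data": data})
        size += len(data)
    if current:
        batches.append(current)
    return batches

def firehose_client_for_account_b():
    """Assume the Account B role with STS and build a Firehose client from its credentials."""
    import boto3  # imported lazily so the pure helper above runs without boto3 installed
    creds = boto3.client("sts").assume_role(
        RoleArn=TARGET_ROLE_ARN, RoleSessionName="kinesis-to-firehose")["Credentials"]
    return boto3.client("firehose", aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])

def handler(event, context):
    client = firehose_client_for_account_b()
    for batch in kinesis_event_to_batches(event):
        resp = client.put_record_batch(DeliveryStreamName=DELIVERY_STREAM, Records=batch)
        if resp.get("FailedPutCount", 0):  # raise so Lambda retries instead of silently dropping
            raise RuntimeError(f"{resp['FailedPutCount']} records failed: {resp['RequestResponses'][:3]}")
```

Raising on a non-zero FailedPutCount is deliberate: the Kinesis event source will retry the batch, whereas ignoring it loses records without any trace in Account B.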