 

Is it possible to call lambda from another cross account lambda

I am using the serverless framework and am trying to access a cross-account lambda from my lambda function. I am getting the following error:

User: arn:aws:sts::984589850232:assumed-role/device-service-sandbox-authenticateDevice-us-east-1-lambdaRole/device-service-sandbox-authenticateDevice is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-east-1:938718425371:function:cm-mgmt-service-sandbox-authenticateDevice because no resource-based policy allows the lambda:InvokeFunction action",

I want to access it without using STS AssumeRole.

This is the permission I have added to the lambda which I am trying to access:

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "addCrossAccountPermission",
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:938718425371:function:cm-mgmt-service-sandbox-authenticateDevice",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "984589850232"
        },
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:lambda:us-east-1:984589850232:function:device-service-sandbox-authenticateDevice"
        }
      }
    }
  ]
}

This is my code for the invoking lambda, written with the serverless framework:

// Inside the handler of the invoking lambda (account 984589850232)
let params = {
  FunctionName:
    "arn:aws:lambda:us-east-1:938718425371:function:cm-mgmt-service-sandbox-authenticateDevice",
  Payload: JSON.stringify({
    deviceid: "PNR04ESC1000002082",
  }),
};

const result = await awsWrapper.invokeLambda(params);

// Helper exported from the awsWrapper module (aws-sdk v2)
const AWS = require("aws-sdk");

async function invokeLambda(params) {
  const lambda = new AWS.Lambda({
    region: process.env.region,
  });
  return lambda.invoke(params).promise();
}
Kannan T asked Jun 01 '26 20:06



1 Answer

For Lambda function 1 in account A to invoke Lambda function 2 in account B:

  • Lambda function 1's IAM role must allow lambda:invokeFunction on the ARN of Lambda function 2
  • Lambda function 2 must have a resource policy that allows account A to invoke it

In case it's not clear why the latter resource policy is required, IAM principals in account A cannot unilaterally give themselves permission to invoke Lambda functions (or, in general, to access AWS resources) in account B. Hopefully it's obvious why that is. Account B must explicitly allow account A.

Example of Lambda function 1's IAM policy, allowing cross-account invocation of function 2 in account B from function 1 in account A:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "sid1",
            "Effect": "Allow",
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:BBBBBBBBBBBB:function:lambda-function-2"
        }
    ]
}

Example of Lambda function 2's resource-based policy, allowing cross-account invocation of function 2 in account B from account A:

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "sid1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::AAAAAAAAAAAA:root"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:BBBBBBBBBBBB:function:lambda-function-2"
    }
  ]
}

Note that the use of principal arn:aws:iam::AAAAAAAAAAAA:root in function 2's resource-based policy allows any IAM principal within account A to invoke Lambda function 2, as long as that IAM principal itself has invokeFunction permission on the function 2 ARN. If you want to restrict this permission so that only Lambda function 1 can invoke Lambda function 2 then you can change arn:aws:iam::AAAAAAAAAAAA:root to the ARN of Lambda function 1.

jarmod answered Jun 04 '26 09:06

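As an added illustration of the two-sided check this answer describes (not code from the question or the answer), the following Node.js snippet models both policies and shows why a Service principal like the one in the question fails, while an AWS principal naming the caller's account root or execution role succeeds. Account ids, function and role names are constructed, and the real AWS engine also evaluates Condition blocks, which this model omits.

```javascript
// Simplified model of the two-sided check AWS applies to a cross-account
// lambda:InvokeFunction: the caller's identity policy (account A) AND the
// function's resource-based policy (account B) must both Allow. Conditions
// are not modeled. All account ids and ARNs below are constructed.
const ACTION = "lambda:InvokeFunction";
const ACCOUNT_A = "111111111111", ACCOUNT_B = "222222222222";
const FUNCTION_2 = `arn:aws:lambda:us-east-1:${ACCOUNT_B}:function:lambda-function-2`;
// Function 1 runs as a session of its execution role; that session ARN is the
// principal that function 2's resource policy sees.
const ROLE_1_NAME = "lambda-function-1-role";
const CALLER = `arn:aws:sts::${ACCOUNT_A}:assumed-role/${ROLE_1_NAME}/lambda-function-1`;

const asList = (v) => (v === undefined ? [] : [].concat(v));
const accountOf = (arn) => arn.split(":")[4];
const roleNameOf = (sessionArn) => sessionArn.split(":")[5].split("/")[1];

// An "AWS" principal covers a role session when it names the account (bare id
// or :root, i.e. any principal in that account) or the role itself. A "Service"
// principal such as lambda.amazonaws.com never matches an IAM role session,
// which is why the policy in the question yields the error shown.
function principalMatches(principal, callerArn) {
  if (principal === "*") return true;
  const acct = accountOf(callerArn);
  return asList(principal.AWS).some((p) => p === acct ||
    p === `arn:aws:iam::${acct}:root` ||
    p === `arn:aws:iam::${acct}:role/${roleNameOf(callerArn)}`);
}

function statementAllows(stmt, resource) {
  return stmt.Effect === "Allow" && asList(stmt.Action).includes(ACTION) &&
    asList(stmt.Resource).includes(resource);
}

function crossAccountInvokeAllowed(identityPolicy, resourcePolicy, callerArn, resource) {
  const identityOk = identityPolicy.Statement.some((s) => statementAllows(s, resource));
  const resourceOk = resourcePolicy.Statement.some((s) =>
    statementAllows(s, resource) && principalMatches(s.Principal, callerArn));
  return identityOk && resourceOk; // both sides must agree
}
// Identity policy on function 1's execution role (account A).
const identityPolicy = { Version: "2012-10-17", Statement: [
  { Effect: "Allow", Action: ACTION, Resource: FUNCTION_2 }] };
// Resource policy shaped like the question's: a Service principal.
const servicePrincipalPolicy = { Version: "2012-10-17", Statement: [
  { Effect: "Allow", Principal: { Service: "lambda.amazonaws.com" }, Action: ACTION, Resource: FUNCTION_2 }] };
// Resource policy scoped to function 1's execution role.
const rolePrincipalPolicy = { Version: "2012-10-17", Statement: [
  { Effect: "Allow", Principal: { AWS: `arn:aws:iam::${ACCOUNT_A}:role/${ROLE_1_NAME}` }, Action: ACTION, Resource: FUNCTION_2 }] };
console.log(crossAccountInvokeAllowed(identityPolicy, servicePrincipalPolicy, CALLER, FUNCTION_2)); // false
console.log(crossAccountInvokeAllowed(identityPolicy, rolePrincipalPolicy, CALLER, FUNCTION_2)); // true
```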


