@pujansrt
Last active September 16, 2021 12:24
Cross Account Lambda to Lambda Call

Source Lambda

In the source account's serverless.yml file add the following. The source account number is 111100001111.

resources:
  Resources:
    LambdaResourcePolicy:
      Type: AWS::Lambda::Permission
      Properties:
        Action: lambda:InvokeFunction
        FunctionName: get-user # name of source lambda
        Principal: arn:aws:iam::222200002222:role/product-service-workers # Role of calling lambda

The block above adds a resource-based policy to the source Lambda that allows the calling account's role to invoke it. You can see it in the AWS Console under Lambda > Configuration > Permissions > Resource-based policy.

Role

This Lambda's execution role can use the pre-defined AWSLambdaBasicExecutionRole managed policy or the following custom policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "logs:CreateLogGroup",
            "Resource": "arn:aws:logs:us-east-1:111100001111:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:111100001111:log-group:/aws/lambda/get-user:*"
            ]
        }
    ]
}

and its trust relationship:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Calling Lambda

This is the calling (smartdoor) account, 222200002222.

const Lambda = require("aws-sdk/clients/lambda");

exports.handler = async (event) => {
    // Runs with the calling Lambda's execution role (product-service-workers);
    // no cross-account credentials are needed because the target function's
    // resource-based policy names that role as Principal.
    const lambda = new Lambda();

    const params = {
        // The full ARN is required: a bare name would resolve in this account (222200002222)
        FunctionName: 'arn:aws:lambda:us-east-1:111100001111:function:get-user',
        Payload: JSON.stringify({ tagId: 'test' }),
    };
    const { Payload } = await lambda.invoke(params).promise();
    return Payload;
};

Role

arn:aws:iam::222200002222:role/product-service-workers

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "logs:CreateLogGroup",
            "Resource": "arn:aws:logs:us-east-1:222200002222:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:222200002222:log-group:/aws/lambda/thiscallingLambdaName:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "lambda:InvokeFunction",
            "Resource": "*"
        }
    ]
}
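The last statement above grants lambda:InvokeFunction on Resource "*", which lets this role invoke any function in any account whose resource-based policy trusts it. The following added example (not the gist's code) shows the same statement scoped to the one target function, and a simplified two-sided check that ties this policy back to the resource-based policy from the Source Lambda section: a cross-account invoke succeeds only when the caller's identity policy allows the action on the target ARN and the target's resource-based policy names the caller's role as Principal. The account ids, role and function names are the gist's; `sampleResourcePolicy` is a constructed rendering of the gist's AWS::Lambda::Permission, and the evaluator is deliberately minimal (Allow statements, string or array Action/Resource/Principal.AWS, "*" wildcard only), not a replacement for the IAM policy simulator.

```javascript
// Added example, not part of the gist. Names and account ids come from the gist.
const TARGET_FN_ARN = "arn:aws:lambda:us-east-1:111100001111:function:get-user";
const CALLER_ROLE_ARN = "arn:aws:iam::222200002222:role/product-service-workers";

// The gist's statement: invoke anything, anywhere, that trusts this role.
const broadInvokeStatement = { Effect: "Allow", Action: "lambda:InvokeFunction", Resource: "*" };

// Least-privilege form: the same statement limited to one target function.
function scopedInvokeStatement(functionArn) {
  return { Effect: "Allow", Action: "lambda:InvokeFunction", Resource: functionArn };
}

const asArray = (v) => (Array.isArray(v) ? v : [v]);

// Match a policy value against a concrete string; "*" is the only wildcard handled here.
function matches(policyValue, actual) {
  return asArray(policyValue).some((v) => v === "*" || v === actual);
}

// Identity-policy side: does any Allow statement cover the action on the resource?
function identityAllows(policy, action, resourceArn) {
  return policy.Statement.some(
    (s) => s.Effect === "Allow" && matches(s.Action, action) && matches(s.Resource, resourceArn)
  );
}

// Resource-based-policy side: does any Allow statement name the caller's role as
// Principal for the action on this function?
function resourcePolicyAllows(policy, action, principalArn, resourceArn) {
  return policy.Statement.some((s) => {
    const principal = s.Principal && s.Principal.AWS !== undefined ? s.Principal.AWS : s.Principal;
    return (
      s.Effect === "Allow" &&
      matches(s.Action, action) &&
      matches(principal, principalArn) &&
      (s.Resource === undefined || matches(s.Resource, resourceArn))
    );
  });
}

// Cross-account rule: both sides must allow. A "*" on one side never substitutes
// for a missing grant on the other.
function crossAccountInvokeAllowed(identityPolicy, resourcePolicy, callerRoleArn, functionArn) {
  const action = "lambda:InvokeFunction";
  return (
    identityAllows(identityPolicy, action, functionArn) &&
    resourcePolicyAllows(resourcePolicy, action, callerRoleArn, functionArn)
  );
}

// Constructed sample of what the gist's AWS::Lambda::Permission renders into on get-user.
const sampleResourcePolicy = {
  Version: "2012-10-17",
  Statement: [
    {
      Sid: "LambdaResourcePolicy",
      Effect: "Allow",
      Principal: { AWS: CALLER_ROLE_ARN },
      Action: "lambda:InvokeFunction",
      Resource: TARGET_FN_ARN,
    },
  ],
};
```

Replacing `"Resource": "*"` with the target ARN in the calling role's policy changes nothing for the get-user call but stops the role from being usable against any other function that later trusts it.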

and its trust relationship:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}