17

I have two AWS accounts (A and B). On my account A, I have a Lambda function which needs to access resources of account B. Precisely, my Lambda on my account A needs to update a record in a Route53 zone hosted on my account B.

Contrary to S3, I don't see any resource access policy in Route53. So I'm a bit lost. I tried to play with IAM cross-account roles, but that does not seem to work with Lambda.

How can I allow a lambda function on an account A to access resources of my account B?

Olivier

1 Answer

25

You can create a Role in account B and permit your User (in account A) to assume it.

  • Create a Role in account A that will be used by your AWS Lambda function.
  • Create a Role in account B with a role type of Role for Cross-Account Access. Assign the desired permissions to use Route 53 in account B. Also add permissions for the Role in account A to call AssumeRole on this role.
  • The Lambda function in account A can then call AssumeRole on the role in account B. This will return a set of temporary credentials that can be used to access Route 53 in account B.

See:

Here's a picture from the Tutorial:

Cross account access

John Rotenstein
  • Ok, I did that and your solution worked. I first read that and thought that applies to human users only (the switch button to change role), but actually you can "assumeRole" programmatically with Lambda. However, if you need to access a resource from a managed service (I don't have any example, maybe an Alarm on account A sending an SNS on account B), you don't have the possibility to write some code for "AssumeRole", but for Lambda and EC2, it's ok. Thanks. – Olivier Jul 04 '16 at 07:59
  • I think you also need to add permission for Role B in account B so it allows account A to assume Role B. Account A Role would need just permission for Account A Lambda to assume Role A. – alexfvolk Oct 17 '17 at 18:20
  • Can the same Lambda additionally access resources in another account C at the same time? – yerzhan7 Jan 10 '19 at 11:16
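The three steps in the answer, written out as an added example (not code from the question or answer): the trust policy on the role in account B scoped to the Lambda role in A rather than to the whole account, the matching AssumeRole permission on the Lambda role in A, the Route 53 permission on the role in B scoped to one hosted zone, and a handler that assumes the role and does the UPSERT. Account IDs, role names and the hosted zone ID are constructed placeholders.

```python
import json

ACCOUNT_A = "111111111111"  # constructed placeholder account ids
ACCOUNT_B = "222222222222"
LAMBDA_ROLE_A = f"arn:aws:iam::{ACCOUNT_A}:role/lambda-route53-updater"  # hypothetical role names
TARGET_ROLE_B = f"arn:aws:iam::{ACCOUNT_B}:role/route53-cross-account"
HOSTED_ZONE_ID = "Z0000000EXAMPLE"  # constructed placeholder zone id


def trust_policy_for_role_b() -> dict:
    """Trust policy on the role in account B: only the Lambda role in A may assume it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": LAMBDA_ROLE_A},  # a role ARN, not the account root, limits who can assume
        "Action": "sts:AssumeRole"}]}


def permissions_policy_for_role_a() -> dict:
    """Policy on the Lambda execution role in A: may assume exactly the role in B (logging not shown)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": TARGET_ROLE_B}]}


def permissions_policy_for_role_b() -> dict:
    """Route 53 permissions on the role in B, scoped to the one hosted zone the Lambda updates."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["route53:ChangeResourceRecordSets"],
        "Resource": f"arn:aws:route53:::hostedzone/{HOSTED_ZONE_ID}"}]}


def upsert_change_batch(name: str, value: str, ttl: int = 60) -> dict:
    """ChangeBatch that creates or updates a single A record."""
    return {"Changes": [{"Action": "UPSERT", "ResourceRecordSet": {
        "Name": name, "Type": "A", "TTL": ttl, "ResourceRecords": [{"Value": value}]}}]}


def handler(event, context):
    """Lambda entry point in account A: assume the role in B, then update the record in B's zone."""
    import boto3  # present in the Lambda runtime; imported here so the policy helpers work offline
    creds = boto3.client("sts").assume_role(
        RoleArn=TARGET_ROLE_B, RoleSessionName="lambda-route53-update",
        DurationSeconds=900)["Credentials"]  # short-lived credentials, minimum allowed duration
    r53 = boto3.client("route53",
                       aws_access_key_id=creds["AccessKeyId"],
                       aws_secret_access_key=creds["SecretAccessKey"],
                       aws_session_token=creds["SessionToken"])
    return r53.change_resource_record_sets(
        HostedZoneId=HOSTED_ZONE_ID,
        ChangeBatch=upsert_change_batch(event["name"], event["value"]))
```

Access to a further account C follows the same pattern with a second role ARN assumed from the same Lambda role.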