
I am trying to create a stack in the B account with a CloudFormation template like this.

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "lambda": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": "lambda-test-zwshao",
          "S3Key": "lambda_spike.zip"
        },
        "Description": "lambda spike function..",
        "Handler": "index.handler",
        "MemorySize": 128,
        "Role": "arn:aws:iam::A account:role/kinesis-read",
        "Runtime": "nodejs4.3",
        "Timeout": 20
      }
    },
    "eventSourceMapping": {
      "Type": "AWS::Lambda::EventSourceMapping",
      "Properties": {
        "BatchSize": 100,
        "Enabled": true,
        "EventSourceArn": "arn:aws:kinesis:ap-southeast-2:A account:stream/lambda-test",
        "FunctionName": {"Ref": "lambda"},
        "StartingPosition": "TRIM_HORIZON"
      }
    }
  }
}

The A account is the account number.

The error is: Cross-account pass role is not allowed.

Angle Tom
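The error in the question comes from the `Role` property pointing at a role owned by a different account: `iam:PassRole` can only pass roles that belong to the account making the call. The following script is an added example (not from the question or from AWS) that lints a CloudFormation template for exactly this mistake before deployment. It embeds the question's template with constructed placeholder account ids (`ACCOUNT_A` stands in for "A account", `ACCOUNT_B` for the deploying account) and reports every Lambda role or event source whose ARN belongs to another account.

```python
"""Lint a CloudFormation template for Lambda roles and event sources that
belong to an account other than the one the stack is deployed in."""
import json
import re

# Constructed placeholders standing in for the question's "A account" and "B account".
ACCOUNT_A = "111111111111"  # placeholder: owns the kinesis-read role and the stream
ACCOUNT_B = "222222222222"  # placeholder: the account the stack is created in

# The question's template, with the placeholder ids substituted in.
TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "lambda": {
            "Type": "AWS::Lambda::Function",
            "Properties": {
                "Code": {"S3Bucket": "lambda-test-zwshao", "S3Key": "lambda_spike.zip"},
                "Handler": "index.handler",
                "MemorySize": 128,
                "Role": f"arn:aws:iam::{ACCOUNT_A}:role/kinesis-read",
                "Runtime": "nodejs4.3",
                "Timeout": 20,
            },
        },
        "eventSourceMapping": {
            "Type": "AWS::Lambda::EventSourceMapping",
            "Properties": {
                "BatchSize": 100,
                "Enabled": True,
                "EventSourceArn": f"arn:aws:kinesis:ap-southeast-2:{ACCOUNT_A}:stream/lambda-test",
                "FunctionName": {"Ref": "lambda"},
                "StartingPosition": "TRIM_HORIZON",
            },
        },
    },
}

# arn:partition:service:region:account-id:resource  (region is empty for IAM ARNs)
ARN_RE = re.compile(r"^arn:[^:]+:[^:]+:[^:]*:(\d{12}):")


def load_template(path):
    """Read a JSON CloudFormation template from disk."""
    with open(path) as fh:
        return json.load(fh)


def arn_account(value):
    """Return the 12-digit account id embedded in a literal ARN string, or None
    for anything else (intrinsic functions such as {"Ref": ...} are resolved
    inside the deploying account, so they cannot be cross-account)."""
    if not isinstance(value, str):
        return None
    match = ARN_RE.match(value)
    return match.group(1) if match else None


def find_cross_account_refs(template, deploy_account):
    """Return (logical_id, property, foreign_account, reason) for every Lambda
    role or event source whose ARN is owned by an account other than deploy_account."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type")
        props = resource.get("Properties", {})
        if rtype == "AWS::Lambda::Function":
            acct = arn_account(props.get("Role"))
            if acct and acct != deploy_account:
                findings.append((logical_id, "Role", acct,
                                 "iam:PassRole only passes roles owned by the calling account"))
        elif rtype == "AWS::Lambda::EventSourceMapping":
            acct = arn_account(props.get("EventSourceArn"))
            if acct and acct != deploy_account:
                findings.append((logical_id, "EventSourceArn", acct,
                                 "event source stream is owned by another account"))
    return findings


if __name__ == "__main__":
    for finding in find_cross_account_refs(TEMPLATE, ACCOUNT_B):
        print(" | ".join(finding))
```

Run against the question's template with `ACCOUNT_B` as the deploying account, the linter flags both the `Role` of `lambda` and the `EventSourceArn` of `eventSourceMapping`; the first finding is the one behind the "Cross-account pass role is not allowed" error.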

2 Answers


I asked the AWS TECH SUPPORT CENTER. It does not support this currently.

Angle Tom

I hope this helps

Cross-account access: Granting access to resources in one account to a trusted principal in a different account is often referred to as cross-account access. Roles are the primary way to grant cross-account access. However, with some of the web services offered by AWS you can attach a policy directly to a resource (instead of using a role as a proxy). These are called resource-based policies, and you can use them to grant principals in another AWS account access to the resource. The following services support resource-based policies for the specified resources: Amazon Simple Storage Service (S3) buckets, Amazon Glacier vaults, Amazon Simple Notification Service (SNS) topics, and Amazon Simple Queue Service (SQS) queues. For more information, see How IAM Roles Differ from Resource-based Policies http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html

This post provides an example of how to enable cross-account access, https://blogs.aws.amazon.com/security/post/Tx70F69I9G8TYG/How-to-enable-cross-account-access-to-the-AWS-Management-Console

However, here's a hacky approach for similar issue https://gist.github.com/djm/1af7dec88fb24bd73188

Chenna V
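The answer above notes that roles are the primary way to grant cross-account access, but the role a Lambda function runs as must still be owned by the account that owns the function. The example below is added here and is not code from either answer or from AWS: it builds the same-account version of the question's template, creating the execution role inside the stack (so it lives in account B) and passing it to the function with `Fn::GetAtt` instead of a foreign ARN, which removes the `iam:PassRole` failure. The Kinesis event source mapping is deliberately left out, since the stream sits in the other account and the first answer reports that as unsupported. The bucket and key values are taken from the question; the role's trust and log policy are assumptions chosen for least privilege.

```python
"""Build a CloudFormation template whose Lambda execution role is created in the
deploying account, so no cross-account iam:PassRole is needed."""
import json

# Values from the question's template.
CODE_BUCKET = "lambda-test-zwshao"
CODE_KEY = "lambda_spike.zip"


def build_same_account_template(code_bucket, code_key):
    """Return a template that defines the execution role in-stack and
    references it with Fn::GetAtt (assumed structure, not AWS's own sample)."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "LambdaExecutionRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    # Trust policy: only the Lambda service may assume this role.
                    "AssumeRolePolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Principal": {"Service": "lambda.amazonaws.com"},
                            "Action": "sts:AssumeRole",
                        }],
                    },
                    # Permission policy: just enough to write CloudWatch logs.
                    "Policies": [{
                        "PolicyName": "lambda-logs",
                        "PolicyDocument": {
                            "Version": "2012-10-17",
                            "Statement": [{
                                "Effect": "Allow",
                                "Action": ["logs:CreateLogGroup",
                                           "logs:CreateLogStream",
                                           "logs:PutLogEvents"],
                                "Resource": "arn:aws:logs:*:*:*",
                            }],
                        },
                    }],
                },
            },
            "lambda": {
                "Type": "AWS::Lambda::Function",
                "Properties": {
                    "Code": {"S3Bucket": code_bucket, "S3Key": code_key},
                    "Handler": "index.handler",
                    "MemorySize": 128,
                    # Same-account role, resolved by CloudFormation at deploy time.
                    "Role": {"Fn::GetAtt": ["LambdaExecutionRole", "Arn"]},
                    "Runtime": "nodejs4.3",
                    "Timeout": 20,
                },
            },
        },
    }


def role_defined_in_stack(template, function_id):
    """True when the function's Role is a GetAtt to an AWS::IAM::Role declared
    in the same template, i.e. it necessarily lives in the deploying account."""
    resources = template["Resources"]
    role = resources[function_id]["Properties"].get("Role")
    if not isinstance(role, dict) or "Fn::GetAtt" not in role:
        return False
    target = role["Fn::GetAtt"][0]
    return resources.get(target, {}).get("Type") == "AWS::IAM::Role"


def trusted_services(template, role_id):
    """Return the service principals allowed to assume the given in-stack role."""
    doc = template["Resources"][role_id]["Properties"]["AssumeRolePolicyDocument"]
    services = set()
    for statement in doc["Statement"]:
        if statement.get("Effect") != "Allow" or statement.get("Action") != "sts:AssumeRole":
            continue
        svc = statement.get("Principal", {}).get("Service", [])
        services.update([svc] if isinstance(svc, str) else svc)
    return services


if __name__ == "__main__":
    print(json.dumps(build_same_account_template(CODE_BUCKET, CODE_KEY), indent=2))
```

`role_defined_in_stack` is the check to keep in a pre-deploy review: a literal role ARN from another account will fail it, while the `Fn::GetAtt` form passes. `trusted_services` confirms the trust policy grants `sts:AssumeRole` to `lambda.amazonaws.com` only, so the role cannot be assumed by principals in either account.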