
I have an AWS account in which I have SNS topics. I have a different AWS account in which I have created a basic Lambda function using this

Now I want to trigger this Lambda function using the SNS topic which I have in the other account.

What are the permissions I need to provide to my Lambda function/execution role? What is the best practice to achieve that?

Any lead is highly appreciated.

1 Answer

Here you go; the link below has all you need:

https://docs.aws.amazon.com/lambda/latest/dg/with-sns-create-x-account-permissions.html

Steps mentioned in the above link:

1) From account A, create the Amazon SNS topic:

aws sns create-topic --name lambda-x-account

Note the topic arn that is returned by the command. You will need it when you add permissions to the Lambda function to subscribe to the topic.

2) From account B, create the Lambda function. For the runtime parameter, select either nodejs6.10, nodejs4.3, python3.6, python2.7 or java8, depending on the code sample you selected when you created your deployment package.

aws lambda create-function \
    --function-name SNS-X-Account \
    --runtime runtime language \
    --role role arn \
    --handler handler-name \
    --description "SNS X Account Test Function" \
    --timeout 60 \
    --memory-size 128 \
    --zip-file fileb://path/LambdaWithSNS.zip

Note the function arn that is returned by the command. You will need it when you add permissions to allow Amazon SNS to invoke your function.

3) From account A add permission to account B to subscribe to the topic:

aws sns add-permission \
    --region us-east-1 \
    --topic-arn Amazon SNS topic arn \
    --label lambda-access \
    --aws-account-id B \
    --action-name Subscribe ListSubscriptionsByTopic Receive

4) From account B add the Lambda permission to allow invocation from Amazon SNS:

aws lambda add-permission \
    --function-name SNS-X-Account \
    --statement-id sns-x-account \
    --action "lambda:InvokeFunction" \
    --principal sns.amazonaws.com \
    --source-arn Amazon SNS topic arn

In response, Lambda returns the following JSON code. The Statement value is a JSON string version of the statement added to the Lambda function policy:

{
    "Statement": "{\"Condition\":{\"ArnLike\":{\"AWS:SourceArn\":\"arn:aws:lambda:us-east-1:B:function:SNS-X-Account\"}},\"Action\":[\"lambda:InvokeFunction\"],\"Resource\":\"arn:aws:lambda:us-east-1:A:function:SNS-X-Account\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"sns.amazonaws.com\"},\"Sid\":\"sns-x-account1\"}"
}

Note

Do not use the --source-account parameter to add a source account to the Lambda policy when adding the policy. Source account is not supported for Amazon SNS event sources and will result in access being denied. This has no security impact as the source account is included in the source ARN.

5) From account B subscribe the Lambda function to the topic:

aws sns subscribe \
    --topic-arn Amazon SNS topic arn \
    --protocol lambda \
    --notification-endpoint arn:aws:lambda:us-east-1:B:function:SNS-X-Account

You should see JSON output similar to the following:

{
    "SubscriptionArn": "arn:aws:sns:us-east-1:A:lambda-x-account:5d906xxxx-7c8x-45dx-a9dx-0484e31c98xx"
}

6) From account A you can now test the subscription. Type "Hello World" into a text file and save it as message.txt. Then run the following command:

aws sns publish \
    --topic-arn arn:aws:sns:us-east-1:A:lambda-x-account \
    --message file://message.txt \
    --subject Test

This will return a message id with a unique identifier, indicating the message has been accepted by the Amazon SNS service. Amazon SNS will then attempt to deliver it to the topic's subscribers.

Note

Alternatively, you could supply a JSON string directly to the message parameter, but using a text file allows for line breaks in the message.

raevilman
  • @MrT Oh yes, makes sense. Done. – raevilman Mar 30 '18 at 09:29
  • Hey, thanks for the prompt reply. I think what I didn't understand is where I need to run these commands. Can we log in to the AWS account using an EC2 instance? –  Mar 30 '18 at 13:18
  • These are AWS CLI (Command Line Interface) commands. You can install this tool on your computer. It works in the command prompt/terminal. – raevilman Mar 30 '18 at 13:22
  • For example, in the 3rd command, how will it know that we are running this command for Account A? –  Mar 30 '18 at 14:05
  • It will go to Acc A because of the profile/credentials you are using to execute this command. Also, FYI, you need to configure two separate profiles for the AWS CLI for the two different accounts, and you should mention, using the profile name, for which account you are executing this command. For more info on profiles read this https://docs.aws.amazon.com/cli/latest/userguide/cli-multiple-profiles.html – raevilman Mar 30 '18 at 14:21
  • Thanks again. It worked for me. One more question: I have created the Lambda function using bones, so I skipped the first and second steps. I have successfully executed the 3rd step. In the 4th step, what are the function name and statement id I should provide? –  Apr 02 '18 at 14:35
  • I don't know what bones is! But in the 4th step, function-name is the name of your Lambda function; go to the Lambda console and check the name there if you don't know it. statement-id is just a unique identifier for the permission you are adding; just give any value, it won't matter to the functionality, but it should be unique among other permissions. For more info on these two and other params please visit https://docs.aws.amazon.com/cli/latest/reference/lambda/add-permission.html Thanks! Hope it helps. – raevilman Apr 03 '18 at 05:58
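Once step 4 has been run in account B, the function's resource policy can be read back with `aws lambda get-policy --function-name SNS-X-Account`, and it is worth checking that the only thing allowed to invoke the function is the one topic in account A. The script below is an added example, not code from the answer above or from the AWS documentation: it parses a constructed imitation of that `get-policy` output offline, implements IAM's ArnLike wildcard matching, and flags the misconfigurations the steps and the note about `--source-account` warn about (a wildcard or missing SourceArn, an AWS:SourceAccount condition, which SNS never supplies, or a grant to every principal). The account IDs 111111111111 (account A) and 222222222222 (account B), the RevisionId and the sample statements are placeholders I constructed.

```python
"""Audit a Lambda function's resource policy for the cross-account SNS trigger set up above.

Added example, not code from the answer or the AWS docs. After step 4 the policy can be read
back in account B with `aws lambda get-policy --function-name SNS-X-Account`; this script parses
such output offline and checks that only the intended topic in account A may invoke the function.
Account IDs 111111111111 (A) and 222222222222 (B) are placeholders.
"""
import json
import re

TOPIC_ARN = "arn:aws:sns:us-east-1:111111111111:lambda-x-account"
FUNCTION_ARN = "arn:aws:lambda:us-east-1:222222222222:function:SNS-X-Account"


def arn_like(pattern, arn):
    """IAM ArnLike/ArnEquals matching: '*' matches any run of characters, '?' one character.
    Assumption: case-sensitive comparison, as IAM applies to ARN conditions."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, arn) is not None


def sns_invoke_statement(sid, condition):
    """Shape of the statement that step 4 (`aws lambda add-permission`) writes, with a
    caller-chosen Condition so the audit can be exercised on good and bad variants."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"Service": "sns.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": FUNCTION_ARN,
        "Condition": condition,
    }


def get_policy_output(statements):
    """Constructed imitation of `aws lambda get-policy` output: the Policy value is itself a
    JSON document serialised as a string, which is how the CLI prints it."""
    policy = {"Version": "2012-10-17", "Id": "default", "Statement": statements}
    return json.dumps({"Policy": json.dumps(policy), "RevisionId": "00000000-0000-0000-0000-000000000000"})


def audit_sns_invoke_policy(output, expected_topic_arn):
    """Return {"topic_allowed": bool, "findings": [str]} for a get-policy output.

    A statement grants the trigger only if it is an Allow for lambda:InvokeFunction to the
    SNS service principal, carries no AWS:SourceAccount condition (SNS does not supply it,
    so such a statement never matches) and has an AWS:SourceArn covering the topic.
    """
    statements = json.loads(json.loads(output)["Policy"]).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings, topic_allowed = [], False
    for stmt in statements:
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(a in ("lambda:InvokeFunction", "lambda:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if principal in ("*", {"AWS": "*"}):
            findings.append(f"{sid}: InvokeFunction granted to every principal")
        elif not (isinstance(principal, dict) and principal.get("Service") == "sns.amazonaws.com"):
            continue  # some other service or account; outside this audit
        cond = stmt.get("Condition", {})
        if any("AWS:SourceAccount" in v for v in cond.values() if isinstance(v, dict)):
            findings.append(f"{sid}: AWS:SourceAccount condition present; SNS does not send it, so this statement never matches")
            continue
        source_arn = cond.get("ArnLike", {}).get("AWS:SourceArn") or cond.get("ArnEquals", {}).get("AWS:SourceArn")
        if source_arn is None:
            findings.append(f"{sid}: no AWS:SourceArn condition; any SNS topic in any account may invoke")
            topic_allowed = True
            continue
        if "*" in source_arn or "?" in source_arn:
            findings.append(f"{sid}: wildcard SourceArn {source_arn!r}; every topic matching it may invoke")
        if arn_like(source_arn, expected_topic_arn):
            topic_allowed = True
        else:
            findings.append(f"{sid}: SourceArn {source_arn!r} does not cover {expected_topic_arn}")
    if not topic_allowed:
        findings.append(f"no statement lets {expected_topic_arn} invoke the function")
    return {"topic_allowed": topic_allowed, "findings": findings}


# Constructed samples: the statement step 4 produces, one that is far too broad, and the
# --source-account variant the note above warns against.
GOOD = sns_invoke_statement("sns-x-account", {"ArnLike": {"AWS:SourceArn": TOPIC_ARN}})
TOO_BROAD = sns_invoke_statement("too-broad", {"ArnLike": {"AWS:SourceArn": "arn:aws:sns:*:*:*"}})
WITH_SOURCE_ACCOUNT = sns_invoke_statement("sns-x-account-bad", {
    "ArnLike": {"AWS:SourceArn": TOPIC_ARN},
    "StringEquals": {"AWS:SourceAccount": "111111111111"},
})

if __name__ == "__main__":
    for label, stmts in (("step 4 only", [GOOD]), ("plus wildcard", [GOOD, TOO_BROAD]),
                         ("source-account", [WITH_SOURCE_ACCOUNT])):
        result = audit_sns_invoke_policy(get_policy_output(stmts), TOPIC_ARN)
        print(label, result["topic_allowed"], *result["findings"], sep="\n  ")
```

To run it against a real function, replace the constructed `get_policy_output(...)` value with the text printed by `aws lambda get-policy --function-name SNS-X-Account --profile <account-B-profile>`; the audit only reads the JSON and makes no AWS calls itself. The `principal == "*"` and missing-SourceArn cases are reported but still counted as allowing the topic, because they do let it invoke the function; they are findings precisely because they let every other topic do so too.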