Question
I want to run a Lambda in Account B when any object arrives in an S3 bucket in Account A.
But I heard that S3 can only invoke a Lambda in the same account, and that for cross-account S3-to-Lambda access I must run a Lambda within the same account and add another trigger that runs the other account's Lambda:
- S3 (Account A) --> Lambda (Account B): not possible
- S3 (Account A) --> Lambda (Account A) --> Lambda (Account B): possible
Can someone tell me which option is possible? If so, how?
Answer 1:
@John's solution works, but there are certain steps I would like to add to his answer.
- The S3 bucket and the Lambda need to be in the same region. For example, both should be created in the us-east-1 region. Different regions would throw an error as below:
    The notification destination service region is not valid for the bucket location constraint
Below are the steps I followed to create the trigger:
Account-A.S3-bucket -> Account-B.Lambda-function
- From the terminal, switch to Account B's AWS profile where the Lambda would reside.
  Run the below command, changing the parameters for your case:
    aws lambda add-permission \
      --region {Account-B.Lambda region, e.g. us-east-1} \
      --function-name {Account-B.Lambda name} \
      --statement-id 1 \
      --principal s3.amazonaws.com \
      --action lambda:InvokeFunction \
      --source-arn arn:aws:s3:::{Account-A.S3 name} \
      --source-account {Account-A.account-id} \
      --profile {Account-B.profile-name}
  You might get a "statement-id exists" error; in this case, increment the statement-id and re-run the command.
- Go to Account A's S3 bucket and, under the Properties tab > Events, select Add Notification.
  Add the following fields:
    Name: ObjectCreation
    Events: ObjectCreate (All)
    Send to: Lambda function
    Lambda: Add Lambda function ARN
    Lambda function ARN: your-lambda-arn
Note: The Lambda function might still show an error, but new objects added to the S3 bucket trigger the Lambda and the print(event) logs appear in CloudWatch Logs.
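The `--source-arn` and `--source-account` flags in the add-permission command above are what keep the resource-based policy scoped to one bucket owned by one account. The following added check (not part of any answer on this page) parses the output shape of `aws lambda get-policy` and flags Allow statements that let s3.amazonaws.com invoke the function without both conditions; the sample policy, account ids and names are constructed placeholders.

```python
import json
# Constructed sample of `aws lambda get-policy` output for the function in Account B
# (the Policy field is itself a JSON string). Ids and names are placeholders.
SAMPLE_GET_POLICY = json.dumps({
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {   # hardened: only the named bucket owned by Account A may invoke
                "Sid": "1",
                "Effect": "Allow",
                "Principal": {"Service": "s3.amazonaws.com"},
                "Action": "lambda:InvokeFunction",
                "Resource": "arn:aws:lambda:us-east-1:222222222222:function:account-b-fn",
                "Condition": {
                    "StringEquals": {"AWS:SourceAccount": "111111111111"},
                    "ArnLike": {"AWS:SourceArn": "arn:aws:s3:::account-a-bucket"},
                },
            },
            {   # weak: --source-account omitted; bucket ARNs carry no account id, so if
                # the bucket name were ever re-created in another account it could invoke
                "Sid": "2",
                "Effect": "Allow",
                "Principal": {"Service": "s3.amazonaws.com"},
                "Action": "lambda:InvokeFunction",
                "Resource": "arn:aws:lambda:us-east-1:222222222222:function:account-b-fn",
                "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:s3:::account-a-bucket"}},
            },
        ],
    })
})

REQUIRED_KEYS = {"aws:sourceaccount", "aws:sourcearn"}  # IAM condition keys are case-insensitive

def find_unscoped_s3_invokes(get_policy_output):
    """Return the Sids of Allow statements that let s3.amazonaws.com invoke the
    function without pinning both the source account and the source bucket ARN."""
    policy = json.loads(json.loads(get_policy_output)["Policy"])
    weak = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        if isinstance(services, str):
            services = [services]
        if stmt.get("Effect") != "Allow" or "s3.amazonaws.com" not in services:
            continue
        # collect every condition key across all operators (StringEquals, ArnLike, ...)
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if not REQUIRED_KEYS <= keys:
            weak.append(stmt.get("Sid"))
    return weak
```

Running it over the sample returns ['2'], the statement added without --source-account.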
Answer 2:
I managed to successfully trigger an AWS Lambda function in Account B from an upload to an Amazon S3 bucket in Account A.
Account-A.S3-bucket -> Account-B.Lambda-function
Here's what I did:
- Created the Amazon S3 bucket in Account A
- Created the Lambda function in Account B
- Added a Resource-Based Policy for AWS Lambda to the Lambda function via the AWS Command-Line Interface (CLI) that allowed the S3 bucket to call lambda:InvokeFunction on the Lambda function
- Added a Bucket Policy to the S3 bucket to permit GetObject access from anywhere (this should be locked down further, but was sufficient for the experiment)
- Configured an Event for ObjectCreate (All) on the S3 bucket, referencing the Lambda function via its ARN
- Uploaded a file to the Account-A.S3-bucket
- The Account-B.Lambda-function was successfully triggered
I then repeated the experiment with the bucket in a different region and it failed, saying:
    The notification destination service region is not valid for the bucket location constraint
Answer 3:
In the new S3 console, open your bucket. Click on the Properties tab -> Events. You need to give S3 permission to invoke the Lambda function. Refer to: configure Amazon S3 bucket to run Lambda function created in another account
Answer 4:
Both options should be possible, so you can go with the first option, which is minimalistic.
Use the Cross-Account Access feature in IAM to grant access to S3 (Account A) from Lambda (Account B).
This is achieved by creating an IAM Role in Account B which is granted access to the bucket in Account A and is allowed to be assumed by the Lambda (in Account B).
For further details, refer to the following documentation from AWS:
- Using Resource-Based Policies for AWS Lambda
- Example 2: Bucket Owner Granting Cross-Account Bucket Permissions
Answer 5:
Here is how you do this in clear steps:
I defined the "Customer Account" as the account that contains the S3 resource, and the "Service Account" as the account that contains the Lambda function that will access the S3 resource.
- Create an assumed role on the Customer Account with full S3 access.
- Create a trust policy in the assumed role pointing at the Lambda ARN.
- Attach an IAM policy to the Lambda execution role on the Service Account, pointing at the Customer Account's assumed role (Reference: https://aws.amazon.com/premiumsupport/knowledge-center/lambda-function-assume-iam-role/)
- Create an object notification event on the target S3 bucket on the Customer Account, to notify the Lambda ARN on the Service Account. (Reference: https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/S3.html#putBucketNotificationConfiguration-property)
Source: https://stackoverflow.com/questions/45445572/amazon-s3-triggering-another-a-lambda-function-in-another-account