Accessing Resources in a different account using cross-account role

I am trying to access a resource (Route53) in Account B from a Lambda in Account A. I have followed some Amazon docs and set up the Cross-Account-Access Role for just Route53 in Account B, but I get an error when trying to add that role to a single function in the Node.js Lambda in Account A. I get the dreaded "cross-account pass role not allowed". I have seen posts where it says I am on the right track, but I am having trouble understanding what I am missing. Do I add some additional "AssumeRole" permissions to the provider.iamRoleStatements? I already have some statements there to access local resources (i.e. DynamoDB). Any example would be very helpful, as I have just started using serverless and am not adept at all the complexities yet.

Bueher? Buehler? Anyone?

Has no one ever needed to deploy Lambda in one account and access a resource in a different account from it?

Personally I have never got cross-account roles working with Lambda. I ended up using API access keys to the other account to solve the issue; not the best solution, but it worked OK for a short-lived setup.

Would be great to find out if you get cross-account roles working 🙂

I sure did! Thanks to this article. You should be able to read through it and look at his examples to understand how he uses sts.assumerole from within his JS function…

https://pprakash.me/tech/2015/11/27/automated-cross-account-dns-management-through-cfn-and-api-access-through-api-gateway/

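The pattern the linked article relies on, as an added example that is not code from the thread or the article: the Lambda keeps its own execution role in Account A, that role is allowed to call sts:AssumeRole on a role in Account B, the Account B role's trust policy names the Account A role, and at run time the function assumes it and builds a Route53 client from the temporary credentials. It assumes AWS SDK for JavaScript v2 (`aws-sdk`); account IDs and role names are constructed placeholders, and the SDK clients are injected so the logic can be exercised without AWS access.

```javascript
// Added example, not code from the thread or the linked article. Assumes AWS SDK for
// JavaScript v2 (`aws-sdk`, bundled in the Node.js Lambda runtime). Account IDs and role
// names below are constructed placeholders.
const ACCOUNT_B_ROLE_ARN = 'arn:aws:iam::222222222222:role/Route53CrossAccount'; // placeholder
const LAMBDA_EXEC_ROLE_ARN = 'arn:aws:iam::111111111111:role/lambda-exec';      // placeholder

// Account A side: the Lambda execution role stays in the function's own account; what it
// needs is permission to call sts:AssumeRole on the Account B role. In serverless.yml this
// is one entry under provider.iamRoleStatements; the object below is the same statement.
function assumeRoleStatement(targetRoleArn) {
  return { Effect: 'Allow', Action: ['sts:AssumeRole'], Resource: [targetRoleArn] };
}

// Account B side: the role's trust policy must name the Account A execution role as the
// principal. Without this half, AssumeRole is denied no matter what Account A allows.
function trustPolicyFor(callerRoleArn) {
  return {
    Version: '2012-10-17',
    Statement: [
      { Effect: 'Allow', Principal: { AWS: callerRoleArn }, Action: 'sts:AssumeRole' },
    ],
  };
}

// Run time: assume the Account B role, then build a Route53 client from the short-lived
// credentials. `sts` (an STS client instance) and `Route53` (the client class) are
// injected so this can be unit-tested with stubs.
async function route53ClientForAccountB(sts, Route53, targetRoleArn) {
  const resp = await sts.assumeRole({
    RoleArn: targetRoleArn,
    RoleSessionName: 'lambda-route53-cross-account',
    DurationSeconds: 900, // the minimum STS allows; a Lambda invocation is short anyway
  }).promise();
  const c = resp.Credentials;
  if (!c || !c.SessionToken) throw new Error('AssumeRole returned no credentials');
  return new Route53({
    accessKeyId: c.AccessKeyId,
    secretAccessKey: c.SecretAccessKey,
    sessionToken: c.SessionToken,
  });
}

// Lambda entry point wiring in the real SDK clients (export it as the handler in CommonJS:
// module.exports.handler = handler). Requiring the SDK lazily keeps the file loadable
// outside Lambda.
async function handler() {
  const AWS = require('aws-sdk');
  const r53 = await route53ClientForAccountB(new AWS.STS(), AWS.Route53, ACCOUNT_B_ROLE_ARN);
  return r53.listHostedZones().promise();
}
```

Nothing in the Account B role needs to be attached to the function itself; it is only ever assumed, which is why the execution role stays in Account A.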