Is it possible to use configure Lambda Function Resource-based Policies using serverless framework?

I have 2 AWS account, account A and account B. I need AWS Config in account A to invoke a Lambda in account B to check compliance, which requires Lambda Function Resource-based Policies described by https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html.

Is it possible to use configure Lambda Function Resource-based Policies in serverless.yml? iamRoleStatements and IAM role are obviously not able to make it, and I did not see any doc about it.

Any advice?

Why can’t you set up cross-account permissions using IAM roles?

https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

AFAIK, IAM role is used to grant lambda the access to other AWS resources, the resource-baed policy is opposite, it indicates which AWS resource can invoke lambda.

My goal is to enable an AWS resource invoke lambda from another account, not to allow lambda to access cross-account AWS resources, thus I need to set up resource-based policy for lambda

According to the docs, once you create a role and grant access to the cross account, “you have established trust between the Production and Development accounts by creating a role in the Production account that identifies the Development account as a trusted principal.”

You should then be able to assume the role with your Lambda role.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::PRODUCTION-ACCOUNT-ID:role/UpdateApp"
  }
}

I haven’t tried this with Lambda directly, but it seems like it would work.

You seem to confuse Lambda resource-based policies with Lambda execution role. Assuming role in Lambda role grants Lambda the role privileges so that Lambda can access AWS resources in another account, it’s NOT used for allowing AWS resources invoke Lambda.

I am following https://aws.amazon.com/blogs/devops/how-to-centrally-manage-aws-config-rules-across-multiple-aws-accounts/ to authorize AWS Config in account A to invoke a Lambda in account B. Step 2 and Step 3 in this doc describes the difference between Lambda resource-based policies and Lambda execution role.

I have managed to create Lambda resource-baed polices using AWS CLI, but I have NOT been seen how to do it via the Serverless Framework, thus I would like to know if Serverless Framework can configure Lambda resource-based policies and how?

1 Like

Sorry for the confusion. I thought you wanted a Lambda function in Account A to be able to trigger a Lambda function in Account B. Anything you can do in CloudFormation can be done in the serverless.yml’s Resources section.

Thanks for your advice. I will test it.

Tigerwan, did you manage to solve this?
I have a similar issue in that I need to create a resource-based function policy for a lambda function so that it can be invoked by CloudWatch events that don’t exist at deploy time (dynamically added cron events).

Is anybody has an example for this?