I have 2 AWS account, account A and account B. I need AWS Config in account A to invoke a Lambda in account B to check compliance, which requires Lambda Function Resource-based Policies described by https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html.
Is it possible to use configure Lambda Function Resource-based Policies in serverless.yml? iamRoleStatements and IAM role are obviously not able to make it, and I did not see any doc about it.
Any advice?
Why can’t you set up cross-account permissions using IAM roles?
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
AFAIK, IAM role is used to grant lambda the access to other AWS resources, the resource-baed policy is opposite, it indicates which AWS resource can invoke lambda.
My goal is to enable an AWS resource invoke lambda from another account, not to allow lambda to access cross-account AWS resources, thus I need to set up resource-based policy for lambda
According to the docs, once you create a role and grant access to the cross account, “you have established trust between the Production and Development accounts by creating a role in the Production account that identifies the Development account as a trusted principal.”
You should then be able to assume the role with your Lambda role.
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::PRODUCTION-ACCOUNT-ID:role/UpdateApp"
}
}
I haven’t tried this with Lambda directly, but it seems like it would work.
You seem to confuse Lambda resource-based policies with Lambda execution role. Assuming role in Lambda role grants Lambda the role privileges so that Lambda can access AWS resources in another account, it’s NOT used for allowing AWS resources invoke Lambda.
I am following https://aws.amazon.com/blogs/devops/how-to-centrally-manage-aws-config-rules-across-multiple-aws-accounts/ to authorize AWS Config in account A to invoke a Lambda in account B. Step 2 and Step 3 in this doc describes the difference between Lambda resource-based policies and Lambda execution role.
I have managed to create Lambda resource-baed polices using AWS CLI, but I have NOT been seen how to do it via the Serverless Framework, thus I would like to know if Serverless Framework can configure Lambda resource-based policies and how?
Sorry for the confusion. I thought you wanted a Lambda function in Account A to be able to trigger a Lambda function in Account B. Anything you can do in CloudFormation can be done in the serverless.yml’s Resources section.
Thanks for your advice. I will test it.
Tigerwan, did you manage to solve this?
I have a similar issue in that I need to create a resource-based function policy for a lambda function so that it can be invoked by CloudWatch events that don’t exist at deploy time (dynamically added cron events).
Is anybody has an example for this?
In your template ‘Resources’ section:
SNSInvokePermission:
Type: 'AWS::Lambda::Permission'
Properties:
FunctionName: { "Fn::GetAtt": ["YourLambdaFunction", "Arn" ] }
Action: lambda:InvokeFunction
Principal: sns.amazonaws.com
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html
Thanks for the answer, it works great. But I have one question. Suppose I want to give the same resource-based policy to multiple lambda functions in my serverless.yml. What is the correct way of doing this? Do I have to create a new lambda permission resource for every function?