I have the following scenario:

  1. An AWS account A1 with an S3 bucket B1
  2. Another AWS account A2 with another S3 bucket B2.

What I want is:

  1. A user uploads a file to S3 bucket B1
  2. A Lambda function automatically moves the file from S3 bucket B1 to S3 bucket B2

1 Answer

I have to do a similar thing and I am still researching, but here's what I found out:

The source S3 bucket (B1) and the invoked Lambda function must be in the same AWS Region, although they can be in different AWS accounts.

Permissions must be explicitly granted cross-account for Lambda to be able to read from B1 and write to B2, as well as to receive notifications from B1 (only if B1 is in a different AWS account from the Lambda function; otherwise the permission is implicit).

Regarding permissions, you can find more at this link: http://docs.aws.amazon.com/lambda/latest/dg/intro-permission-model.html

Steps should be:

  1. grant the "lambda invokeFunction permission" to S3 bucket B1
  2. grant the Lambda execution role in A2 read permission on S3 bucket B1 plus write permission on S3 bucket B2

I could achieve step #1 with the following AWS CLI command:

aws lambda add-permission \
--region __REGION__ \
--function-name lambda_name \
--statement-id 1 \
--principal s3.amazonaws.com \
--action lambda:InvokeFunction \
--source-arn arn:aws:s3:::__S3_B1_name__ \
--source-account __ID_of_account_A1__
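The cross-account permission layout from step #2 and the move itself, as an added example that is not part of the answer above. The account IDs, bucket names and role name are constructed placeholders; the handler takes a boto3-style S3 client as a parameter so it can be exercised without AWS access, and it deletes the source object after copying because the question asks for a move rather than a copy (so B1's bucket policy grants s3:DeleteObject as well as s3:GetObject).

```python
from urllib.parse import unquote_plus

# Constructed placeholders: substitute the real account IDs, bucket names and role name.
A1_ACCOUNT_ID = "111111111111"      # account that owns the source bucket B1
A2_ACCOUNT_ID = "222222222222"      # account that owns the Lambda function and bucket B2
B1, B2 = "source-bucket-b1", "destination-bucket-b2"
LAMBDA_ROLE_ARN = f"arn:aws:iam::{A2_ACCOUNT_ID}:role/s3-mover-role"   # hypothetical role


def b1_bucket_policy():
    """Bucket policy attached to B1 (in A1). It names only the A2 execution role as
    principal, so no other identity in A2 gains access to B1."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowA2LambdaRoleToReadAndRemove",
            "Effect": "Allow",
            "Principal": {"AWS": LAMBDA_ROLE_ARN},
            "Action": ["s3:GetObject", "s3:DeleteObject"],
            "Resource": f"arn:aws:s3:::{B1}/*",
        }],
    }


def lambda_role_policy():
    """Identity policy for the execution role in A2: read/delete on B1, write-only on B2.
    Both sides (bucket policy in A1 and role policy in A2) must allow the cross-account call."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:DeleteObject"],
             "Resource": f"arn:aws:s3:::{B1}/*"},
            {"Effect": "Allow", "Action": "s3:PutObject",
             "Resource": f"arn:aws:s3:::{B2}/*"},
        ],
    }


def handler(event, s3):
    """Lambda entry point: for each S3 notification record, copy the object from B1 to B2,
    then delete the original. `s3` is a boto3-style client supplied by the caller."""
    moved = []
    for rec in event.get("Records", []):
        bucket = rec["s3"]["bucket"]["name"]
        key = unquote_plus(rec["s3"]["object"]["key"])   # keys in S3 events are URL-encoded
        if bucket != B1:                                  # only act on the expected source bucket
            continue
        s3.copy_object(Bucket=B2, Key=key, CopySource={"Bucket": bucket, "Key": key})
        s3.delete_object(Bucket=bucket, Key=key)
        moved.append(key)
    return {"moved": moved}
```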