11
votes

I am trying to trigger a Lambda function to run on update to an S3 bucket. The S3 bucket that I am attempting to have trigger the Lambda is in a separate AWS account.

The approach I have tried is setting up a role in the account with the S3 bucket that has all the privileges on the S3 bucket. Then in the account with the Lambda I have a role which assumes the role in the other account like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::..."
            ]
        }
    ]
}

I am not able to see the s3 bucket in the list of buckets to trigger the Lambda event.

Is using an S3 bucket in a separate account to trigger a Lambda possible? Is this the correct solution?


2 Answers

11
votes

UPDATE: It appears that cross-account triggering of a Lambda function from S3 actually is possible. See: Using Resource-Based Policies for AWS Lambda (Lambda Function Policies)


Old answer:

Amazon S3 can trigger an AWS Lambda function when objects are added to, or deleted from, a bucket.

However, this trigger must be set up on the bucket itself. You will need the owner of the bucket (or someone with sufficient permissions) to set the configuration to trigger Lambda.

Also, the Lambda function being called must be in the same Account as the Amazon S3 bucket. You could create a Lambda function in one account that then calls a Lambda function in another account (given sufficient permissions), but it is not possible for a Bucket in Account A to directly trigger a Lambda function in Account B.

3
votes

Let's assume that your bucket is in Account-A, and your Lambda in Account-B. You can actually do that in the following way:

  1. add permission to the lambda function to be invoked from the Account-A S3 bucket events:

    aws lambda add-permission \
      --function-name MyFunction \
      --region <your-region> \
      --statement-id <whatever> \
      --action "lambda:InvokeFunction" \
      --principal s3.amazonaws.com \
      --source-arn <source-bucket-arn> \
      --source-account <Account-A-id>

  2. in the S3 event notification configuration, specify the ARN of your Lambda function
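As an added illustration of the two steps above (not code from the answer or from AWS), the following builds the resource-policy statement that the `add-permission` call above produces on the Lambda in Account-B, builds the matching notification configuration for the bucket in Account-A, and audits a function policy for statements that let the S3 service principal invoke the function without pinning both the source bucket and the source account. The ARNs and account ids are constructed placeholders, and the exact shape of the stored statement is an assumption.

```python
import json

# Constructed placeholder identifiers (not real accounts or resources).
FUNCTION_ARN = "arn:aws:lambda:us-east-1:222222222222:function:MyFunction"  # Account-B
BUCKET_ARN = "arn:aws:s3:::account-a-upload-bucket"                         # Account-A
BUCKET_ACCOUNT = "111111111111"                                             # Account-A id

def s3_invoke_statement(function_arn, bucket_arn, bucket_account, sid="AllowS3Invoke"):
    """Statement equivalent to `aws lambda add-permission --principal s3.amazonaws.com
    --source-arn ... --source-account ...` (assumed shape of what Lambda stores)."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": function_arn,
        "Condition": {
            "ArnLike": {"AWS:SourceArn": bucket_arn},           # --source-arn
            "StringEquals": {"AWS:SourceAccount": bucket_account},  # --source-account
        },
    }

def unconfined_s3_statements(policy):
    """Sids of Allow statements for the S3 service principal that lack either the
    SourceArn or the SourceAccount condition. Without both, any bucket owner who can
    name the function ARN could have their bucket invoke it (confused deputy)."""
    findings = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        service = principal.get("Service") if isinstance(principal, dict) else principal
        if stmt.get("Effect") != "Allow" or service != "s3.amazonaws.com":
            continue
        cond = json.dumps(stmt.get("Condition", {})).lower()  # keys are case-insensitive
        if '"aws:sourcearn"' not in cond or '"aws:sourceaccount"' not in cond:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

def notification_configuration(function_arn, prefix="uploads/"):
    """Body for `aws s3api put-bucket-notification-configuration`, run in Account-A."""
    return {"LambdaFunctionConfigurations": [{
        "Id": "InvokeMyFunctionOnPut",
        "LambdaFunctionArn": function_arn,
        "Events": ["s3:ObjectCreated:*"],
        "Filter": {"Key": {"FilterRules": [{"Name": "prefix", "Value": prefix}]}},
    }]}

if __name__ == "__main__":
    policy = {"Version": "2012-10-17",
              "Statement": [s3_invoke_statement(FUNCTION_ARN, BUCKET_ARN, BUCKET_ACCOUNT)]}
    print(json.dumps(policy, indent=2), unconfined_s3_statements(policy))
    print(json.dumps(notification_configuration(FUNCTION_ARN), indent=2))
```

The audit function can be run over the output of `aws lambda get-policy` (its `Policy` field is a JSON string) to confirm the permission is scoped to the one bucket in Account-A.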