Cross account role for an AWS Lambda function

15
votes

I have two AWS account (A and B). On my account A, I have a lambda function which need to access to resources of account B. Precisely, my lambda on my account A, need to update a record in a Route53 zone hosted on my account B.

Contrary to S3, I don't see any resource access policy in Route53. So I'm a bit lost. I tried to play with IAM cross account roles, but that does not seems to work with lambda.

How can I allow a lambda function on an account A to access resources of my account B?

1
amazon-web-servicesamazon-iamaws-lambda

1 Answers

23
votes

You can create a Role in account B and permit your User (in account A) to assume it.

  • Create a Role in account A that will be used by your AWS Lambda function.
  • Create a Role in account B with a role type of Role for Cross-Account Access. Assign the desired permissions to use Route 53 in account B. Also add permissions for the Role in account A to call AssumeRole on this role.
  • The Lambda function in account A can then call AssumeRole on the role in account B. This will return a set of temporary credentials that can be used to access Route 53 in account B.

See:

Here's a picture from the Tutorial:

Cross account access