3
votes

I have a Lambda function that writes to a Kinesis stream. But now, I want to write to a Kinesis stream which belongs to a different AWS account. Assuming I have all the necessary cross-account permissions, how can I send data to this stream? How should I change the parameters when I call the Kinesis constructor or the putRecord function?

2 Answers

3
votes

There is the method above which would technically work; however, hardcoding creds or even configuring creds into a Lambda seems a bit extraneous to me, since Lambdas themselves require that you have a role. What you need to do is create a cross-account trust and assume the role using STS.

Create a role in the account with the Kinesis stream, and set it to trust your Lambda role.

Give that role a policy that allows it to put to the Kinesis stream.

In your Lambda code, use STS to create a session in the account with the Kinesis stream and put your record.

Note your Lambda will need a policy that allows it to STS into the second account's role.

It is described a bit more clearly here: Providing Access to Accounts You Own
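
The steps in the answer above, written out as an added example that is not part of the original answer: the three policy documents and the Lambda-side call sequence for the AWS SDK for JavaScript v2. Account IDs, role names, the stream name and the helper names are placeholders, and the SDK namespace is passed in as a parameter so the block loads without the SDK installed.

```javascript
// Added example. All account IDs, role names and the stream name are placeholders.
const REGION = 'eu-west-1';
const STREAM_NAME = 'example-stream';
const LAMBDA_ROLE_ARN = 'arn:aws:iam::111111111111:role/lambda-exec-role';
const WRITER_ROLE_ARN = 'arn:aws:iam::222222222222:role/kinesis-writer';
const STREAM_ARN = `arn:aws:kinesis:${REGION}:222222222222:stream/${STREAM_NAME}`;

const policy = (statement) => ({ Version: '2012-10-17', Statement: [statement] });

// Stream account: trust policy on the writer role. Only the Lambda's role may assume it.
const trustPolicy = () => policy({
  Effect: 'Allow', Principal: { AWS: LAMBDA_ROLE_ARN }, Action: 'sts:AssumeRole' });

// Stream account: permissions of the writer role, scoped to one action on one stream.
const writerPolicy = () => policy({
  Effect: 'Allow', Action: 'kinesis:PutRecord', Resource: STREAM_ARN });

// Lambda account: added to the Lambda's role so it may assume only the writer role.
const lambdaPolicy = () => policy({
  Effect: 'Allow', Action: 'sts:AssumeRole', Resource: WRITER_ROLE_ARN });

// AWS is the aws-sdk v2 namespace; in Lambda pass require('aws-sdk').
async function putCrossAccount(AWS, data, partitionKey) {
  // The Lambda's own role credentials sign this call; nothing is hardcoded.
  const { Credentials: c } = await new AWS.STS().assumeRole({
    RoleArn: WRITER_ROLE_ARN,
    RoleSessionName: 'lambda-kinesis-writer', // recorded in CloudTrail
    DurationSeconds: 900                      // shortest allowed lifetime
  }).promise();
  // Client bound to the temporary credentials of the stream account's role.
  const kinesis = new AWS.Kinesis({
    region: REGION,
    accessKeyId: c.AccessKeyId,
    secretAccessKey: c.SecretAccessKey,
    sessionToken: c.SessionToken
  });
  return kinesis.putRecord({
    StreamName: STREAM_NAME, PartitionKey: partitionKey, Data: Buffer.from(data)
  }).promise();
}
```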

0
votes

First you need to configure the Kinesis instance:

(I chose Javascript for the example)

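var AWS = require('aws-sdk'); // AWS SDK for JavaScript v2

// Kinesis client configured with static credentials ('XXX'/'YYY' are placeholders)
var kinesis = new AWS.Kinesis({
    accessKeyId: 'XXX',
    secretAccessKey: 'YYY',
    region: 'eu-west-1',
    apiVersion: '2013-12-02'
});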

For more information, take a look at Constructing a Kinesis object

To write/put a record, use the following:

var params = {
    Data: Buffer.from('...') || 'STRING_VALUE', /* required */
    PartitionKey: 'STRING_VALUE', /* required */
    StreamName: 'STRING_VALUE', /* required */
    ExplicitHashKey: 'STRING_VALUE',
    SequenceNumberForOrdering: 'STRING_VALUE'
};
kinesis.putRecord(params, function (err, data) {
    if (err) console.log(err, err.stack); // an error occurred
    else     console.log(data);           // successful response
});

For more information, take a look at Calling the putRecord operation