How to setup cross account custom authorizer with serverless framework? Custom authorizer configured with sls framework works fine if it is in the same AWS account as function that needs authorization.
What I have now is organization root account where authorizer function has been deployed. On the second account, which is organization member, I have a serverless service deployed with the endpoints that needs to be authorized from the root account.
Is it possible to configure something like this inside serverless.yml that will be deployed on the member account (111111111111 is root account number):
hello:
handler: api/hello.handler
events:
- http:
path: hello
method: get
cors: true
authorizer: arn:aws:lambda:eu-west-1:111111111111:function:authorizer
I have tried this and received following error:
An error occurred: AuthorizerApiGatewayAuthorizer - The policy of Lambda function must explicitly authorize the method or custom authorizer with a SourceArn condition for cross account integration (Service: AmazonApiGateway; Status Code: 400; Error Code: BadRequestException;
... which makes sense according to the AWS docs. These docs explains how to manually do it using API Gateway console which is exactly what I did for now (authorizer in the root, authorizer in the member account - manually connected through API gateway, same as described in the docs).
I need a better solution as the number of services and organization member accounts is going to grow.
Is it possible to configure and make this work with serverless framework?
