
Here is the problem: I need to use a Lambda function in AWS Account A (in root AWS Account A) to write some data to DynamoDB tables in AWS Account B (in root AWS Account B). The whole project is written with the Serverless Framework in Node.js.

I know I need to use a cross-account role in the Lambda function to do that. Since Serverless uses a template that shares a lot with the CloudFormation template, I did some research on how to use the cross-account role; here is the AWS documentation: https://docs.aws.amazon.com/zh_cn/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Principal": {"AWS": "Example Corp's AWS Account ID"},
    "Condition": {"StringEquals": {"sts:ExternalId": "12345"}}
  }
}

This is the sample IAM specification for a task like this. The YAML template in Serverless looks like this in my project:

    - Effect: Allow
      Principal: 
        AWS: 'AWS Account B External ID'
      Action:
        - sts:AssumeRole
      Resource:
        - '*'    

But when I tried to deploy the Serverless template, I got an error like this:

An error occurred: IamRoleLambdaExecution - Policy document should not specify a principal. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: XXXX-XXXX-XXXX-XXXX-XXXX).

I am wondering what the correct way is to specify the template for this requirement. I would appreciate help of any kind.


1 Answer


You can allow for assumed roles using an external ID by creating an AWS::IAM::Role resource. The example below gives access to an S3 bucket, but the approach is the same.

ExternalS3AccessRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName: SomeRoleName
    # Trust policy: who may assume this role. This is the only place a Principal belongs.
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Action: sts:AssumeRole
          Principal:
            AWS: "Example Corp's AWS Account ID"
          Condition:
            StringEquals:
              'sts:ExternalId': "12345"
    # Permissions policy: what the assumed role may do. Resources, no Principal.
    Policies:
      - PolicyName: ExternalS3AccessPolicy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - s3:Get*
                - s3:List*
              Resource:
                - "arn:aws:s3:::<BUCKET_NAME>/*"
            - Effect: Allow
              Action:
                - s3:Get*
                - s3:List*
              Resource:
                - "arn:aws:s3:::<BUCKET_NAME>"
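The error in the question comes from putting a `Principal` into an identity policy (Serverless's `provider.iamRoleStatements` becomes the Lambda execution role's inline policy, which must name `Resource`s, never a `Principal`), while the snippet with the `Principal` and `sts:ExternalId` condition belongs in the `AssumeRolePolicyDocument` of the role that Account B deploys. The following is an added example, not code from the question or the answer above: it builds the three documents the setup needs (trust policy and permissions policy for the role in Account B, the AssumeRole statement for the Lambda role in Account A), lints the exact mistake IAM rejected, and shows the runtime call a Node.js Lambda makes with the AWS SDK v2 (`sts.assumeRole` with `ExternalId`, then a DynamoDB client built from the temporary credentials). The account IDs, role name, table ARN, external ID and the injected fake clients are assumptions so that it runs offline.

```javascript
'use strict';
// Added example (not from the original question or answer). Account IDs, role name,
// table ARN and external ID are assumed placeholders.

const ACCOUNT_A = '111111111111'; // assumption: owns the Lambda (caller)
const ACCOUNT_B = '222222222222'; // assumption: owns the DynamoDB table (target)
const ROLE_ARN_B = `arn:aws:iam::${ACCOUNT_B}:role/CrossAccountDynamoWrite`; // assumption
const TABLE_ARN_B = `arn:aws:dynamodb:us-east-1:${ACCOUNT_B}:table/Orders`; // assumption
const EXTERNAL_ID = 'c1e4c4a0-long-random-value'; // assumption; agreed out of band with Account B

function statements(doc) {
  return Array.isArray(doc.Statement) ? doc.Statement : [doc.Statement];
}

// Trust policy for the role in Account B: names WHO may assume it (Principal) and has no
// Resource. Goes into AssumeRolePolicyDocument of an AWS::IAM::Role deployed from Account B.
function trustPolicy(callerPrincipalArn, externalId) {
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Action: 'sts:AssumeRole',
      Principal: { AWS: callerPrincipalArn },
      Condition: { StringEquals: { 'sts:ExternalId': externalId } },
    }],
  };
}

// Permissions policy on the same role: WHAT the assumed session may do in Account B.
function dynamoWritePolicy(tableArn) {
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Action: ['dynamodb:PutItem', 'dynamodb:UpdateItem', 'dynamodb:BatchWriteItem'],
      Resource: tableArn,
    }],
  };
}

// Identity-policy statement for the Lambda execution role in Account A
// (serverless.yml provider.iamRoleStatements): the role ARN is the Resource, no Principal.
function lambdaAssumeStatement(roleArn) {
  return { Effect: 'Allow', Action: 'sts:AssumeRole', Resource: roleArn };
}

// Lint a document for the shape errors IAM rejects. kind is 'identity' or 'trust'.
function lintPolicy(doc, kind) {
  const problems = [];
  for (const s of statements(doc)) {
    if (kind === 'identity') {
      if ('Principal' in s) problems.push('Policy document should not specify a principal');
      if (!('Resource' in s)) problems.push('identity policy statement needs a Resource');
    } else {
      if ('Resource' in s) problems.push('trust policy statement must not specify a Resource');
      if (!('Principal' in s)) problems.push('trust policy statement needs a Principal');
      const cond = s.Condition && s.Condition.StringEquals;
      if (!(cond && cond['sts:ExternalId'])) problems.push('trust policy has no sts:ExternalId condition');
    }
  }
  return problems;
}

// The question's snippet, same shape: a Principal inside an identity policy.
const QUESTION_SNIPPET = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Principal: { AWS: 'AWS Account B External ID' },
                Action: ['sts:AssumeRole'], Resource: ['*'] }],
};

// Runtime side, inside the Lambda in Account A: assume the Account B role with the
// external ID, then write with the temporary credentials. Clients are injected so this
// runs offline; in a real Lambda pass `new AWS.STS()` and
// `opts => new AWS.DynamoDB.DocumentClient(opts)` from aws-sdk v2.
async function writeCrossAccount({ sts, makeDocumentClient }, roleArn, externalId, tableName, item) {
  const { Credentials } = await sts.assumeRole({
    RoleArn: roleArn,
    RoleSessionName: 'lambda-cross-account-write',
    ExternalId: externalId,
    DurationSeconds: 900, // shortest allowed; one write does not need more
  }).promise();
  const ddb = makeDocumentClient({
    accessKeyId: Credentials.AccessKeyId,
    secretAccessKey: Credentials.SecretAccessKey,
    sessionToken: Credentials.SessionToken,
  });
  await ddb.put({ TableName: tableName, Item: item }).promise();
  return Credentials.Expiration;
}
```

Two practitioner notes on the trust side: `arn:aws:iam::<ACCOUNT_A>:root` as the Principal delegates to every IAM principal in Account A that has `sts:AssumeRole` on the role ARN; naming the Lambda execution role's ARN instead is the tighter choice. The external ID is a confused-deputy guard, not a credential: it stops a third party who knows the role ARN from getting Account A's tooling to assume the role on their behalf, so generate it randomly and never reuse it across customers, but do not rely on it as a secret.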