1
votes

I want to send a notification from SNS (Account A) to Lambda (Account B). I followed this tutorial but am still getting the error below: https://docs.aws.amazon.com/lambda/latest/dg/with-sns-example.html

Error code: AccessDeniedException - Error message: User: arn:aws:sts::AccountA:assumed-role/AdministratorAccessRole/A12345 is not authorized to perform: lambda:AddPermission on resource: arn:aws:lambda:us-east-1:AccountB:function:TestLambda

Below is what I did:

1. In Account A, I added the policy below to the Access Policy of the SNS topic:

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "_abc_",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::AccountB:root"
      },
      "Action": [
        "SNS:Subscribe",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:us-east-1:AccountA:TriggerLambdaB-SNS"
    }
  ]
}

2. In Account B, I added the policy below to the Resource-Based Policy of the Lambda function:

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "_abc_",
      "Effect": "Allow",
      "Principal": {
        "Service": "sns.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:AccountB:function:TestLambda",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:sns:us-east-1:AccountA:TriggerLambdaB-SNS"
        }
      }
    }
  ]
}

I am able to see the SNS name under the Triggers section of my Lambda in Account B, but when I try to subscribe the Lambda to the SNS topic I get this error. Please guide me on what I am missing here.

Is it because I have different types of role in these accounts, like AdminAccessRole in Account A and FederatedRoleAccess in Account B?

1
Could you please clarify what you mean by "send notification"? Are you saying that you want the Lambda function from Account-B to subscribe to the SNS topic in Account-A, so that a message sent to the SNS topic will trigger an invocation of the Lambda function? - John Rotenstein
The link you provided also says that ListSubscriptionsByTopic should be used in setting out cross-account lambda subscriptions. - Marcin
@Marcin Yes, I added that as well now. But still getting the same error. - AWS_Developer
@JohnRotenstein: Yes. - AWS_Developer
What about KMS? Do you encrypt something using it? Cross-account access to KMS-encrypted resources requires special permissions. - Marcin

1 Answer

1
votes

You need to run the aws sns subscribe in Account-B (with the Lambda function), not Account-A (with the SNS function).

Otherwise, your setup seems correct.

When I tried running the subscribe command from Account-A, it said:

An error occurred (AuthorizationError) when calling the Subscribe operation: The account ACCOUNT-A is not the owner of the lambda function arn:aws:lambda:ap-southeast-2:ACCOUNT-B:function:foo

While this error is different to yours, your command appears to have been run from Account-A (with SNS) rather than Account-B (with Lambda).

Side-note: There appears to be a small error in the Tutorial: Using AWS Lambda with Amazon Simple Notification Service documentation, where the Resource-Based policy for Lambda (the second one in your Question) is showing a SourceArn that refers to Account-B-Lambda, whereas it should be Account-A-SNS. However, you appear to have gotten this correct in your policy above.
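As an added example (not code from the question, the answer, or the AWS tutorial), the script below encodes what this thread establishes so it can be checked offline before anyone runs `aws sns subscribe`: the call has to come from the account that owns the Lambda, the topic policy in Account A has to grant `SNS:Subscribe` to Account B, and the Lambda's resource-based policy has to name `sns.amazonaws.com` with a `SourceArn` that matches the topic (not the Lambda ARN, the slip the answer notes in the tutorial). The account IDs, ARNs and the caller ARNs are constructed placeholders, and `arn_like` is a simplified stand-in for IAM's real ArnLike matching; it also flags a Lambda policy with no `SourceArn` condition, which the thread does not discuss but which would let any topic in any account invoke the function.

```python
"""Offline linter for the cross-account SNS -> Lambda setup in this thread.
Added example, not code from the question or the answer. It builds the two
policies the thread describes and checks a pair for the mistakes the thread
hits: Subscribe called from the SNS account rather than the Lambda account,
a SourceArn pointing at the wrong resource, or none at all. Account IDs and
caller ARNs are constructed placeholders; arn_like is a simplified stand-in
for IAM's ArnLike (assumption: only '*' and '?' wildcards matter).
"""
import fnmatch

ACCOUNT_A = "111111111111"  # owns the SNS topic (constructed placeholder)
ACCOUNT_B = "222222222222"  # owns the Lambda function (constructed placeholder)
TOPIC_ARN = "arn:aws:sns:us-east-1:%s:TriggerLambdaB-SNS" % ACCOUNT_A
FUNCTION_ARN = "arn:aws:lambda:us-east-1:%s:function:TestLambda" % ACCOUNT_B


def arn_account(arn):
    """Account-ID field of an ARN: arn:partition:service:region:account:resource."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError("not an ARN: %r" % arn)
    return parts[4]


def arn_like(pattern, arn):
    """Approximation of IAM ArnLike: case-insensitive, '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(arn.lower(), pattern.lower())


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt, kind):
    """Principals of one kind ("AWS" or "Service"); tolerates the bare "*" form."""
    princ = stmt.get("Principal", {})
    return _as_list((princ if isinstance(princ, dict) else {"AWS": princ}).get(kind, []))


def _source_arns(stmt):
    """SourceArn patterns from ArnLike/ArnEquals conditions (key is case-insensitive)."""
    return [p for op in ("ArnLike", "ArnEquals")
            for key, val in stmt.get("Condition", {}).get(op, {}).items()
            if key.lower() == "aws:sourcearn" for p in _as_list(val)]


def topic_policy(topic_arn, subscriber_account):
    """SNS topic access policy (in Account A): let Account B's principals subscribe."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCrossAccountSubscribe", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::%s:root" % subscriber_account},
        "Action": ["SNS:Subscribe", "SNS:Receive"], "Resource": topic_arn}]}


def lambda_policy(function_arn, topic_arn):
    """Lambda resource-based policy (in Account B): SNS may invoke, only from this topic."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowSnsInvokeFromTopic", "Effect": "Allow",
        "Principal": {"Service": "sns.amazonaws.com"},
        "Action": "lambda:InvokeFunction", "Resource": function_arn,
        "Condition": {"ArnLike": {"AWS:SourceArn": topic_arn}}}]}


def lint_setup(topic_arn, function_arn, topic_pol, func_pol, caller_arn):
    """Problems (empty list = OK) with a cross-account SNS -> Lambda setup.
    Checks: (1) Subscribe is called from the Lambda owner's account (the answer's
    point; the question's caller in Account A is refused lambda:AddPermission);
    (2) the topic policy grants SNS:Subscribe on the topic to that account;
    (3) the Lambda policy lets sns.amazonaws.com invoke the function with a
    SourceArn matching the topic (the tutorial's copy pointed it at the Lambda).
    """
    problems, lambda_account = [], arn_account(function_arn)
    if arn_account(caller_arn) != lambda_account:
        problems.append("subscribe must run in account %s (Lambda owner), not %s"
                        % (lambda_account, arn_account(caller_arn)))

    def grants_subscribe(stmt):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        return (stmt.get("Effect") == "Allow"
                and any(p.startswith("arn:") and arn_account(p) == lambda_account
                        for p in _principals(stmt, "AWS"))
                and any(a in ("sns:subscribe", "sns:*") for a in actions)
                and any(arn_like(r, topic_arn) for r in _as_list(stmt.get("Resource", []))))

    if not any(grants_subscribe(s) for s in _as_list(topic_pol.get("Statement", []))):
        problems.append("topic policy does not grant SNS:Subscribe on %s to account %s"
                        % (topic_arn, lambda_account))

    def allows_sns_invoke(stmt):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        return (stmt.get("Effect") == "Allow"
                and "sns.amazonaws.com" in _principals(stmt, "Service")
                and "lambda:invokefunction" in actions
                and any(arn_like(r, function_arn) for r in _as_list(stmt.get("Resource", []))))

    invoke_stmts = [s for s in _as_list(func_pol.get("Statement", [])) if allows_sns_invoke(s)]
    patterns = [p for s in invoke_stmts for p in _source_arns(s)]
    if not invoke_stmts:
        problems.append("lambda policy does not let sns.amazonaws.com invoke %s" % function_arn)
    elif not patterns:
        # Confused-deputy risk: any SNS topic in any account could invoke the function.
        problems.append("lambda policy has no SourceArn condition; any topic may invoke it")
    elif not any(arn_like(p, topic_arn) for p in patterns):
        problems.append("SourceArn %s does not match the topic %s" % (patterns, topic_arn))
    return problems
```

Run `lint_setup(TOPIC_ARN, FUNCTION_ARN, topic_policy(TOPIC_ARN, ACCOUNT_B), lambda_policy(FUNCTION_ARN, TOPIC_ARN), caller_arn)` with the ARN of the identity you intend to use: with an Account B identity it returns an empty list, with the question's Account A assumed-role ARN it returns the "subscribe must run in account ..." problem, which is the answer in one line. Once it passes, the subscription itself is created with Account B credentials: `aws sns subscribe --topic-arn <topic ARN> --protocol lambda --notification-endpoint <function ARN>`.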