Trigger lambda with cross account s3 put object

Time:06-18

I am trying to invoke a Lambda function from a cross-account S3 bucket put action. I can do it manually from the console but want to do it using the Serverless Framework. If anyone has any answer or related material, please suggest it to me.

CodePudding user response:

As I understand correctly, you want to add this in a YAML template for CloudFormation and set all these invocation settings.

Check this - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  lambda-s3-trigger

  Sample SAM Template for lambda-s3-trigger

Globals:
  Function:
    Timeout: 3

Parameters:
  Environment:
    Type: String
    Description: Environment name. Example, staging, dev, prod, etc.

Resources:
  MyFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: hello-world/
      Handler: app.lambdaHandler
      Runtime: nodejs12.x
      Role:
        Fn::GetAtt:
          - "MyRole"
          - "Arn"
      # Tags belong under Properties, not at the resource level
      Tags:
        Name: !Sub "${Environment}-my-function"


  MyRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: AccessToS3Notifications
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - 's3:GetBucketNotification'
                  - 's3:PutBucketNotification'
                  - "s3:GetObject"
                # bucket ARN for the notification actions, bucket/* for s3:GetObject
                Resource:
                  - !Sub 'arn:aws:s3:::${AWS::AccountId}-${Environment}-my-bucket'
                  - !Sub 'arn:aws:s3:::${AWS::AccountId}-${Environment}-my-bucket/*'

  MyBucket:
    Type: AWS::S3::Bucket
    # the invoke permission must exist before S3 validates the notification destination,
    # otherwise the stack fails with "Unable to validate the following destination configurations"
    DependsOn:
      - PermissionForEventsToInvokeLambda
    Properties:
      # the bucket name has the account as a prefix since it has to be unique globally at AWS level
      BucketName: !Sub "${AWS::AccountId}-${Environment}-my-bucket"
      NotificationConfiguration:
        LambdaConfigurations:
          - Event: 's3:ObjectCreated:*'
            Function: !GetAtt MyFunction.Arn

  PermissionForEventsToInvokeLambda:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !GetAtt MyFunction.Arn
      Action: "lambda:InvokeFunction"
      Principal: "s3.amazonaws.com"
      # SourceArn is omitted because referencing MyBucket here would create a circular
      # dependency; SourceAccount still restricts the grant to buckets in this account
      SourceAccount: !Ref 'AWS::AccountId'

CodePudding user response:

In this blog, we'll show you how to set up a Lambda function to trigger on an S3 PUT object event from a different AWS account. This can be useful if you have multiple AWS accounts and want to move data between them, or if you want to trigger a Lambda function from an S3 event in another AWS account.

First, you'll need to create an IAM role in the account where the S3 bucket resides. This IAM role will be used by Lambda to assume a cross-account role in order to trigger the Lambda function.

Next, you'll need to create a Lambda function in the account where you want to trigger the event. This Lambda function will assume the IAM role created in the previous step.

Finally, you'll need to add a bucket policy to the S3 bucket in the account where the S3 bucket resides. This bucket policy will allow the Lambda function in the other account to trigger on PUT events.

Assuming you have two AWS accounts, account A and account B, here's how you would set this up:

  1. In account A, create an IAM role. This IAM role will be used by Lambda in account B to assume a cross-account role.

  2. In account B, create a Lambda function. This Lambda function will assume the IAM role created in step 1.

  3. In account A, add a bucket policy to the S3 bucket. This bucket policy will allow the Lambda function in account B to trigger on PUT events.

Here's the IAM role you'll need to create in account A:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

And here's the Lambda function you'll need to create in account B:

import boto3


def lambda_handler(event, context):
    # TODO implement
    print(event)
    return 'Hello from Lambda'

Finally, here's the bucket policy you'll need to add to the S3 bucket in account A:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::account-b-id:root"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucket-name/*"
    }
  ]
}

Replace account-b-id with the ID of account B, and bucket-name with the name of the S3 bucket in account A.

Now, when you PUT an object into the S3 bucket in account A, the Lambda function in account B will trigger and print the event to the logs.
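Whichever account owns the bucket, the piece both answers leave out is the Lambda resource policy in the function's account: the AWS::Lambda::Permission in the first answer pins only SourceAccount (to the function's own account), and the second answer's bucket policy grants PutObject rather than an invoke right. The check below is added for this thread, not code from either answer; it audits the policy document that `aws lambda get-policy` returns for S3 invoke grants that are not pinned to the expected bucket and its owning account (account IDs and the bucket name are constructed placeholders).

```python
"""Audit a Lambda function's resource policy (the JSON from `aws lambda get-policy`)
for S3 invoke grants not pinned to the one bucket, and the one bucket-owning account,
that should be able to invoke it. Account IDs and bucket name are constructed."""

BUCKET_ARN = "arn:aws:s3:::account-a-bucket"  # bucket lives in account A (constructed)
BUCKET_OWNER = "222222222222"                 # account A's ID (constructed)
FUNCTION_ACCOUNT = "111111111111"             # account B, where the function lives


def s3_invoke_findings(policy: dict, bucket_arn: str, bucket_owner: str) -> list:
    """Return one finding per way an S3 invoke statement is under-scoped."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or st.get("Principal", {}).get("Service") != "s3.amazonaws.com":
            continue
        actions = st.get("Action", [])
        if "lambda:InvokeFunction" not in ([actions] if isinstance(actions, str) else actions):
            continue
        sid, cond = st.get("Sid", "<no Sid>"), st.get("Condition", {})
        # add-permission --source-arn / --source-account produce exactly these condition keys
        src_arn = cond.get("ArnLike", {}).get("AWS:SourceArn")
        src_acct = cond.get("StringEquals", {}).get("AWS:SourceAccount")
        if src_arn is None:
            findings.append(f"{sid}: no SourceArn, any bucket may invoke the function")
        elif src_arn != bucket_arn:
            findings.append(f"{sid}: SourceArn {src_arn} is not {bucket_arn}")
        # bucket ARNs carry no account ID, so SourceArn alone does not bind the bucket owner
        if src_acct is None:
            findings.append(f"{sid}: no SourceAccount, bucket owner is unconstrained")
        elif src_acct != bucket_owner:
            findings.append(f"{sid}: SourceAccount {src_acct} is not bucket owner {bucket_owner}")
    return findings


# Constructed: what the first answer's AWS::Lambda::Permission yields once deployed in
# account B (SourceAccount is B's own ID, no SourceArn), which does not fit cross-account.
AS_DEPLOYED_FROM_TEMPLATE = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PermissionForEventsToInvokeLambda", "Effect": "Allow",
    "Principal": {"Service": "s3.amazonaws.com"}, "Action": "lambda:InvokeFunction",
    "Resource": f"arn:aws:lambda:us-east-1:{FUNCTION_ACCOUNT}:function:MyFunction",
    "Condition": {"StringEquals": {"AWS:SourceAccount": FUNCTION_ACCOUNT}}}]}

# Constructed: the permission the cross-account case needs, pinned to account A's bucket.
CROSS_ACCOUNT_PINNED = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowAccountABucket", "Effect": "Allow",
    "Principal": {"Service": "s3.amazonaws.com"}, "Action": "lambda:InvokeFunction",
    "Resource": f"arn:aws:lambda:us-east-1:{FUNCTION_ACCOUNT}:function:MyFunction",
    "Condition": {"ArnLike": {"AWS:SourceArn": BUCKET_ARN},
                  "StringEquals": {"AWS:SourceAccount": BUCKET_OWNER}}}]}
```

Run `s3_invoke_findings(AS_DEPLOYED_FROM_TEMPLATE, BUCKET_ARN, BUCKET_OWNER)` to see the two gaps in the template's grant; the pinned policy returns no findings, and it is the shape the serverless.yml `resources` section should produce in account B, with the bucket notification configured separately in account A.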
