I have a DynamoDB table created in account A and a role created in the same account to perform some actions on it.
This role will be assumed by a Lambda function deployed in account B. Right now I am only deploying the stack with the code below in account A. The stack for account B with the CDK code for the Lambda function will be deployed later. This is the relevant role code for the stack deployed in account A:
```python
from aws_cdk import aws_dynamodb as ddb, aws_iam as iam

# DynamoDB table owned by account A
self._ddb_table = ddb.Table(
    self,
    id,
    # ... (remaining table properties elided in the original post)
)

# Role in account A that the Lambda function is meant to assume
ddb_lambda_role = iam.Role(
    self, "ddb_lambda_role",
    assumed_by=iam.ServicePrincipal("lambda.amazonaws.com"),
    role_name="ddb_lambda_role",
)

# Permissions the role gets on the table
ddb_policy_stmt = iam.PolicyStatement(
    effect=iam.Effect.ALLOW,
    actions=[
        'dynamodb:Query',
        'dynamodb:GetItem',
        'dynamodb:GetRecords',
        'dynamodb:PutItem',
        'dynamodb:UpdateItem',
        'dynamodb:BatchGetItem',
    ],
    resources=[self._ddb_table.table_arn],
)
ddb_lambda_role.add_to_policy(ddb_policy_stmt)
```
This gives an error saying: The following resource(s) failed to create: [ddblambdarole...].
There is no more information provided in the CLI or in the web console. Do you see anything wrong with the role created above? How do I create a cross-account role in the current account A that can be assumed by a Lambda function in another account, if not the way done above?
CodePudding user response:
Check your CloudTrail logs for events from iam.amazonaws.com; there you will find the true reason for the failure.
CodePudding user response:
You should double-check your roles' abilities.
The role in account A which is assumed by the Lambda in account B must have the right trusted entity, in this case the execution role of the Lambda.
The execution role of the Lambda in account B must have the AssumeRole policy.
I think all you need is here: https://aws.amazon.com/premiumsupport/knowledge-center/lambda-function-assume-iam-role/
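As an added example (not code from the question or either answer), here are the two policy documents the answer above describes, written as plain Python dicts together with a check that both halves of the trust relationship agree; the account IDs and the execution-role name are placeholders, and the CDK calls that produce each document are noted in the comments.

```python
# Added example (not from the question or answers); IDs and names are placeholders.
ACCOUNT_A = "111111111111"  # placeholder: owns the DynamoDB table and ddb_lambda_role
ACCOUNT_B = "222222222222"  # placeholder: owns the Lambda function
EXEC_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/lambda-exec-role"  # placeholder name
DDB_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/ddb_lambda_role"

def trust_policy_for(principal_arn: str) -> dict:
    """Trust policy for ddb_lambda_role in account A: trust B's Lambda execution
    role, not lambda.amazonaws.com (that only covers functions in account A).
    CDK: iam.Role(..., assumed_by=iam.ArnPrincipal(principal_arn))."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": principal_arn},
        "Action": "sts:AssumeRole"}]}

def service_trust_policy() -> dict:
    """What the question's iam.ServicePrincipal("lambda.amazonaws.com") produces."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}

def assume_role_policy_for(role_arn: str) -> dict:
    """Identity policy for the execution role in account B, scoped to one role.
    CDK: iam.PolicyStatement(actions=["sts:AssumeRole"], resources=[role_arn])."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}]}

def _as_list(value) -> list:
    """Policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [] if value is None else [value]

def trust_is_consistent(trust: dict, exec_policy: dict,
                        exec_role_arn: str, target_role_arn: str) -> bool:
    """Both halves must agree: A's role trusts B's execution role, and B's role
    may call sts:AssumeRole on A's role. Missing either half gives AccessDenied."""
    trusted = any(
        s.get("Effect") == "Allow"
        and "sts:AssumeRole" in _as_list(s.get("Action"))
        and isinstance(s.get("Principal"), dict)
        and exec_role_arn in _as_list(s["Principal"].get("AWS"))
        for s in trust["Statement"])
    permitted = any(
        s.get("Effect") == "Allow"
        and "sts:AssumeRole" in _as_list(s.get("Action"))
        and target_role_arn in _as_list(s.get("Resource"))
        for s in exec_policy["Statement"])
    return trusted and permitted
```

The DynamoDB permissions from the question still attach to ddb_lambda_role exactly as before; only the trust policy changes, and the check shows that the ServicePrincipal variant never satisfies the cross-account case.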