We have a case where we have two AWS accounts, and need an event created on a bucket in the first account which triggers a lambda function in the second account.
Currently in the project's 'settings.yml' we define the s3 notifications, including the name, lambda function, key_filters and events, but there's no way to specify a source account.
During the build phase, the AWS::Lambda::Permission resources that are generated for these events look similar to the following:

```json
"S3TriggersApplicationArtefactsPermission": {
    "Properties": {
        "Action": "lambda:InvokeFunction",
        "FunctionName": {
            "Ref": "<lambda_current_alias>"
        },
        "Principal": "s3.amazonaws.com",
        "SourceAccount": {
            "Ref": "AWS::AccountId"
        },
        "SourceArn": {
            "Fn::Join": [
                "",
                [
                    "arn:aws:s3:::",
                    "<bucket_name>"
                ]
            ]
        }
    },
    "Type": "AWS::Lambda::Permission"
}
```
This means that the lambda function only grants permissions for events in the current account to invoke it.
We have already set up the necessary trust permissions between our accounts, so by simply editing the generated template's AWS::Lambda::Permission objects to specify the "SourceAccount" value as the proper source account id (rather than the current account) - after the 'build' step but before the 'apply' step - we get the events created on the source bucket successfully.
Is there a way for us to specify the source account in the settings.yml file so that the permissions can allow other accounts to trigger the lambda function?
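The manual edit described above (setting SourceAccount on the generated AWS::Lambda::Permission between the 'build' and 'apply' steps), as an added Python example that is not part of the issue or the project's own code: it rewrites only the S3-principal permissions whose SourceArn names the given bucket and deliberately keeps SourceArn in place, so the function still accepts invocations from that one bucket rather than from any bucket in the source account. The template is a constructed copy of the one shown in the issue, and the 12-digit account id used is a placeholder.

```python
import json, re

# Constructed copy of the permission resource the build step generates
# (angle-bracket names are placeholders, as on the page).
TEMPLATE = {
    "Resources": {
        "S3TriggersApplicationArtefactsPermission": {
            "Type": "AWS::Lambda::Permission",
            "Properties": {
                "Action": "lambda:InvokeFunction",
                "FunctionName": {"Ref": "<lambda_current_alias>"},
                "Principal": "s3.amazonaws.com",
                "SourceAccount": {"Ref": "AWS::AccountId"},
                "SourceArn": {"Fn::Join": ["", ["arn:aws:s3:::", "<bucket_name>"]]},
            },
        }
    }
}
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def resolve_arn(source_arn):
    """Flatten a literal SourceArn or an Fn::Join of literal strings."""
    if isinstance(source_arn, str):
        return source_arn
    if isinstance(source_arn, dict) and "Fn::Join" in source_arn:
        sep, parts = source_arn["Fn::Join"]
        if all(isinstance(p, str) for p in parts):
            return sep.join(parts)
    return None


def set_s3_source_account(template, bucket_name, source_account):
    """Return a deep copy of `template` with SourceAccount set to `source_account`
    on every AWS::Lambda::Permission whose principal is S3 and whose SourceArn
    names `bucket_name`, plus the logical ids changed. SourceArn is kept on
    purpose so the permission stays scoped to that one bucket, not all of S3."""
    if not ACCOUNT_ID_RE.match(source_account):
        raise ValueError("source account must be a 12-digit AWS account id")
    out = json.loads(json.dumps(template))  # input is JSON-shaped
    wanted_arn = "arn:aws:s3:::" + bucket_name
    changed = []
    for logical_id, res in out.get("Resources", {}).items():
        props = res.get("Properties", {})
        if (res.get("Type") == "AWS::Lambda::Permission"
                and props.get("Principal") == "s3.amazonaws.com"
                and resolve_arn(props.get("SourceArn")) == wanted_arn):
            props["SourceAccount"] = source_account
            changed.append(logical_id)
    return out, changed
```

Run it over the built template with `json.load`, write the returned copy back out, and then run 'apply'; a permission whose SourceArn is not a plain string or Fn::Join of strings is left alone rather than guessed at.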