When working on a decoupled system spread across multiple AWS accounts, we sometimes have to call resources that live in another account to achieve the goal.
Let's try to understand this with a metaphor.
Assume a system (Content Manager) hosted in Account A whose job is to create movies and publish them to an S3 bucket by calling a Lambda function. Once a movie is published, a catalog file is ready in the S3 bucket.
There is another system (Web App) hosted in Account B that reads the catalog file through a Lambda that runs periodically on a schedule (EventBridge Rule) and displays the movies on the Web Application.
Problem:
Both systems are decoupled (hosted in different AWS accounts) and have no real-time connection to let each other know about the operations they are performing.
Example: CMS publishing generates files that the Web App knows nothing about.
A user can publish a movie that has to go live at midnight and be available for purchase on the Web Application, but the EventBridge Rule runs at 12:30 AM, on the assumption that publishing completes within 30 minutes.
- No one can purchase the movie for 30 minutes.
- Someone always has to check the Scheduler runs and completes successfully.
Solution: Call the Lambda hosted in the Web App account (Account B) from Account A to create a near-real-time connection, so that a published movie is displayed on the web and ready for purchase quickly.
Account A - Where the Lambda call originates
1. Create an IAM Role in Account A:
- In the IAM console, create a new role.
- Choose the type of trusted entity as AWS service, and select Lambda as the use case.
- Attach a policy that allows the Lambda function to assume roles in the other account.
2. Assume the Role in Lambda Function:
- In your Lambda function code, use the AWS SDK to assume the role that was created in step 1.
- Obtain temporary security credentials (STS) after assuming the role.
3. Invoke Lambda in Account B:
- Use the temporary security credentials to invoke the Lambda function in Account B.
- Ensure the Lambda function in Account B has the necessary IAM role and policies allowing the invocation from Account A.
Account B - Where the Lambda is invoked
1. Create an IAM Role in Account B:
- In the IAM console, create a new role.
- Define a trust relationship that allows the role to be assumed by the account in which the Lambda function in Account A resides.
2. Define IAM Policies for Lambda Execution:
- Attach policies to the IAM role in Account B that allow the Lambda function to execute.
3. Configure Trust Relationship in Lambda Execution Role:
- Edit the trust relationship of the Lambda execution role to allow Account A's IAM role to assume the role.
4. Ensure Lambda Function Permissions:
- Ensure that the Lambda function in Account B has the necessary IAM role and policies allowing invocation by Account A.
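The three policy documents from the steps above plus the assume-then-invoke call for Account A, as an added Python (boto3) example that is not from the original post. All account ids, role and function ARNs and the ExternalId are constructed placeholders; the ExternalId condition on the Account B trust policy is an added check against the confused-deputy problem, and each policy names a single resource rather than a wildcard.

```python
import json

# Constructed placeholder identifiers; replace with your own account ids and ARNs.
ACCOUNT_A_ROLE_ARN = "arn:aws:iam::111111111111:role/cms-publisher-lambda-role"
ACCOUNT_B_ROLE_ARN = "arn:aws:iam::222222222222:role/webapp-cross-account-invoke"
ACCOUNT_B_FUNCTION_ARN = "arn:aws:lambda:us-east-1:222222222222:function:refresh-catalog"
EXTERNAL_ID = "cms-to-webapp-shared-id"  # value agreed between both account owners


def assume_role_policy_for_account_a(target_role_arn):
    """Account A, step 1: the Lambda role may assume only the one Account B role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": target_role_arn}],
    }


def trust_policy_for_account_b(account_a_role_arn, external_id):
    """Account B, steps 1 and 3: trust only Account A's Lambda role, and only with the ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": account_a_role_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def invoke_policy_for_account_b(function_arn):
    """Account B, steps 2 and 4: the assumed role may invoke exactly one function."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": function_arn}],
    }


def invoke_cross_account(role_arn, external_id, function_arn, payload, region="us-east-1"):
    """Account A, steps 2 and 3: assume the Account B role, then invoke with the temporary credentials."""
    import boto3  # imported here so the policy helpers above work without the SDK installed
    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName="cms-publish", ExternalId=external_id, DurationSeconds=900
    )["Credentials"]
    lam = boto3.client("lambda", region_name=region,
                       aws_access_key_id=creds["AccessKeyId"],
                       aws_secret_access_key=creds["SecretAccessKey"],
                       aws_session_token=creds["SessionToken"])
    # "Event" = asynchronous: the publisher does not wait for the web app's catalog refresh to finish
    return lam.invoke(FunctionName=function_arn, InvocationType="Event", Payload=json.dumps(payload))
```

Calling `invoke_cross_account(ACCOUNT_B_ROLE_ARN, EXTERNAL_ID, ACCOUNT_B_FUNCTION_ARN, {"movie_id": "m-123"})` from the Account A Lambda needs real AWS credentials and the roles above already created.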
By following the above steps, you establish secure cross-account access.
Note: Ensure that both accounts have the appropriate permissions and trust relationships configured; the trust policy in Account B and the AssumeRole permission in Account A must both be present, or the STS call is denied.