Using CDK, how can I setup a Lambda in account A to trigger on a DynamoDB stream in account B?

-1

Hi,

I have a DynamoDB in account B that has a stream enabled. On account B, I have an IAM role with permissions that allow a lambda to be triggered on a stream event:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "APIAccessForDynamoDBStreams",
            "Effect": "Allow",
            "Action": [
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator",
                "dynamodb:DescribeStream",
                "dynamodb:ListStreams"
            ],
            "Resource": "ARN TO DYNAMODB STREAM"
        }
    ]
}

This role has a trust policy to the Lambda's role in account A.

I can now set up an EventSourceMapping in CDK code to wire the DynamoDB stream (event) to the Lambda (target). Note that this event source mapping is also in account A, not B (should it be in account B?)

    import { EventSourceMapping, StartingPosition } from 'aws-cdk-lib/aws-lambda';

    new EventSourceMapping(this, 'EventSourceMapping', {
      eventSourceArn: 'ARN TO DYNAMODB STREAM',
      target: this.workerLambda,
      batchSize: 1,
      // Required for DynamoDB and Kinesis stream sources; the deployment fails without it
      startingPosition: StartingPosition.LATEST,
    });

However, at this point I'm not sure how I can get the Lambda in account A to assume the role in account B so it has permissions to be triggered. If this were the reverse direction, e.g. if I needed the Lambda to write to the DynamoDB table, I could simply assume the role in the Lambda code prior to executing the write. However, there seems to be a gap in the direction I'm trying to develop?

How does the Lambda know to assume the role in account B for access to the DynamoDB stream with EventSourceMapping?

If this isn't possible, I'm thinking I might need to go DynamoDB stream -> EventBridge pipe -> SQS (all in account B). Then the SQS can have an access policy that allows the Lambda in account A to access it?

2 answers
1

DynamoDB Streams and AWS Lambda triggers states the following:

You cannot use the same Lambda trigger across different AWS accounts. Both the DynamoDB table and the Lambda functions must belong to the same AWS account.

While this is true, there is a simple work-around which requires 1 extra Lambda. In Account A, where the table is placed, have a Lambda consume from the stream; this Lambda will simply invoke a Lambda in Account B. There is a slight bit of latency included; however, you can achieve the same semantics as a DynamoDB Stream directly invoking a Lambda in Account B.

DynamoDB CRUD -> Stream -> Lambda Acc A -> Lambda Acc B

AWS Expert
answered 7 months ago
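The relay described in the answer above, as an added example that is not code from the answer's author or from AWS. It uses the same letters as the answer (the table and the relay Lambda in Account A, the function that should react in Account B). All account numbers, ARNs, role names and the stream batch are assumed or constructed for the example. Two permission pieces make the relay work, and both are built here as policy documents: the target function in Account B needs a resource-based policy allowing `lambda:InvokeFunction` from the relay role (in CDK that is what `addPermission`/`grantInvoke` on the target function produces), and the relay role in Account A needs the four stream actions from the question plus `lambda:InvokeFunction` on that one target ARN. The handler forwards each stream record with a synchronous invoke and returns the partial-batch-failure shape, which only has an effect if `ReportBatchItemFailures` is enabled on the event source mapping (`reportBatchItemFailures: true` in CDK); it stops at the first failure so that ordering within a shard is preserved and Lambda retries from that sequence number.

```python
"""Relay Lambda: consume a DynamoDB stream in Account A and forward each
record to a function in Account B. Added example, not from the original post."""
import json
import os
from typing import Any, Callable, Optional

# Assumed identifiers (not from the original post).
SOURCE_ACCOUNT = "111111111111"  # Account A: table, stream and this relay Lambda
TARGET_ACCOUNT = "222222222222"  # Account B: function that should react to changes
STREAM_ARN = (f"arn:aws:dynamodb:us-east-1:{SOURCE_ACCOUNT}"
              ":table/Orders/stream/2024-01-01T00:00:00.000")
RELAY_ROLE_ARN = f"arn:aws:iam::{SOURCE_ACCOUNT}:role/stream-relay-role"
TARGET_FUNCTION_ARN = os.environ.get(
    "TARGET_FUNCTION_ARN",
    f"arn:aws:lambda:us-east-1:{TARGET_ACCOUNT}:function:order-consumer")


def target_function_resource_policy(relay_role_arn: str, target_arn: str) -> dict:
    """Resource-based policy on the Account B function. Cross-account invoke is
    authorised by the callee's resource policy, so this is the statement that
    makes the relay possible. Principal is the relay role, not the whole account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowRelayRoleInvoke",
        "Effect": "Allow",
        "Principal": {"AWS": relay_role_arn},
        "Action": "lambda:InvokeFunction",
        "Resource": target_arn,
    }]}


def relay_role_policy(stream_arn: str, target_arn: str) -> dict:
    """Identity policy for the relay Lambda's execution role in Account A: the
    four stream actions from the question plus InvokeFunction on one target ARN."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadStream", "Effect": "Allow",
         "Action": ["dynamodb:GetRecords", "dynamodb:GetShardIterator",
                    "dynamodb:DescribeStream", "dynamodb:ListStreams"],
         "Resource": stream_arn},
        {"Sid": "InvokeTarget", "Effect": "Allow",
         "Action": "lambda:InvokeFunction", "Resource": target_arn},
    ]}


def _boto_invoke(payload: bytes) -> dict:
    """Real invoker: synchronous cross-account call via boto3 (imported lazily so
    the module also loads where boto3 is not installed)."""
    import boto3  # type: ignore
    return boto3.client("lambda").invoke(
        FunctionName=TARGET_FUNCTION_ARN, InvocationType="RequestResponse",
        Payload=payload)


def handler(event: dict, context: Any = None,
            invoke: Optional[Callable[[bytes], dict]] = None) -> dict:
    """Forward each stream record to Account B. Returns the partial-batch-failure
    shape: with ReportBatchItemFailures enabled, Lambda retries from the lowest
    failed sequence number, so we stop at the first failure to keep shard order."""
    invoke = invoke or _boto_invoke
    failures = []
    for record in event.get("Records", []):
        seq = record["dynamodb"]["SequenceNumber"]
        try:
            resp = invoke(json.dumps(record).encode("utf-8"))
            # An error raised inside the callee arrives as FunctionError in a
            # 200 response, not as a client-side exception, so check it explicitly.
            if resp.get("FunctionError"):
                failures.append({"itemIdentifier": seq})
                break
        except Exception:  # throttling, network, access denied, ...
            failures.append({"itemIdentifier": seq})
            break
    return {"batchItemFailures": failures}


def sample_event(n: int = 3) -> dict:
    """Constructed DynamoDB stream batch (not captured from a real stream)."""
    return {"Records": [{
        "eventID": f"e{i}", "eventName": "INSERT", "eventSourceARN": STREAM_ARN,
        "dynamodb": {"Keys": {"pk": {"S": f"order-{i}"}},
                     "NewImage": {"pk": {"S": f"order-{i}"}, "total": {"N": str(10 * i)}},
                     "SequenceNumber": f"{100 + i:021d}", "StreamViewType": "NEW_IMAGE"},
    } for i in range(n)]}


def fake_invoke_failing(fail_pks: set) -> Callable[[bytes], dict]:
    """Constructed stand-in for the real invoker (offline demo only): reports a
    FunctionError for the given partition keys and success for everything else."""
    def invoke(payload: bytes) -> dict:
        pk = json.loads(payload)["dynamodb"]["Keys"]["pk"]["S"]
        if pk in fail_pks:
            return {"StatusCode": 200, "FunctionError": "Unhandled"}
        return {"StatusCode": 200}
    return invoke


if __name__ == "__main__":
    print(json.dumps(target_function_resource_policy(RELAY_ROLE_ARN, TARGET_FUNCTION_ARN), indent=2))
    print(json.dumps(handler(sample_event(), invoke=fake_invoke_failing({"order-1"}))))
```

Two checks worth running after deploying this: an invoke from any principal other than the relay role must fail with AccessDenied, which confirms the resource policy is scoped to the role and not to the whole account; and the relay's response must not be silently ignored, which is why the mapping needs `ReportBatchItemFailures` turned on (without it the returned `batchItemFailures` is discarded and a failure is only retried if the handler raises).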
-1
Accepted answer

Answering my own question here. The Lambda and DynamoDB table must be in the same account, and cross-account triggers on DynamoDB streams are not yet supported.

While not ideal, we have decided to place the Lambda in the same account as the DynamoDB.

answered 7 months ago
AWS Expert
reviewed 7 months ago
  • Hi, yes, the doc that you point to is clear about it.
