How do I set up a cross-account AWS Lambda subscription with an SNS topic?

4 minute read
0

I want to subscribe my AWS Lambda function to an Amazon Simple Notification Service (Amazon SNS) topic in another account.

Short description

Using the Amazon SNS console, add a cross-account AWS Lambda subscription to an Amazon SNS topic.

Resolution

Prerequisite

Before you begin, make sure that:

  • the Lambda function resource policy allows SNS to invoke the function.
  • the SNS topic access policy allows Lambda to subscribe to the topic.

Note: The SNS topic resides in account A and the Lambda function resides in account B.

Subscribe a cross-account Lambda function

There are two possible ways to subscribe a cross-account Lambda function to an SNS topic:

  • Add an SNS trigger from the Lambda console in account B
  • Add Lambda subscription from the SNS console in account B (the account with the Lambda function)

Create the resources

Create an SNS topic in account A:

  1. Open Amazon SNS console, and then select Topics on the left panel.
  2. Choose Create topic, select Topic type, and then enter Topic name.
  3. Scroll down and choose Create Topic.

Allow account B to perform subscribe action on the topic.

  1. Edit the topic access policy to grant account B sns:Subscribe permission.
  2. Add the policy statement shown below and Save:
{
  "Sid": "Allow-AccountB-To-Subscribe",
  "Effect": "Allow",
  "Principal": {
    "AWS": ""
  },
  "Action": "sns:Subscribe",
  "Resource": ""
}

Note: For Principal, replace <AccountB> with your account number that has the Lambda function. For the Resource field, replace <SNSTopicARN> with your Amazon Resource Name (ARN) of the SNS topic.

Create a Lambda function in account B:

  1. Open the Function page on the AWS Lambda console. Then, choose Create function.
  2. Enter a Function name.
  3. For Execution role, choose Create a new role with basic Lambda permissions. Lambda creates an execution role that grants the function permission to upload logs to Amazon CloudWatch.
  4. Scroll down and choose the Create function button.

Subscribe a Lambda function by adding a trigger on Lambda console (option 1)

  1. Open the Function page on the AWS Lambda console and select the function that you created earlier.
  2. Choose the Add Trigger button.
  3. On the Trigger configuration page, select SNS from the dropdown list.
  4. On SNS Topic field, paste the topic ARN.
  5. Select the Add button.

The SNS topic in account A can now invoke your Lambda function in account B.

Test the configuration

Test by publishing a message to the SNS topic.
Note: When you add the trigger from the Lambda console, Lambda automatically adds the necessary permissions for Amazon SNS to invoke your Lambda function from this trigger.

Subscribe a Lambda function by adding a subscription from the SNS console (option 2)

This option requires you to explicitly grant the SNS service principal permission to perform lambda:InvokeFunction action.

Allow the SNS service principal to invoke the Lambda function.

On the Lambda console's Functions page, select the function that you created earlier. Then complete the following steps:

  1. Choose the Configuration tab and then choose Permissions.
  2. Scroll down to the Resource-based policy section. Then, choose the Add Permissions button.
  3. Select AWS Service and choose SNS from the dropdown list. Then, populate the fields:
    For Statement ID set it to AllowSNSToInvokeFunction
    For Source ARN paste the ARN of the SNS topic created earlier
    For Action choose lambda:InvokeFunction
  4. Choose Save.
  5. Create the SNS subscription for Lambda.

From account B, open the Amazon SNS console.

  1. On the left panel, choose Subscriptions.
  2. Choose the Create Subscription button.
  3. Paste the ARN of the SNS topic from account A in the Topic ARN field.
  4. Select AWS Lambda from the Protocol dropdown list.
  5. Paste the ARN of the Lambda function on the Endpoint field
  6. Scroll down and choose the Create subscription button.

Note: Make sure that you subscribe your Lambda function to the SNS topic from the AWS account that has the Lambda function (account B). If you try to create the subscription from the account that has the SNS topic (account A), you get the following error:

Error code: AccessDeniedException - Error message: User: arn:aws:sts::XXXXXXX:XXXXXXX/XXXXX/XXXXXX is not authorized to perform: lambda:AddPermission on resource: arn:aws:lambda:region:XXXXXXX:function:XXXXXXX

Related information

Using AWS Lambda with Amazon Simple Notification Service

Why do I get an authorization error when I try to subscribe my Lambda function to my Amazon SNS topic?

AWS OFFICIAL
AWS OFFICIALUpdated 9 months ago