Using CDK, how can I set up a Lambda in account A to trigger on a DynamoDB stream in account B?

-1

Hi,

I have a DynamoDB in account B that has a stream enabled. On account B, I have an IAM role with permissions that allow a lambda to be triggered on a stream event:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "APIAccessForDynamoDBStreams",
            "Effect": "Allow",
            "Action": [
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator",
                "dynamodb:DescribeStream",
                "dynamodb:ListStreams"
            ],
            "Resource": "ARN TO DYNAMODB STREAM"
        }
    ]
}

This role has a trust policy to the Lambda's role in account A.

I can now set up an EventSourceMapping in CDK code to wire the DynamoDB stream (event) to the Lambda (target). Note that this event source mapping is also in account A, not B (should it be in account B?)

    import { EventSourceMapping, StartingPosition } from 'aws-cdk-lib/aws-lambda';

    new EventSourceMapping(this, 'EventSourceMapping', {
      eventSourceArn: 'ARN TO DYNAMODB STREAM',
      target: this.workerLambda,
      batchSize: 1,
      // required for DynamoDB and Kinesis stream sources
      startingPosition: StartingPosition.LATEST,
    });

However, at this point I'm not sure how I can get the Lambda in account A to assume the role in account B so it has permissions to be triggered. If this were the reverse direction, e.g. if I needed the Lambda to write to the DynamoDB table, I could simply assume the role in the Lambda code prior to executing the write. However, there seems to be a gap in the direction I'm trying to develop?

How does the Lambda know to assume the role in account B for access to the DynamoDB stream with EventSourceMapping?

If this isn't possible, I'm thinking I might need to go DynamoDB stream -> EventBridge pipe -> SQS (all in account B). Then the SQS can have an access policy that allows the Lambda in account A to access it?

2 answers
1

DynamoDB Streams and AWS Lambda triggers states the following:

You cannot use the same Lambda trigger across different AWS accounts. Both the DynamoDB table and the Lambda functions must belong to the same AWS account.

While this is true, there is a simple work-around which requires 1 extra Lambda. In Account A, where the table is placed, have a Lambda consume from the stream; this Lambda will simply invoke a Lambda in Account B. There is a slight bit of latency included; however, you can achieve the same semantics as the DynamoDB Stream directly invoking a Lambda in Account B.

DynamoDB CRUD -> Stream -> Lambda Acc A -> Lambda Acc B

AWS
Expert
answered 7 months ago
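The relay from the answer above, as an added example that is not the answerer's or AWS's code: the forwarding Lambda that reads the stream batch in the table's account and invokes the target function in the other account one record at a time. The target ARN, the `ddb-stream-relay` payload shape and the sample batch are assumptions; the cross-account call is injected so the block runs offline.

```typescript
// Added example (not from the question or answer): the relay Lambda from the
// workaround, deployed in the account that owns the table. The cross-account call
// is injected as `invoke`; in production build it once from @aws-sdk/client-lambda.
interface StreamRecord {               // subset of a DynamoDB Streams record
  eventID: string; eventName: 'INSERT' | 'MODIFY' | 'REMOVE';
  dynamodb: { SequenceNumber: string; Keys: Record<string, unknown>;
              NewImage?: Record<string, unknown>; OldImage?: Record<string, unknown> };
}
interface StreamEvent { Records: StreamRecord[] }
type Invoke = (functionArn: string, payload: string) => Promise<void>;
// Placeholder ARN of the target function in the other account (assumption).
export const TARGET_FUNCTION_ARN = 'arn:aws:lambda:us-east-1:111111111111:function:worker-lambda';
// Forward one record at a time so per-shard ordering survives the hop. On the
// first failure, throw: the event source mapping then retries the whole batch,
// so the target must be idempotent (eventID is the natural dedup key).
export async function relayBatch(event: StreamEvent, invoke: Invoke,
                                 targetArn = TARGET_FUNCTION_ARN): Promise<number> {
  let forwarded = 0;
  for (const record of event.Records) {
    const payload = JSON.stringify({ source: 'ddb-stream-relay', record });
    try {
      await invoke(targetArn, payload);
    } catch (err) {
      throw new Error(`relay failed after ${forwarded} record(s) at ${record.eventID}: ${(err as Error).message}`);
    }
    forwarded++;
  }
  return forwarded;
}
// Lambda entry point: export const handler = makeHandler(sdkBackedInvoke);
export const makeHandler = (invoke: Invoke) => (event: StreamEvent) => relayBatch(event, invoke);
// Offline stand-in for the SDK call: records every invocation, fails on one eventID.
export function makeRecordingInvoke(failOnEventId?: string) {
  const calls: { arn: string; payload: string }[] = [];
  const invoke: Invoke = async (arn, payload) => {
    calls.push({ arn, payload });
    if (JSON.parse(payload).record.eventID === failOnEventId) throw new Error('target rejected');
  };
  return { invoke, calls };
}
// Constructed sample batch: one item inserted, updated, then deleted.
export const SAMPLE_EVENT: StreamEvent = { Records: [
  { eventID: 'e1', eventName: 'INSERT', dynamodb: { SequenceNumber: '100',
      Keys: { pk: { S: 'order#1' } }, NewImage: { pk: { S: 'order#1' }, status: { S: 'NEW' } } } },
  { eventID: 'e2', eventName: 'MODIFY', dynamodb: { SequenceNumber: '101',
      Keys: { pk: { S: 'order#1' } }, OldImage: { status: { S: 'NEW' } }, NewImage: { status: { S: 'PAID' } } } },
  { eventID: 'e3', eventName: 'REMOVE', dynamodb: { SequenceNumber: '102',
      Keys: { pk: { S: 'order#1' } }, OldImage: { status: { S: 'PAID' } } } },
] };
```

Permissions it relies on, not shown here: the relay's execution role needs lambda:InvokeFunction on the one target ARN only, and the target function needs a resource-based policy that names that role as principal.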
-1
Accepted answer

Answering my own question here. The Lambda and DynamoDB table must be in the same account, and cross-account triggers on DynamoDB streams are not yet supported.

While not ideal, we have decided to place the Lambda in the same account as the DynamoDB.

answered 7 months ago
AWS
Expert
reviewed 7 months ago
  • Hi, yes, the doc that you point to is clear about it.
