1 Answer
Hello.
I thought that if you don't need to process files, you don't need to use Lambda.
For example, if you configure cross-account S3 replication, files will be copied from account A to account B's S3 bucket.
Is there any reason to use Lambda?
The requirements for S3 replication are described in the following documents:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication.html
If you absolutely need access from Lambda, you need to create an Assume role.
- Create an IAM role in account B that can access account B's S3 bucket.
- Create an IAM role in account A so that Lambda can use the IAM role in account B.
```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::account B ID:role/IAM role name created in No.1"
  }
}
```
- Set the following policy in the trust policy of the IAM role created in account B.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::account A ID:role/IAM role name created in No.2"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
- In the Lambda code, you can access the S3 bucket in account B by obtaining the access key for the Assume role as shown below.
```python
import boto3


def lambda_handler(event, context):
    # Assume the role in account B. The returned credentials are temporary,
    # so they are requested inside the handler rather than cached across invocations.
    sts_connection = boto3.client('sts')
    acct_b = sts_connection.assume_role(
        RoleArn="arn:aws:iam::222222222222:role/role-on-source-account",
        RoleSessionName="cross_acct_lambda"
    )
    ACCESS_KEY = acct_b['Credentials']['AccessKeyId']
    SECRET_KEY = acct_b['Credentials']['SecretAccessKey']
    SESSION_TOKEN = acct_b['Credentials']['SessionToken']

    # Create a service client using the assumed-role credentials, e.g. S3.
    # The session token must be passed together with the key pair, otherwise
    # the temporary credentials are rejected.
    s3 = boto3.resource('s3',
                        aws_access_key_id=ACCESS_KEY,
                        aws_secret_access_key=SECRET_KEY,
                        aws_session_token=SESSION_TOKEN,
                        )
    # s3 is now scoped to account B's permissions; use it to read or copy objects.
    return s3
```
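The three steps above are two halves of one trust relationship, and a mismatch between them (the wrong role ARN on either side, or a trust policy that is broader than the single Lambda role) is the usual reason this setup fails or over-grants. The following is an added example, not code from the answer or from AWS: it generates the policies for steps 1 to 3 from account IDs and role names, keeps the account B permissions read-only and scoped to one bucket, and cross-checks that account A's `sts:AssumeRole` grant and account B's trust policy name each other. All account IDs, role names and the bucket name are constructed placeholders.

```python
"""Build and cross-check the IAM policies for an account A -> account B
assume-role chain (added example; every ID, role and bucket name below is
a constructed placeholder)."""
import json
import re

_ACCOUNT_ID = re.compile(r"^\d{12}$")


def role_arn(account_id: str, role_name: str) -> str:
    """Build a role ARN, refusing malformed account IDs early."""
    if not _ACCOUNT_ID.match(account_id):
        raise ValueError(f"account id must be 12 digits: {account_id!r}")
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def assume_policy(target_role_arn: str) -> dict:
    """Step 2: identity policy on the Lambda execution role in account A."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": "sts:AssumeRole",
                           "Resource": target_role_arn}]}


def trust_policy(assumer_role_arn: str) -> dict:
    """Step 3: trust policy on the role in account B, naming one principal only."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": assumer_role_arn},
                           "Action": "sts:AssumeRole"}]}


def bucket_read_policy(bucket: str) -> dict:
    """Step 1: permissions for the account B role, read-only and scoped to one bucket."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "s3:ListBucket",
                           "Resource": f"arn:aws:s3:::{bucket}"},
                          {"Effect": "Allow", "Action": "s3:GetObject",
                           "Resource": f"arn:aws:s3:::{bucket}/*"}]}


def _as_list(value):
    # IAM accepts a single string or a list in most fields; normalise to a list.
    return value if isinstance(value, list) else [value]


def check_chain(assumer_arn: str, target_arn: str,
                account_a_policy: dict, account_b_trust: dict) -> list:
    """Return a list of problems; an empty list means the two halves line up."""
    problems = []

    # Account A side: some Allow statement must grant sts:AssumeRole on the target role.
    grants = [s for s in _as_list(account_a_policy["Statement"])
              if s.get("Effect") == "Allow"
              and "sts:AssumeRole" in _as_list(s.get("Action", []))
              and target_arn in _as_list(s.get("Resource", []))]
    if not grants:
        problems.append(f"account A policy does not allow sts:AssumeRole on {target_arn}")

    # Account B side: the trust policy must name the Lambda role and nothing broader.
    trusted = []
    for s in _as_list(account_b_trust["Statement"]):
        if s.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(s.get("Action", [])):
            continue
        principal = s.get("Principal", {})
        trusted.extend(["*"] if principal == "*" else _as_list(principal.get("AWS", [])))
    for p in trusted:
        if p == "*":
            problems.append("account B trust policy allows any AWS principal to assume the role")
        elif p != assumer_arn:
            problems.append(f"account B trust policy trusts an unexpected principal: {p}")
    if assumer_arn not in trusted:
        problems.append(f"account B trust policy does not trust {assumer_arn}")
    return problems


if __name__ == "__main__":
    lambda_role = role_arn("111111111111", "lambda-copy-role")      # account A (placeholder)
    reader_role = role_arn("222222222222", "s3-reader-role")        # account B (placeholder)
    print(json.dumps(assume_policy(reader_role), indent=2))
    print(json.dumps(trust_policy(lambda_role), indent=2))
    print(json.dumps(bucket_read_policy("example-bucket-in-account-b"), indent=2))
    print(check_chain(lambda_role, reader_role,
                      assume_policy(reader_role), trust_policy(lambda_role)))
```

Running the module prints the three policies and an empty problem list; swapping in a trust policy that names a different role, or `"Principal": "*"`, makes `check_chain` report the mismatch before anything is deployed.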
Thanks Riku. I want to crawl the dataset using AWS Glue Crawler using data present in Account A and use the crawler to set up some ETL. The data is actually AWS Billing data (Cost and Usage Report), which can be updated up to 2-3 times a day. Thus I wanted to set up a Lambda to copy data from Account A to Account B so that we have full control over the data in our env and to avoid egress. Do you have any other suggestion? Thanks!