Help Allowing Lambda Invocation Across Multiple AWS Accounts Using CloudFormation

Question

Please Help

I have a Lambda function in **Account A** that I want to be used as a service token in **Account B** and invoked by **Account C **based on a certain role. I am using CloudFormation in YAML to set up this configuration.

**Requirements:**

Allow the Lambda function in Account A to be invoked by any entity in Account B.

Allow the Lambda function to be invoked by Account C only if the invoker assumes a specific role.

**I am looking for guidance and full sample Cloudformation YAML**  on how to correctly configure the permissions so that the above requirements are met. Specifically, I am not sure how to set up the policy statements to allow cross-account access as described.

**Additional Information**:

Account A: Holds the Lambda function.

Account B: Needs unrestricted access to invoke the Lambda function.

Account C: Can invoke the Lambda function only if a specific role is assumed.

Riku_Kobayashi · Accepted Answer

Hello.

In Account A's Lambda, use the Assume role for Account B's IAM role to obtain temporary credentials.  
I think the code provided in the following document will be helpful.  
I think you can access Lambda in account A using the IAM role in account B to access Lambda in account C using the method described in the document below.  
https://repost.aws/knowledge-center/lambda-function-assume-iam-role

Try setting the following policy in the resource-based policy located in AWS account C.  
By setting this, account B will be able to access account C's Lambda.  
```
{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "lambda-resource-policy",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam:::root"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:::function:"
    }
  ]
}
```

Help Allowing Lambda Invocation Across Multiple AWS Accounts Using CloudFormation

Add your answer

Relevant content