To troubleshoot and set up cross-account and cross-region access to an SNS topic, follow these steps:
1. IAM Role in Account B: Ensure that the IAM role in Account B, which has permissions to publish to the SNS topic, has a trust relationship allowing the Lambda function's role in Account A to assume it. The trust policy should look something like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<Account-A-ID>:role/<Lambda-Role-Name>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
2. Permissions Policy for the Role in Account B: Ensure that the role in Account B has the necessary permissions to publish to the SNS topic:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:eu-west-1:<Account-B-ID>:<SNS-Topic-Name>"
    }
  ]
}
3. Lambda Function's IAM Role in Account A: Ensure that the Lambda function's role in Account A has the necessary permissions to assume the role in Account B and to publish to the SNS topic:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::<Account-B-ID>:role/<Role-Name-in-Account-B>"
    },
    {
      "Effect": "Allow",
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:eu-west-1:<Account-B-ID>:<SNS-Topic-Name>"
    }
  ]
}
4. SNS Topic Policy: Ensure that the SNS topic in Account B has a policy allowing the role from Account A to publish to it. The SNS topic policy should look something like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<Account-B-ID>:role/<Role-Name-in-Account-B>"
      },
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:eu-west-1:<Account-B-ID>:<SNS-Topic-Name>"
    }
  ]
}
5. Lambda Code to Assume the Role: In your Lambda function in Account A, you need to assume the role in Account B before publishing to the SNS topic. Here's an example of how you might do this in Python using Boto3:
import boto3


def lambda_handler(event, context):
    # Assume the role in Account B
    sts_client = boto3.client('sts')
    assumed_role = sts_client.assume_role(
        RoleArn='arn:aws:iam::<Account-B-ID>:role/<Role-Name-in-Account-B>',
        RoleSessionName='AssumeRoleSession'
    )

    # Use the temporary credentials to create an SNS client
    credentials = assumed_role['Credentials']
    sns_client = boto3.client(
        'sns',
        region_name='eu-west-1',
        aws_access_key_id=credentials['AccessKeyId'],
        aws_secret_access_key=credentials['SecretAccessKey'],
        aws_session_token=credentials['SessionToken']
    )

    # Publish to the SNS topic
    response = sns_client.publish(
        TopicArn='arn:aws:sns:eu-west-1:<Account-B-ID>:<SNS-Topic-Name>',
        Message='Your message'
    )
    return response
Ensure you replace placeholders (<Account-A-ID>, <Account-B-ID>, <Lambda-Role-Name>, <Role-Name-in-Account-B>, <SNS-Topic-Name>, etc.) with your actual values. This setup should help you resolve the permissions errors and successfully publish to the SNS topic in Account B from the Lambda function in Account A.
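The four documents in the answer above form a chain (role A may assume role B, role B trusts role A, role B may publish, the topic allows role B), and a permissions error means one link is missing. The following is an added example, not code from the answer or from AWS: an offline checker that takes the four policy documents as Python dicts and reports which link is absent. The account IDs, role names and topic name are constructed placeholders.

```python
# Added example (not from the answer above): an offline checker for the four
# policy documents the answer lists, so a missing link is found before deploying.
# Account IDs, role names and the topic name are constructed placeholders.
ACCOUNT_A, ACCOUNT_B = "111111111111", "222222222222"
ROLE_A = f"arn:aws:iam::{ACCOUNT_A}:role/lambda-publisher"
ROLE_B = f"arn:aws:iam::{ACCOUNT_B}:role/sns-publisher"
TOPIC = f"arn:aws:sns:eu-west-1:{ACCOUNT_B}:orders"

def _stmts(policy):
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]

def _matches(field, wanted):
    """Policy fields may be a string or a list; '*' matches anything."""
    values = field if isinstance(field, list) else [field]
    return any(v in ("*", wanted) for v in values)

def allows(policy, action, resource=None, principal=None):
    """True if an Allow statement grants `action` (to `principal`, on `resource`)."""
    for s in _stmts(policy):
        if s.get("Effect") != "Allow" or not _matches(s.get("Action", []), action):
            continue
        if resource is not None and not _matches(s.get("Resource", []), resource):
            continue
        if principal is not None:
            who = s.get("Principal", {})
            who = who.get("AWS", []) if isinstance(who, dict) else who
            if not _matches(who, principal):
                continue
        return True
    return False

def check_chain(role_a_policy, role_b_trust, role_b_policy, topic_policy):
    """Return the missing links in A -> assume B -> publish; [] means complete."""
    problems = []
    if not allows(role_a_policy, "sts:AssumeRole", resource=ROLE_B):
        problems.append("role A has no sts:AssumeRole on role B")
    if not allows(role_b_trust, "sts:AssumeRole", principal=ROLE_A):
        problems.append("role B trust policy does not name role A")
    if not allows(role_b_policy, "sns:Publish", resource=TOPIC):
        problems.append("role B has no sns:Publish on the topic")
    if not allows(topic_policy, "sns:Publish", resource=TOPIC, principal=ROLE_B):
        problems.append("topic policy does not allow role B")
    return problems

# Constructed versions of the four documents from the answer, with placeholders filled in.
ROLE_A_POLICY = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_B}]}
ROLE_B_TRUST = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ROLE_A}, "Action": "sts:AssumeRole"}]}
ROLE_B_POLICY = {"Statement": [{"Effect": "Allow", "Action": "sns:Publish", "Resource": TOPIC}]}
TOPIC_POLICY = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ROLE_B}, "Action": "sns:Publish", "Resource": TOPIC}]}
```

The checker only confirms that each link is present; a trust policy whose principal is "*" passes it and should be narrowed to the specific role ARN, as the answer's trust policy already does.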
Thank you for your answer, it was clear and helpful! It's working for me now, I did not realise I had to assume the role within the lambda using STS. It is surprising that the trust relationship and roles are not enough.