Handling STS Session Token in step function with multiple Lambda

0

Hi,

I have 3 Lambda functions to process data from multiple accounts. Each Lambda is like a step in the overall process, meaning the output of Lambda 1 will be the input to Lambda 2.

I have a step function that takes care of the sequence of the lambda function.

Here is the use case for one account.

    • Lambda 1 -- Read the list of all aws_accounts from the given parent aws_account and return JSON payload.
    • Lambda 2 -- Reads all IAM Role information from each aws_account and returns JSON payload.
    • Lambda 3 -- Reads all IAM_Roles (in the loop) from previous steps and returns a list of policies in each IAM Role as JSON payload.

We have an IAM role in the parent account which has all the necessary access to read all data. I am assuming the IAM role to generate an access token to read data in each Lambda.

The same access token can be used in all functions in all 3 Lambdas. How can I pass an access token from one Lambda to another Lambda? Or how can I have a common class which will return a token and use it in all 3 Lambdas? I am trying to avoid generating access tokens 3 times, once for each Lambda separately.

Please suggest. I am a newbie to Lambda functions.

2 Answers
1

There are too many steps to describe here in detail. Here is a great article that helped me with this situation: https://medium.com/@tturnbull/passing-data-between-lambdas-with-aws-step-functions-6f8d45f717c3

Hope this helps, if so please accept this answer.

answered 9 months ago
  • Hi @Bryant, thanks for your response. I already use the event to pass the data from one Lambda to another in the Step Function. But I am more interested in sharing the STS token and do not want to pass it with the output, as this will be logged in the state machine logs.

0

Hi, there are multiple security / compliance reasons why you don't want to share such an STS token: traceability, least privilege, etc.

So, why don't you individually grant each Lambda of your Step Function the rights to do what it needs to do in a role specific to this Lambda?

You will probably be much better off by going down this path.

This short article provides good guidance on this approach: https://serverlessland.com/content/service/lambda/guides/aws-lambda-operator-guide/specialized-all-purpose

Best,

Didier

AWS EXPERT
answered 9 months ago
  • @Didier Thanks for the quick response. In my current design, I generate separate tokens within the individual Lambdas. I wasn't sure if that is best practice or if I should consider any other approach, such as creating a common class and using it in each Lambda.
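As an added example (not code from this thread or from AWS), here is the per-Lambda pattern Didier recommends in Python: each function assumes the cross-account read role itself with a session policy scoped to its own step, caches the credentials in the execution environment so warm invocations do not call STS again, and strips credentials from the payload it returns to Step Functions. The STS client is injected and replaced by a constructed stub so the code runs offline; in a real function you would pass `boto3.client("sts")` and a real role ARN.

```python
import json
from datetime import datetime, timedelta, timezone

REFRESH_MARGIN = timedelta(minutes=5)   # renew shortly before expiry
SECRET_KEYS = {"AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration"}

class RoleSessionCache:
    """Caches AssumeRole credentials per (role ARN, session policy); keep one
    module-level instance so it lives as long as the execution environment."""
    def __init__(self, sts_client, now=lambda: datetime.now(timezone.utc)):
        self._sts, self._now, self._cache = sts_client, now, {}

    def credentials(self, role_arn, session_name, session_policy=None):
        key = (role_arn, json.dumps(session_policy, sort_keys=True))
        creds = self._cache.get(key)
        if creds is None or creds["Expiration"] - self._now() < REFRESH_MARGIN:
            kwargs = {"RoleArn": role_arn, "RoleSessionName": session_name,
                      "DurationSeconds": 900}
            if session_policy:      # scope this step down to what it needs
                kwargs["Policy"] = json.dumps(session_policy)
            creds = self._sts.assume_role(**kwargs)["Credentials"]
            self._cache[key] = creds
        return creds

def safe_output(payload):
    """Drop credential fields before returning to Step Functions; state
    output is persisted in execution history and CloudWatch logs."""
    return {k: v for k, v in payload.items() if k not in SECRET_KEYS}

# Session policy for the "list IAM roles" step (Lambda 2 in the question).
LIST_ROLES_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:ListRoles", "Resource": "*"}]}

class FakeClock:
    """Constructed clock so the offline demo can simulate token expiry."""
    def __init__(self):
        self.t = datetime(2024, 1, 1, tzinfo=timezone.utc)
    def now(self):
        return self.t
    def advance(self, seconds):
        self.t += timedelta(seconds=seconds)

class FakeSts:
    """Constructed stand-in for boto3's STS client (offline demo only)."""
    def __init__(self, clock):
        self.clock, self.calls, self.last_kwargs = clock, 0, None
    def assume_role(self, **kwargs):
        self.calls, self.last_kwargs = self.calls + 1, kwargs
        exp = self.clock.now() + timedelta(seconds=kwargs["DurationSeconds"])
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "s",
                                "SessionToken": "t", "Expiration": exp}}
```

Each Lambda keeps its own `RoleSessionCache` with its own session policy, so nothing credential-like ever crosses a state boundary and CloudTrail still shows which step assumed which role.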
