EventBridge rule trigger step/lambda function from another account

0

Hi,

I have two AWS accounts named A and B. I want to create an EventBridge rule on A that will run a Lambda/Step Function on B, and at runtime I don't have access to B, only to A.

The problem with the Lambda function is that I can't define permissions from A on the Lambda function on B that will allow running the Lambda using a rule from A.

And for Step Functions, I need to define at rule creation a role that allows triggering the Step Function on A. I added an IAM role with a trust policy in account B that will allow A to trigger the Step Function in B, but I still get an error that I can't do cross-account.

So how can I define permissions for the Lambda on B from A? And how can I allow the rule on A to run the Step Function on B?

Thank you

1 Answer
1
Accepted Answer

When defining rules for cross-account event delivery, you can only use targets that support resource access policies. Thus, you can invoke a Lambda function in a different account but not a Step Functions workflow. You would need to trigger it using another Lambda function.

With that in mind, to invoke the function you need to configure permissions so:

  1. The EventBridge rule on account A has an IAM execution role that allows it to send events to the target on account B.
  2. The target resource policy on account B must explicitly allow receiving events for the aforementioned execution role on account A.

You can find further details in this blog post, which covers cross-account delivery. It provides an example using Amazon SQS but it should be the same for Lambda functions.

AWS
answered 25 days ago
AWS EXPERT
reviewed 24 days ago
  • Solved:
    I had a problem: I followed the blog guide and yet the rule didn't trigger the Lambda. The problem was that, by mistake, instead of adding a resource-based policy to the Lambda, I added a policy to the role of the Lambda.

  • Glad you figured it out!
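
The fix reported in the comments turns on where the policy is attached: on the function (resource-based, with a `Principal`) rather than on the Lambda's own role (identity-based, no `Principal`). The following Python check is an added example, not code from the answer or the linked blog post; the account IDs, ARNs and function names are constructed, and Conditions and Deny statements are not evaluated.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample values; none of these ARNs come from the original thread.
RULE_ROLE = "arn:aws:iam::111111111111:role/eventbridge-invoke-role"   # account A
FUNCTION = "arn:aws:lambda:us-east-1:222222222222:function:target-fn"  # account B
ALLOW_INVOKE = {"Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": FUNCTION}

# The mistake from the comment: an identity policy (no Principal) on the Lambda's role.
ROLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [ALLOW_INVOKE]})
# What the answer asks for: a resource-based policy on the function naming the rule's role.
FUNCTION_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    dict(ALLOW_INVOKE, Principal={"AWS": RULE_ROLE})]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, fold=False):
    # IAM-style '*' wildcards; fold=True compares case-insensitively (action names).
    norm = str.lower if fold else str
    return any(fnmatchcase(norm(value), norm(p)) for p in _as_list(patterns))

def check_target_policy(policy_json, rule_role_arn, function_arn):
    """Return (ok, reason). Conditions and explicit Deny statements are not evaluated."""
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    if statements and all("Principal" not in s for s in statements):
        return False, "identity policy: no Principal, so it belongs on a role, not the function"
    account_root = "arn:aws:iam::%s:root" % rule_role_arn.split(":")[4]
    for s in statements:
        principal = s.get("Principal")
        named = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if (s.get("Effect") == "Allow"
                and (rule_role_arn in named or account_root in named)
                and _matches(s.get("Action", []), "lambda:InvokeFunction", fold=True)
                and _matches(s.get("Resource", []), function_arn)):
            return True, "resource policy lets the rule's role invoke the function"
    return False, "no Allow statement names the rule's role for lambda:InvokeFunction"

if __name__ == "__main__":
    for name, doc in (("role policy", ROLE_POLICY), ("function policy", FUNCTION_POLICY)):
        print(name, "->", check_target_policy(doc, RULE_ROLE, FUNCTION))
```

To run it against a real function, pass in the policy document that `aws lambda get-policy` returns in its `Policy` field.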
