AWS Cross-Account Lambda Invocation: A Complete Guide

When building serverless applications, you may encounter scenarios requiring AWS Lambda functions to be invoked across different AWS accounts. Cross-account Lambda invocation can be a powerful tool for organizations that manage multiple AWS accounts and want to facilitate secure and efficient inter-account communication. This article explores how to configure cross-account Lambda invocation, focusing on IAM permissions and best practices.


What is Cross-Account Lambda Invocation?

Cross-account Lambda invocation enables an AWS Lambda function in one account (referred to as the invoking account) to invoke a Lambda function in another account (the target account). This setup is useful for scenarios like centralized logging, shared services, or data aggregation across accounts.


Prerequisites

Before diving into the implementation, ensure you meet the following requirements:

  1. Two AWS accounts:
    • Account A (Invoking Account): Contains the Lambda function or service initiating the invocation.
    • Account B (Target Account): Contains the Lambda function to be invoked.
  2. IAM Roles and Policies: Properly configured IAM roles and policies in both accounts.
  3. AWS CLI or Management Console: To configure resources.
  4. Basic Lambda Knowledge: Familiarity with AWS Lambda and IAM.

Step-by-Step Implementation

1. Create the Target Lambda Function (Account B)

  1. Log in to Account B and navigate to the Lambda service.
  2. Create a new Lambda function or choose an existing one.
  3. Note the Amazon Resource Name (ARN) of the Lambda function (e.g., arn:aws:lambda:us-east-1:123456789012:function:TargetLambda).

2. Add a Resource-Based Policy to the Target Lambda Function

A resource-based policy allows the Lambda function in Account B to be invoked by resources or services in Account A.

  1. Navigate to the Configuration tab of the target Lambda function in Account B.
  2. Under Permissions, click Add > Add inline policy.
  3. Add the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:role/InvokingLambdaRole"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:TargetLambda"
    }
  ]
}

Replace:

  • 111111111111 with the AWS account ID of Account A.
  • InvokingLambdaRole with the IAM role used by the invoking Lambda function.
  • arn:aws:lambda:us-east-1:123456789012:function:TargetLambda with your target Lambda function's ARN.

3. Create the Invoking Lambda Function (Account A)

  1. Log in to Account A and navigate to the Lambda service.
  2. Create a new Lambda function or use an existing one.
  3. Attach an IAM role to this function with permissions to invoke the target Lambda in Account B.

4. Update the IAM Role in Account A

The IAM role in Account A must include permissions to invoke the target Lambda function. Attach the following policy to the IAM role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:TargetLambda"
    }
  ]
}

Replace arn:aws:lambda:us-east-1:123456789012:function:TargetLambda with the target Lambda function's ARN.

5. Invoke the Target Lambda Function

In the invoking Lambda function (Account A), add code to invoke the target Lambda function using the AWS SDK:

Example (Node.js):

// The AWS SDK v2 shown here is preinstalled only on Lambda Node.js runtimes up to 16;
// on Node.js 18 and later either bundle it with the function or use @aws-sdk/client-lambda.
const AWS = require('aws-sdk');
const lambda = new AWS.Lambda();

exports.handler = async (event) => {
  const params = {
    // Fully qualified ARN of the target function in Account B (a plain function name
    // would resolve only within the invoking account).
    FunctionName: 'arn:aws:lambda:us-east-1:123456789012:function:TargetLambda',
    InvocationType: 'RequestResponse', // or 'Event' for asynchronous invocation
    Payload: JSON.stringify(event)
  };

  try {
    const response = await lambda.invoke(params).promise();
    // A 200 StatusCode only means the invocation was accepted; an unhandled error
    // inside the target function is reported through FunctionError, with details in Payload.
    if (response.FunctionError) {
      throw new Error(`Target function returned an error: ${response.Payload}`);
    }
    console.log('Invocation response:', response);
    return response;
  } catch (error) {
    console.error('Error invoking Lambda:', error);
    throw error;
  }
};

6. Test the Setup

  1. Trigger the invoking Lambda function in Account A.
  2. Check the logs of the target Lambda function in Account B to confirm it was invoked successfully.

Security Best Practices

  1. Principle of Least Privilege: Limit the IAM roles and policies to only what is required.
  2. Resource-Based Policy Restrictions: Use condition keys like "aws:SourceArn" or "aws:SourceAccount" to restrict access.
  3. Monitoring and Auditing: Enable CloudTrail to log Lambda invocation events across accounts.
  4. Encryption: Use AWS Key Management Service (KMS) to encrypt sensitive data between Lambda functions.
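The resource-based policy from step 2 and the least-privilege and condition-key items above can be checked mechanically before a policy is attached. The following is an added example, not code from the original article: a small lint function that flags a wildcard principal, actions beyond lambda:InvokeFunction, a resource other than the target function ARN, and a missing account-pinning condition, run over a constructed over-broad policy and its tightened form. Account IDs, role names and ARNs are placeholder values. One caveat built into the check: aws:SourceArn and aws:SourceAccount are populated when an AWS service invokes the function on behalf of a resource, whereas a direct invocation by an IAM role in another account is pinned with aws:PrincipalAccount or aws:PrincipalOrgID.

```javascript
// Added example (not from the original article): least-privilege checks for a
// Lambda resource-based policy. All IDs and ARNs below are constructed placeholders.

const TARGET_ARN = 'arn:aws:lambda:us-east-1:123456789012:function:TargetLambda';
const ACCOUNT_A = '111111111111';

// Over-broad policy: any principal, any Lambda action, any resource, no condition.
const WEAK_POLICY = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Principal: '*',
    Action: 'lambda:*',
    Resource: '*'
  }]
};

// Tightened policy: one named role, one action, the exact function ARN, and a
// condition pinning the calling account. aws:PrincipalAccount applies to direct
// IAM-principal invocations; aws:SourceAccount applies when an AWS service invokes
// the function on behalf of a resource in that account.
const HARDENED_POLICY = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Principal: { AWS: `arn:aws:iam::${ACCOUNT_A}:role/InvokingLambdaRole` },
    Action: 'lambda:InvokeFunction',
    Resource: TARGET_ARN,
    Condition: { StringEquals: { 'aws:PrincipalAccount': ACCOUNT_A } }
  }]
};

// IAM policy fields may be a single string or an array; normalise to an array.
const asList = (v) => (Array.isArray(v) ? v : [v]);

// Return the findings for one statement; an empty list means it passes.
function checkStatement(stmt, expectedResource) {
  const findings = [];
  if (stmt.Effect !== 'Allow') return findings; // Deny statements only tighten access

  // Principal: must be a specific AWS principal, never "*" or {"AWS": "*"}.
  const principals = typeof stmt.Principal === 'object'
    ? asList(stmt.Principal.AWS || [])
    : asList(stmt.Principal);
  if (principals.length === 0 || principals.some((p) => p === '*')) {
    findings.push('principal is wildcard or missing');
  }

  // Action: only the invoke permission should be granted cross-account.
  const actions = asList(stmt.Action);
  if (actions.some((a) => a !== 'lambda:InvokeFunction')) {
    findings.push(`action broader than lambda:InvokeFunction: ${actions.join(', ')}`);
  }

  // Resource: the exact function ARN, not a wildcard or a different function.
  if (asList(stmt.Resource).some((r) => r !== expectedResource)) {
    findings.push('resource is not the target function ARN');
  }

  // Condition: the calling account or organisation must be pinned explicitly.
  const eq = stmt.Condition && stmt.Condition.StringEquals;
  const pinned = eq && ['aws:PrincipalAccount', 'aws:PrincipalOrgID', 'aws:SourceAccount']
    .some((key) => key in eq);
  if (!pinned) findings.push('no condition pinning the calling account');

  return findings;
}

// Lint every statement in the policy document; returns all findings.
function lintResourcePolicy(policy, expectedResource) {
  return asList(policy.Statement).flatMap((s) => checkStatement(s, expectedResource));
}

console.log('weak policy findings:', lintResourcePolicy(WEAK_POLICY, TARGET_ARN));
console.log('hardened policy findings:', lintResourcePolicy(HARDENED_POLICY, TARGET_ARN));
```

Run against the step 2 policy as written in this article (named principal, single action, exact ARN, no Condition block), the only finding is the missing condition, which is exactly the gap best practice 2 asks you to close.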

Troubleshooting

  1. Access Denied Errors:
    • Verify IAM role permissions in Account A.
    • Check the resource-based policy in Account B.
  2. Invocation Failures:
    • Confirm the ARN of the target Lambda function is correct.
    • Check for throttling issues and ensure proper retry mechanisms.
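The two troubleshooting categories above call for different handling in the invoking function from step 5: a permission or ARN error will not go away on retry and should fail fast with a pointer to the right check, while throttling should be retried with backoff. The following is an added example, not code from the original article, of a wrapper that does this. The `invoke` function is injected so the example runs offline against constructed fakes; in a real handler you would pass something like `(params) => lambda.invoke(params).promise()`. The error `code` values assumed here (AccessDeniedException, ResourceNotFoundException, TooManyRequestsException) are the names the AWS SDK v2 sets on Lambda service errors.

```javascript
// Added example (not from the original article): Invoke wrapper that retries only
// throttling and maps permission errors to the Troubleshooting checks.
// `invoke` is injected; the fakes below are constructed for offline use.

const RETRYABLE = new Set(['TooManyRequestsException', 'ServiceException']);
const NON_RETRYABLE_HINTS = {
  AccessDeniedException: 'check the IAM role in Account A and the resource-based policy in Account B',
  ResourceNotFoundException: 'check the target function ARN (region, account ID, function name)'
};

const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Invoke with capped exponential backoff. Resolves to { payload, attempts } on
// success; rejects immediately for errors that a retry cannot fix.
async function invokeWithRetry(invoke, params, { maxAttempts = 4, baseDelayMs = 50 } = {}) {
  for (let attempt = 1; ; attempt++) {
    try {
      const response = await invoke(params);
      // StatusCode 200 covers transport only; an unhandled error in the target
      // function is signalled via FunctionError, with details in Payload.
      if (response.FunctionError) {
        throw Object.assign(new Error(`target function failed: ${response.Payload}`), { code: 'FunctionError' });
      }
      const payload = response.Payload ? JSON.parse(response.Payload.toString()) : null;
      return { payload, attempts: attempt };
    } catch (err) {
      const hint = NON_RETRYABLE_HINTS[err.code];
      if (hint) throw new Error(`${err.code}: ${hint}`);
      if (!RETRYABLE.has(err.code) || attempt >= maxAttempts) throw err;
      // Exponential backoff with jitter, capped at one second per wait.
      const delay = Math.min(1000, baseDelayMs * 2 ** (attempt - 1)) * (0.5 + Math.random() / 2);
      await sleep(delay);
    }
  }
}

// Constructed fake: throttles the first `failures` calls, then echoes the payload.
function makeThrottlingInvoke(failures) {
  let calls = 0;
  return async (params) => {
    calls++;
    if (calls <= failures) {
      throw Object.assign(new Error('Rate Exceeded.'), { code: 'TooManyRequestsException' });
    }
    return { StatusCode: 200, Payload: JSON.stringify({ echoed: JSON.parse(params.Payload) }) };
  };
}

// Constructed fake: the permissions failure seen when either policy is missing.
const deniedInvoke = async () => {
  throw Object.assign(new Error('User is not authorized'), { code: 'AccessDeniedException' });
};

// Same parameters as the step 5 handler; the ARN is the article's placeholder value.
const PARAMS = {
  FunctionName: 'arn:aws:lambda:us-east-1:123456789012:function:TargetLambda',
  InvocationType: 'RequestResponse',
  Payload: JSON.stringify({ orderId: 42 })
};

(async () => {
  const ok = await invokeWithRetry(makeThrottlingInvoke(2), PARAMS);
  console.log('succeeded after', ok.attempts, 'attempts:', ok.payload);
  await invokeWithRetry(deniedInvoke, PARAMS).catch((e) => console.log('not retried:', e.message));
})();
```

The cap on attempts matters for the 'Event' invocation type as well: asynchronous invocations are already retried by the Lambda service, so stacking unbounded client-side retries on top would multiply load on the target account during a throttling episode.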

Conclusion

Cross-account Lambda invocation is a powerful capability that can streamline operations across AWS accounts. You can ensure secure and efficient communication between Lambda functions by carefully configuring IAM roles and resource-based policies. Remember to follow security best practices and monitor your implementation for optimal performance.