I have two AWS account (A and B). On my account A, I have a lambda function which need to access to resources of account B. Precisely, my lambda on my account A, need to update a record in a Route53 zone hosted on my account B.
Contrary to S3, I don't see any resource access policy in Route53. So I'm a bit lost. I tried to play with IAM cross account roles, but that does not seems to work with lambda.
How can I allow a lambda function on an account A to access resources of my account B?
You can create a Role in account B and permit your User (in account A) to assume it.
- Create a Role in account A that will be used by your AWS Lambda function.
- Create a Role in account B with a role type of Role for Cross-Account Access. Assign the desired permissions to use Route 53 in account B. Also add permissions for the Role in account A to call
AssumeRoleon this role. - The Lambda function in account A can then call
AssumeRoleon the role in account B. This will return a set of temporary credentials that can be used to access Route 53 in account B.
See:
- Tutorial: Delegate Access Across AWS Accounts Using IAM Roles
- Creating a Role to Delegate Permissions to an IAM User
Here's a picture from the Tutorial:
来源:https://stackoverflow.com/questions/38128884/cross-account-role-for-an-aws-lambda-function