AWS - configure a Lambda function to assume a role from another AWS account

Repost from https://aws.amazon.com/premiumsupport/knowledge-center/lambda-function-assume-iam-role/

I need my AWS Lambda function to assume a role from another AWS account to perform a specific task. How can I configure that?

Short Description

You can give a Lambda function created in one account ("account A") permissions to assume a role from another account ("account B") to access resources such as an Amazon Simple Storage Service (Amazon S3) bucket, or to do tasks such as starting and stopping instances.
  • Execution role – The primary role in account A that gives the Lambda function permission to do its work.
  • Assumed role – A role in account B that the Lambda function in account A assumes to gain access to cross-account resources.
For more information, see AWS Lambda Permissions.

Resolution

1.    Attach this IAM policy to your Lambda function's execution role in account A to assume the role in account B:
Note: Replace 222222222222 with the AWS account ID of account B. Replace role-on-source-account with the name of the assumed role.
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::222222222222:role/role-on-source-account"
    }
}
2.    Modify the trust policy of the assumed role in account B to the following:
Note: Replace 111111111111 with the AWS account ID of account A. Replace my-lambda-executionrole-source-account with the name of the execution role.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111111111111:role/my-lambda-executionrole-source-account"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
3.    Update your Lambda function code to add the AWS Security Token Service (AWS STS) AssumeRole call. This call returns a set of credentials that you can use to create a service client. When using this client, your function has the permissions conferred to it by the assumed role, and it acts as if it belongs to account B.
For more information on using the assume_role call, see the Amazon Web Services (AWS) SDK for Python documentation.
This function code in Python is provided as-is. You can use it as an example for your own use case.
Note: Replace 222222222222 with the AWS account ID of account B. Replace role-on-source-account with the name of the assumed role.
import boto3

def lambda_handler(context, event):

    sts_connection = boto3.client('sts')
    acct_b = sts_connection.assume_role(
        RoleArn="arn:aws:iam::222222222222:role/role-on-source-account",
        RoleSessionName="cross_acct_lambda"
    )
    
    ACCESS_KEY = acct_b['Credentials']['AccessKeyId']
    SECRET_KEY = acct_b['Credentials']['SecretAccessKey']
    SESSION_TOKEN = acct_b['Credentials']['SessionToken']

    # create service client using the assumed role credentials, e.g. S3
    client = boto3.client(
        's3',
        aws_access_key_id=ACCESS_KEY,
        aws_secret_access_key=SECRET_KEY,
        aws_session_token=SESSION_TOKEN,
    )

    return "Hello from Lambda"

Comments

Post a Comment

Popular posts from this blog

Python: pickle and copyreg

multiprocessing must pickle things to sling them among processes, and bound methods are not picklable. The workaround (whether you consider it "easy" or not;-) is to add the infrastructure to your program to allow such methods to be pickled, registering it with the  copy_reg standard library method. Following is from the python doc The  copyreg  module offers a way to define functions used while pickling specific objects. The  pickle  and  copy  modules use those functions when pickling/copying those objects. The module provides configuration information about object constructors which are not classes. Such constructors may be factory functions or class instances. copyreg . constructor ( object ) Declares  object  to be a valid constructor. If  object  is not callable (and hence not valid as a constructor), raises  TypeError . copyreg . pickle ( type ,  function ,  constructor=None ) Declares that  ...
Read more

Swift: Codable

Image
From  https://hackernoon.com/everything-about-codable-in-swift-4-97d0e18a2999 As we are all aware, to support encoding and decoding of instances in iOS, a class must adopt the  NSCoding  protocol and implement its methods: init(coder:) — Returns an object initialized from data in a given unarchiver. encode(with:) — Encodes the receiver using a given archiver. Example: Code Snippet — 1 init(coder:)  and  encode(with:)  must contain the code for each property that needs to be encoded or decoded. 😲 Well, it seems that you have to write so much of redundant code πŸ˜– only with the property name changes.  Copy Paste..Copy Paste..!!!πŸ˜•πŸ˜΄ But why should I do that? πŸ™‡‍♀️ If the property names are same as the key names and I don’t have any specific requirements, why don’t  NSCoding  handle everything at its own end? 🀷‍♀️ Why do I have to write so much code? Noooooo..!!! 😼 OMG..!!! Another problem 🀦‍♀️. It doesn’t even ...
Read more

Java - Writing your own JUnit Rule

 Repost from  https://medium.com/@vanniktech/writing-your-own-junit-rule-3df41997b10c A JUnit Rule can be used to do some work around the execution of a test. One example would be to set up something before a test is running and then after it ran tearing something down. This is actually quite simple to do with JUnit itself. public class YourTest { @Before public void setUp() { // Do something before exampleTest starts. } @Test public void exampleTest() { // Your normal test. } @After public void tearDown() { // Do something after exampleTest finished. } } Now imagine you want to connect to a database during  setUp  and then close the connection in  tearDown . If you want to use that database in multiple files you don’t want to copy paste that code in every file. TestRule Let’s look at a quick example of a custom TestRule. public final class DatabaseRule implements TestRule { public Database database; @Override public Statement apply(f...
Read more