How can I use a Lambda function created in one AWS account with an AWS CloudFormation custom resource in another AWS account?
Last updated: 2021-02-15
I want to create an AWS Lambda function in one account, and then invoke that function from an AWS CloudFormation custom resource in another account.
You can invoke a Lambda function from a custom resource in a different account only if the Lambda function and the custom resource are in the same AWS Region. The ServiceToken property of AWS::CloudFormation::CustomResource must refer to a function in the same Region where you create your AWS CloudFormation stack. You must use a resource-based policy on the Lambda function to grant the account that owns the custom resource permission to invoke the function.
Note: When you associate a Lambda function with a custom resource, the function is invoked whenever the custom resource is created, updated, or deleted. AWS CloudFormation calls the Lambda API to invoke the function and passes all the request data to the function. For example, the request data includes the request type and the resource properties.
Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.
To allow a custom resource in another account (Account B) to invoke your Lambda function, run the AWS CLI command add-permission in the account that owns the function (Account A).
1. When the Lambda function is created through a stack in Account A, use the AWS::Lambda::Permission resource in that stack to grant Account B permission to invoke the function.
2. In Account B, launch the AWS CloudFormation stack that contains your custom resource.
Note: Be sure that the ServiceToken refers to the Lambda function's Amazon Resource Name (ARN) from Account A. Include any additional properties to send to the custom resource as input.
3. Use Amazon CloudWatch Logs to confirm that your custom resource from Account B invoked your Lambda function in Account A.
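The following two CloudFormation templates are an added, constructed example of the procedure above; they are not templates from the article. The first is deployed in Account A and creates the Lambda function together with an AWS::Lambda::Permission whose Principal is the Account B account ID. The second is deployed in Account B, in the same Region, and creates the custom resource whose ServiceToken is the Account A function ARN. The account IDs, the function ARN, the Region, and the Message property are placeholders.

```yaml
# --- File 1: deploy in Account A (owner of the Lambda function) ---
AWSTemplateFormatVersion: '2010-09-09'
Description: Lambda function that backs a custom resource in another account
Parameters:
  ConsumerAccountId:
    Type: String
    Description: Account B, the account whose custom resource may invoke this function (placeholder)
    Default: '111122223333'
Resources:
  CustomResourceFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: lambda.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        # Only CloudWatch Logs permissions: the handler needs nothing else
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
  CustomResourceFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.9
      Handler: index.handler
      Role: !GetAtt CustomResourceFunctionRole.Arn
      Timeout: 30
      Code:
        ZipFile: |
          import json
          import urllib.request

          def handler(event, context):
              # Log the full request (RequestType, ResourceProperties, ...) so step 3
              # can be verified in the function's CloudWatch log group.
              print(json.dumps(event))
              props = event.get("ResourceProperties", {})
              # Every Create, Update and Delete request must be answered, otherwise
              # the stack in Account B hangs until the custom resource times out.
              body = {
                  "Status": "SUCCESS",
                  "Reason": "See log stream " + context.log_stream_name,
                  "PhysicalResourceId": event.get("PhysicalResourceId") or context.log_stream_name,
                  "StackId": event["StackId"],
                  "RequestId": event["RequestId"],
                  "LogicalResourceId": event["LogicalResourceId"],
                  "Data": {"Echo": props.get("Message", "")},
              }
              data = json.dumps(body).encode()
              # The pre-signed ResponseURL expects a PUT with an empty Content-Type.
              req = urllib.request.Request(event["ResponseURL"], data=data, method="PUT",
                                           headers={"Content-Type": ""})
              urllib.request.urlopen(req)
  ConsumerInvokePermission:
    # Resource-based policy statement: lets Account B invoke this function only.
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref CustomResourceFunction
      Principal: !Ref ConsumerAccountId
Outputs:
  FunctionArn:
    Description: Use this value as ServiceToken in Account B
    Value: !GetAtt CustomResourceFunction.Arn

---
# --- File 2: deploy in Account B, in the same Region as the function ---
AWSTemplateFormatVersion: '2010-09-09'
Description: Custom resource backed by a Lambda function in Account A
Parameters:
  ProviderFunctionArn:
    Type: String
    Description: FunctionArn output of the Account A stack (placeholder value)
    Default: arn:aws:lambda:us-east-1:222233334444:function:CustomResourceFunction
Resources:
  CrossAccountCustomResource:
    Type: AWS::CloudFormation::CustomResource
    Properties:
      ServiceToken: !Ref ProviderFunctionArn
      # Any additional property is passed to the function as ResourceProperties
      Message: hello from Account B
Outputs:
  Echo:
    Value: !GetAtt CrossAccountCustomResource.Echo
```

If the function already exists in Account A and was not created by a stack, the equivalent of ConsumerInvokePermission is the CLI call from the text: aws lambda add-permission --function-name CustomResourceFunction --statement-id AllowAccountB --action lambda:InvokeFunction --principal 111122223333. Two checks are worth making before troubleshooting further: the principal in Account B that creates the stack (the user or the stack's service role) also needs an identity-based lambda:InvokeFunction permission on the Account A function ARN, because cross-account access requires both the resource-based policy and the caller's own policy; and the log group /aws/lambda/CustomResourceFunction in Account A should show the printed request event with RequestType Create after the Account B stack is launched, which is the confirmation described in step 3.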