How do I invoke my Lambda function using a cross-account Kinesis stream?
Last updated: 2019-08-05
I want to invoke an AWS Lambda function using an Amazon Kinesis stream that's in another AWS account. How do I do that?
Lambda doesn't currently support cross-account triggers from Kinesis or any stream-based sources.
As a workaround, you can use a "poller" Lambda function in the same account as the Kinesis stream (account A) to invoke a "processor" Lambda function in the other account (account B).
Warning: This configuration removes many of the benefits of using Kinesis Data Streams, such as sequential ordering and blocking of records within a shard. We recommend using this workaround only if your application doesn't need those features.
Configure a Lambda function in account A
- Create a Lambda function in account A with an execution role.
Note: You can create the function using the Lambda console, or by building and uploading your own deployment package.
- Give the execution role in account A permissions related to the Kinesis stream.
- Configure the Kinesis stream as the event source.
Important: When you create the event source mapping, make sure that the Lambda function and the Kinesis stream are in the same account.
Configure a Lambda function in account B
- Create a Lambda function in account B with an execution role.
- Create an AWS Identity and Access Management (IAM) role in account B. This "invocation role" is assumed by the function in account A to invoke the function in account B.
- Modify the policy of the invocation role as follows:
  - Give it permissions to invoke (using the lambda:InvokeFunction action) the Lambda function in the same account (account B).
  - Edit the trust relationship to allow the execution role in account A to assume the invocation role.
For more information, see Identity-based IAM Policies for AWS Lambda and Creating a Role to Delegate Permissions to an AWS Service.
Update the configurations
- Modify the policy of the execution role in account A. Give it permissions to call the AssumeRole API (using the sts:AssumeRole action) to assume the invocation role in account B. For more information, see Granting a User Permissions to Switch Roles.
- Update the code of your Lambda function in account A so that it does the following:
  - Assumes the invocation role in account B. For more information and an example, see Switching to an IAM Role (AWS API).
  - Passes the input event from function A to the function in account B by instantiating a service client and using the appropriate SDK method to request asynchronous invocation (invocation type Event).
Note: To determine the SDK method to call, see the SDK documentation for your runtime.
- Configure a dead-letter queue (DLQ) for the function in account B. This allows you to investigate or retry any missed events in case of a function error.
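An added example of the poller code for account A described in the steps above (not code from this article): it assumes the invocation role through STS, builds a Lambda client from the temporary credentials, and forwards the unchanged Kinesis event to function B with an asynchronous invoke. The role and function ARNs, the environment variable names and the Python/boto3 runtime are assumptions.

```python
import json
import os

# Placeholder ARNs (assumptions, not from the article); configure the real
# values as environment variables on the poller function in account A.
INVOCATION_ROLE_ARN = os.environ.get(
    "INVOCATION_ROLE_ARN", "arn:aws:iam::222222222222:role/lambda-invocation-role")
PROCESSOR_FUNCTION_ARN = os.environ.get(
    "PROCESSOR_FUNCTION_ARN",
    "arn:aws:lambda:us-east-1:222222222222:function:processor")

def assume_invocation_role(sts_client, role_arn, session_name="kinesis-poller"):
    """sts:AssumeRole into account B; returns the temporary credentials."""
    response = sts_client.assume_role(RoleArn=role_arn, RoleSessionName=session_name)
    return response["Credentials"]

def region_of(function_arn):
    # Region is the fourth field of arn:aws:lambda:<region>:<account>:function:<name>
    return function_arn.split(":")[3]

def build_lambda_client(credentials, region):
    """Lambda client for account B built from the assumed-role credentials."""
    import boto3  # present in the Lambda runtime; imported lazily so the
    # pure functions in this module can be unit-tested without it installed
    return boto3.client(
        "lambda", region_name=region,
        aws_access_key_id=credentials["AccessKeyId"],
        aws_secret_access_key=credentials["SecretAccessKey"],
        aws_session_token=credentials["SessionToken"])

def forward_event(lambda_client, function_arn, event):
    """Invoke function B asynchronously (InvocationType='Event') with the
    unchanged Kinesis event. Lambda answers an async invoke with HTTP 202;
    any other status means the request was not queued, so fail the poller
    and let the event source mapping retry the batch."""
    response = lambda_client.invoke(
        FunctionName=function_arn,
        InvocationType="Event",
        Payload=json.dumps(event).encode("utf-8"))
    status = response["StatusCode"]
    if status != 202:
        raise RuntimeError(f"async invoke of {function_arn} returned {status}")
    return status

def handler(event, context):
    """Entry point of the poller function in account A."""
    import boto3
    credentials = assume_invocation_role(boto3.client("sts"), INVOCATION_ROLE_ARN)
    client = build_lambda_client(credentials, region_of(PROCESSOR_FUNCTION_ARN))
    return forward_event(client, PROCESSOR_FUNCTION_ARN, event)
```

Because the whole batch is forwarded in a single Event invoke, function B still receives the records of that batch together, but ordering across batches and blocking within a shard are lost, as the warning above describes.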