How do I invoke my Lambda function using a cross-account Kinesis stream?

Last updated: 2019-08-05

I want to invoke an AWS Lambda function using an Amazon Kinesis stream that's in another AWS account. How do I do that?

Short Description

Lambda doesn't currently support cross-account triggers from Kinesis or any stream-based sources.

As a workaround, you can use a "poller" Lambda function in the same account as the Kinesis stream (account A) to invoke a "processor" Lambda function in the other account (account B).

Warning: This configuration removes many of the benefits of using Kinesis Data Streams, such as sequential ordering and blocking of records within a shard. We recommend using this workaround only if your application doesn't need those features.

Resolution

Configure a Lambda function in account A

  1. Create a Lambda function in account A with an execution role.
    Note: You can create the function using the Lambda console, or by building and uploading your own deployment package.
  2. Give the execution role in account A permissions related to the Kinesis stream.
  3. Configure the Kinesis stream as the event source.
    Important: When you create the event source mapping, make sure that the Lambda function and the Kinesis stream are in the same account.

Configure a Lambda function in account B

  1. Create a Lambda function in account B with an execution role.
  2. Create an AWS Identity and Access Management (IAM) role in account B. This "invocation role" is assumed by the function in account A to invoke the function in account B.
  3. Modify the policy of the invocation role as follows:
    Give it permissions to invoke (using the lambda:InvokeFunction action) the Lambda function in the same account (account B).
    Edit the trust relationship to allow the execution role in account A to assume the invocation role.

For more information, see Identity-based IAM Policies for AWS Lambda and Creating a Role to Delegate Permissions to an AWS Service.

Update the configurations

  1. Modify the policy of the execution role in account A. Give it permissions to call the AssumeRole API (using the sts:AssumeRole action) to assume the invocation role in account B. For more information, see Granting a User Permissions to Switch Roles.
  2. Update the code of your Lambda function in account A so that it does the following:
    Assumes the invocation role in account B. For more information and an example, see Switching to an IAM Role (AWS API).
    Passes the input event from the function in account A to the function in account B by instantiating a service client with the temporary credentials and using the appropriate SDK method to request asynchronous invocation (invocation type Event).
    Note: To determine the SDK method to call, see the SDK documentation for your runtime.
  3. Configure a dead-letter queue (DLQ) for the function in account B. This allows you to investigate or retry any missed events in case of a function error.
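The following is an added example (not code from the AWS article) of the "poller" function in account A, written for the Python runtime with boto3: it assumes the invocation role in account B and forwards the Kinesis batch with invocation type Event. The role and function ARNs are hypothetical placeholders read from environment variables, and the AWS clients are injectable so the logic can be exercised without AWS access.

```python
"""Poller for account A: assume the invocation role in account B, forward the batch."""
import json
import os

# Hypothetical ARNs; set these as environment variables on the poller function.
INVOCATION_ROLE_ARN = os.environ.get(
    "INVOCATION_ROLE_ARN", "arn:aws:iam::222222222222:role/kinesis-invocation-role")
PROCESSOR_FUNCTION_ARN = os.environ.get(
    "PROCESSOR_FUNCTION_ARN", "arn:aws:lambda:us-east-1:222222222222:function:processor")


def assume_invocation_role(sts_client, role_arn, session_name="kinesis-poller"):
    """Call sts:AssumeRole (permitted by the execution role in account A) and
    return the short-lived credentials; 900 s is the shortest allowed duration."""
    resp = sts_client.assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                                  DurationSeconds=900)
    return resp["Credentials"]


def forward_event(event, lambda_client, function_arn):
    """Invoke the processor asynchronously (InvocationType=Event) with the raw
    Kinesis event so the records reach account B unchanged."""
    records = event.get("Records") or []
    if not records:
        return {"forwarded": 0}
    resp = lambda_client.invoke(FunctionName=function_arn, InvocationType="Event",
                                Payload=json.dumps(event).encode("utf-8"))
    # An accepted asynchronous invocation returns HTTP 202; anything else means
    # the batch was not queued, so raise and let the poller's own retry handle it.
    if resp.get("StatusCode") != 202:
        raise RuntimeError("asynchronous invoke was not accepted: %r" % resp)
    return {"forwarded": len(records), "status": resp["StatusCode"]}


def lambda_handler(event, context, sts_client=None, lambda_client_factory=None):
    """Lambda entry point. Real boto3 clients are created only when none are injected."""
    if sts_client is None or lambda_client_factory is None:
        import boto3  # imported lazily; available in the Lambda Python runtime
        sts_client = sts_client or boto3.client("sts")
        lambda_client_factory = lambda_client_factory or (lambda creds: boto3.client(
            "lambda",
            region_name=PROCESSOR_FUNCTION_ARN.split(":")[3],  # region from the ARN
            aws_access_key_id=creds["AccessKeyId"],
            aws_secret_access_key=creds["SecretAccessKey"],
            aws_session_token=creds["SessionToken"]))
    creds = assume_invocation_role(sts_client, INVOCATION_ROLE_ARN)
    return forward_event(event, lambda_client_factory(creds), PROCESSOR_FUNCTION_ARN)
```

Keep the batch size of the Kinesis event source mapping small enough that the serialized event stays within the asynchronous invocation payload limit, since the whole batch is sent as one payload.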