How do I set up Amazon S3 event notifications to invoke a Lambda function that's in another AWS account?

4 minute read

I want my Amazon Simple Storage Service (Amazon S3) bucket to invoke an AWS Lambda function in another AWS account.

Short description

To have your Amazon S3 bucket invoke a Lambda function in another AWS account, do the following:

1.    Update your Lambda function's resource-based permissions policy to grant invoke permission to Amazon S3.

2.    Create an Amazon S3 event notification that invokes your Lambda function.

Important: The Lambda function must be in the same AWS Region as your S3 bucket. For information on migrating functions, see How do I migrate a Lambda function to another AWS account or Region using the Lambda console?

Resolution

Note: You must have the following information to complete this procedure:

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you're using the most recent AWS CLI version.

Update your Lambda function's resource-based permissions policy to grant invoke permission to Amazon S3

AWS Management Console

1.    Open the Functions page on the Lambda console using the AWS account that your Lambda function is in.

2.    Choose the name of the Lambda function that you want to be invoked by Amazon S3.

3.    In the Configuration tab, choose Permissions.

4.    In the Resource-based policy pane, choose Add permissions.

5.    In the Policy statement pane, choose AWS service. The Service dropdown list appears.

6.    In the Service dropdown list, choose S3. More text fields appear.

7.    For Source account, enter the AWS account ID of the account that's hosting your S3 bucket.

8.    For Source ARN, enter your S3 bucket's ARN. Use the following format:

Note: Replace bucket_name with the name of your S3 bucket.

arn:aws:s3:::bucket_name

9.    For Action, select lambda:InvokeFunction from the dropdown list.

10.    For Statement ID, enter a unique statement ID to differentiate the statement that you're creating within the policy.

11.    Choose Save.

For more information, see Using resource-based policies for AWS Lambda.

AWS CLI

Update your Lambda function's resource-based permissions policy to grant invoke permission to Amazon S3 with the add-permission command, similar to the following:

aws lambda add-permission \
--function-name LambdaFunction_name \
--action lambda:InvokeFunction \
--principal s3.amazonaws.com \
--source-arn arn:aws:s3:::bucket_name \
--statement-id "unique_statement_ID"

Note: Replace LambdaFunction_name, bucket_name, and unique_statement_ID with your own values.

Create an Amazon S3 event notification that invokes your Lambda function

AWS Management Console

Follow the instructions to activate and configure event notifications using the Amazon S3 console.

AWS CLI

Create an Amazon S3 event notification that invokes your Lambda function with the put-bucket-notification-configuration command, similar to the following:

Note: Replace bucket_name with the name of your S3 bucket.

aws s3api put-bucket-notification-configuration \
--bucket bucket_name \
--notification-configuration file://notification.json

Create and save the notification.json file similar to the following:

Note: Replace LambdaFunction_ARN with your Lambda function ARN. For Name, use either prefix or suffix, and replace string with the object key prefix or suffix that the filter rule must match.

{
  "LambdaFunctionConfigurations": [
    {
      "Id": "my-lambda-function-s3-event-configuration",
      "LambdaFunctionArn": "LambdaFunction_ARN",
      "Events": [ "s3:ObjectCreated:*" ],
      "Filter": {
        "Key": {
          "FilterRules": [
            {
              "Name": "prefix",
              "Value": "string"
            }
          ]
        }
      }
    }
  ]
}
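As an added example (not part of the article), the same two steps in Python with boto3, written so that the bucket's existing notifications survive: put-bucket-notification-configuration replaces the whole configuration rather than appending to it, so the current configuration is fetched and merged first. The clients (lambda_client with the function owner's credentials, s3_client with the bucket owner's credentials), function names and any account IDs are assumptions.

```python
import copy

# Keys that get-bucket-notification-configuration returns and that
# put-bucket-notification-configuration accepts back as input.
_CONFIG_KEYS = ("TopicConfigurations", "QueueConfigurations",
                "LambdaFunctionConfigurations", "EventBridgeConfiguration")


def build_lambda_configuration(config_id, function_arn, events, prefix=None, suffix=None):
    """One LambdaFunctionConfigurations entry, in the notification.json shape."""
    rules = []
    if prefix is not None:
        rules.append({"Name": "prefix", "Value": prefix})
    if suffix is not None:
        rules.append({"Name": "suffix", "Value": suffix})
    cfg = {"Id": config_id, "LambdaFunctionArn": function_arn, "Events": list(events)}
    if rules:
        cfg["Filter"] = {"Key": {"FilterRules": rules}}
    return cfg


def merge_notification_configuration(existing, lambda_cfg):
    """Copy of the bucket's current configuration with lambda_cfg added.

    put-bucket-notification-configuration replaces the whole configuration, so
    existing topic/queue/Lambda entries are sent back alongside the new one.
    An entry with the same Id is replaced, which keeps re-runs idempotent, and
    ResponseMetadata from the get call is dropped (it is not an input key).
    """
    merged = {k: copy.deepcopy(v) for k, v in existing.items() if k in _CONFIG_KEYS}
    lambda_cfgs = merged.setdefault("LambdaFunctionConfigurations", [])
    lambda_cfgs[:] = [c for c in lambda_cfgs if c.get("Id") != lambda_cfg["Id"]]
    lambda_cfgs.append(lambda_cfg)
    return merged


def grant_and_subscribe(lambda_client, s3_client, function_name, bucket,
                        bucket_account_id, lambda_cfg, statement_id):
    """Step 1 with the function owner's credentials (lambda_client), step 2 with
    the bucket owner's credentials (s3_client). SourceAccount is the console's
    'Source account' field: it ties the statement to that bucket in that account.
    """
    lambda_client.add_permission(
        FunctionName=function_name, StatementId=statement_id,
        Action="lambda:InvokeFunction", Principal="s3.amazonaws.com",
        SourceArn=f"arn:aws:s3:::{bucket}", SourceAccount=bucket_account_id)
    current = s3_client.get_bucket_notification_configuration(Bucket=bucket)
    s3_client.put_bucket_notification_configuration(
        Bucket=bucket,
        NotificationConfiguration=merge_notification_configuration(current, lambda_cfg))
```

The two helper functions need no AWS access, so the merge logic can be checked locally against a copy of the bucket's current configuration before anything is applied.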

Testing the Lambda function

Follow the instructions to test the Lambda function using the Lambda console.

If your function isn't invoked by the event notification, then follow the instructions in Why doesn't my Amazon S3 event notification invoke my Lambda function?


Related information

How do I allow my Lambda execution role to access my Amazon S3 bucket?

AWS OFFICIAL
AWS OFFICIAL updated a year ago
2 comments

Caution should be used when using the solution presented in this article. If the bucket already has event notifications, using this solution to create a new notification will clear existing notifications. put-bucket-notification-configuration doesn't append. It replaces with what is specified in the notification.json file.

Manu
answered 10 days ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
answered 9 days ago