I want to create an AWS Lambda function in one account, and then invoke that function from an AWS CloudFormation custom resource in another account.
Short description
You can invoke a Lambda function from a custom resource in another account only if the function and the custom resource are in the same AWS Region. The ServiceToken property of AWS::CloudFormation::CustomResource must point to a function in the same Region where you created your AWS CloudFormation stack. You must use a resource-based policy on the Lambda function to grant the account that contains your custom resource permission to invoke the function.
Note: When you associate a Lambda function with a custom resource, the custom resource invokes the function whenever it is created, updated, or deleted. CloudFormation calls a Lambda API to pass all the request data, such as request type and resource properties, to the function.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
Run the AWS CLI add-permission command in your primary account (Account A). The command grants the custom resource in another account (Account B) permission to invoke the Lambda function in Account A.
-or-
Use the AWS::Lambda::Permission resource to grant Account B permission to invoke the Lambda function in Account A:
- When you create the Lambda function through a stack in Account A, add an AWS::Lambda::Permission resource to that stack to grant Account B permission to invoke the function.
- In Account B, launch the AWS CloudFormation stack that contains your custom resource.
Note: Be sure that the ServiceToken refers to the Lambda function's Amazon Resource Name (ARN) from Account A. Include any additional properties to send to the custom resource as input.
- Use Amazon CloudWatch Logs to confirm that your custom resource from Account B invoked your Lambda function in Account A.
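The following Python script is an added example and is not part of the AWS article. It walks through the steps above offline: it parses the function ARN that Account B will use as its ServiceToken, enforces the same-Region rule before a stack is launched, builds the AWS::Lambda::Permission resource for Account A's template and the AWS::CloudFormation::CustomResource resource for Account B's template, and checks the function's resource-based policy (the Policy string that `aws lambda get-policy` returns) for a statement that lets Account B invoke the function. The account IDs 111111111111 and 222222222222, the function name cross-account-cr, the Region us-east-1 and the sample policy document are all constructed values, not taken from the article.

```python
"""Added example (not from the AWS article): cross-account custom resource wiring.

Constructed assumptions: Account A = 111111111111 owns the Lambda function
cross-account-cr in us-east-1; Account B = 222222222222 owns the custom resource.
"""
import json
import re

ACCOUNT_A = "111111111111"  # constructed sample value
ACCOUNT_B = "222222222222"  # constructed sample value
FUNCTION_ARN = f"arn:aws:lambda:us-east-1:{ACCOUNT_A}:function:cross-account-cr"

# Lambda function ARN layout: arn:<partition>:lambda:<region>:<account>:function:<name>[:<qualifier>]
_ARN_RE = re.compile(
    r"^arn:aws[a-z-]*:lambda:(?P<region>[a-z0-9-]+):(?P<account>\d{12})"
    r":function:(?P<name>[A-Za-z0-9_-]+)(?::(?P<qualifier>[A-Za-z0-9$_-]+))?$"
)


def parse_lambda_arn(arn):
    """Split a Lambda function ARN into region, account, name and optional qualifier."""
    match = _ARN_RE.match(arn)
    if not match:
        raise ValueError(f"not a Lambda function ARN: {arn}")
    return match.groupdict()


def check_service_token(service_token, stack_region):
    """True if a stack in stack_region may use service_token as its ServiceToken.

    The article's constraint: the function must live in the same Region as the stack.
    """
    return parse_lambda_arn(service_token)["region"] == stack_region


def lambda_permission_resource(function_arn, invoking_account):
    """AWS::Lambda::Permission resource for Account A's template.

    Equivalent CLI step run in Account A:
      aws lambda add-permission --function-name <name> --statement-id AllowAccountB \
        --action lambda:InvokeFunction --principal <Account B id>
    """
    return {
        "Type": "AWS::Lambda::Permission",
        "Properties": {
            "Action": "lambda:InvokeFunction",
            "FunctionName": function_arn,
            "Principal": invoking_account,
        },
    }


def custom_resource(service_token, stack_region, **properties):
    """AWS::CloudFormation::CustomResource for Account B's template.

    Rejects a cross-Region ServiceToken at template-build time instead of waiting
    for the stack to fail. Extra keyword arguments become input properties.
    """
    if not check_service_token(service_token, stack_region):
        raise ValueError(f"ServiceToken {service_token} is not in Region {stack_region}")
    return {
        "Type": "AWS::CloudFormation::CustomResource",
        "Properties": {"ServiceToken": service_token, **properties},
    }


def account_can_invoke(policy_document, account_id, function_arn):
    """Check a function's resource-based policy for an Allow on lambda:InvokeFunction
    whose principal is account_id (add-permission records it as the account's root ARN)
    and whose resource is function_arn. policy_document may be a JSON string or a dict."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    root_arn = f"arn:aws:iam::{account_id}:root"

    def as_list(value):
        return [value] if isinstance(value, str) else list(value or [])

    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws_principals = as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if ("lambda:InvokeFunction" in as_list(stmt.get("Action"))
                and (root_arn in aws_principals or account_id in aws_principals)
                and function_arn in as_list(stmt.get("Resource"))):
            return True
    return False


# Constructed sample of what `aws lambda get-policy` returns after the add-permission step.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [{
        "Sid": "AllowAccountB",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_B}:root"},
        "Action": "lambda:InvokeFunction",
        "Resource": FUNCTION_ARN,
    }],
})

if __name__ == "__main__":
    print(json.dumps({"AccountATemplate": {"InvokeFromAccountB": lambda_permission_resource(FUNCTION_ARN, ACCOUNT_B)},
                      "AccountBTemplate": {"CrossAccountCR": custom_resource(FUNCTION_ARN, "us-east-1", Environment="prod")}},
                     indent=2))
    print("Account B may invoke:", account_can_invoke(SAMPLE_POLICY, ACCOUNT_B, FUNCTION_ARN))
```

The policy check is the verification a reviewer would want before launching the Account B stack: it confirms that the grant names Account B, the invoke action and this specific function, rather than trusting that the add-permission command succeeded. A policy that grants a different account, or that omits the function ARN, is reported as not allowing the invocation.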
Related information
Granting function access to other accounts