
How can I use a Lambda function created in one AWS account with an AWS CloudFormation custom resource in another AWS account?


I want to create an AWS Lambda function in one account, and then invoke that function from an AWS CloudFormation custom resource in another account.

Short description

You can invoke a Lambda function from a custom resource in another account only if the function and resource are in the same AWS Region. The ServiceToken property of AWS::CloudFormation::CustomResource must be in the same Region where you created your AWS CloudFormation stack. You must use a resource-based policy to grant the accounts with your custom resources permission to invoke your Lambda function.

Note: When you associate a Lambda function with a custom resource, the custom resource invokes the function whenever it is created, updated, or deleted. CloudFormation calls a Lambda API to pass all the request data, such as request type and resource properties, to the function.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Run the AWS CLI add-permission command in your primary account (Account A). The command adds a resource-based policy statement to the Lambda function that grants the other account (Account B), where the custom resource lives, permission to invoke the function.

-or-

Use the AWS::Lambda::Permission resource to grant Account B permission to invoke the Lambda function in Account A:

  1. When a Lambda function is created through a stack in Account A, use the AWS::Lambda::Permission resource to grant permission to Account B.
  2. In Account B, launch the AWS CloudFormation stack that contains your custom resource.
    Note: Be sure that the ServiceToken refers to the Lambda function's Amazon Resource Name (ARN) from Account A. Include any additional properties to send to the custom resource as input.
  3. Use Amazon CloudWatch Logs to confirm that your custom resource from Account B invoked your Lambda function in Account A.
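The AWS::Lambda::Permission path above as a worked pair of templates. This is an added example, not code from the original article: the account IDs, the Region, the function name, the Message property and the inline handler are assumptions and placeholders.

```yaml
# Account A template (constructed example): the function plus the resource-based permission
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  ConsumerAccountId:
    Type: String            # Account B, the account that owns the custom resource (placeholder)
    AllowedPattern: "^[0-9]{12}$"
Resources:
  CustomResourceFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: lambda.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
  CustomResourceFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: cross-account-custom-resource   # assumed name, referenced from Account B
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt CustomResourceFunctionRole.Arn
      Code:
        ZipFile: |
          import cfnresponse
          def handler(event, context):
              # Always answer the presigned ResponseURL; otherwise the Account B stack hangs until timeout
              try:
                  props = event.get("ResourceProperties", {})
                  cfnresponse.send(event, context, cfnresponse.SUCCESS, {"Echo": props.get("Message", "")})
              except Exception:
                  cfnresponse.send(event, context, cfnresponse.FAILED, {})
  CrossAccountInvokePermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !GetAtt CustomResourceFunction.Arn
      Principal: !Ref ConsumerAccountId   # scope to the one consuming account, never "*"
---
# Account B template (constructed example): ServiceToken is the Account A function ARN, same Region
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  CrossAccountCustomResource:
    Type: AWS::CloudFormation::CustomResource
    Properties:
      ServiceToken: arn:aws:lambda:us-east-1:111111111111:function:cross-account-custom-resource  # placeholder ARN
      Message: hello from Account B   # extra properties arrive in event["ResourceProperties"]
```

After both stacks deploy, the function's CloudWatch Logs group in Account A should show a Create request whose ResourceProperties carry the Message value sent from Account B.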

Related information

Granting function access to other accounts

AWS OFFICIAL
Updated 4 years ago