How do I set up an Amazon S3 Event Notification to invoke a Lambda function that's in another AWS account?


I want my Amazon Simple Storage Service (Amazon S3) bucket to invoke an AWS Lambda function in another AWS account.

Resolution

To set up your Amazon S3 bucket so that it invokes a Lambda function in another AWS account, complete the following steps:

  1. Update your Lambda function's resource-based permissions policy to grant invoke permission to Amazon S3.
  2. Create an Amazon S3 Event Notification that invokes your Lambda function.

Important: The Lambda function must be in the same AWS Region as your S3 bucket.

For information on how to migrate functions, see How do I migrate a Lambda function to another AWS account or Region using the Lambda console?

Update your Lambda function's resource-based permissions policy to grant invoke permission to Amazon S3

AWS Management Console

To update your Lambda function's resource-based permissions policy to grant invoke permission to Amazon S3, complete the following steps:

  1. Open the Functions page on the Lambda console with the AWS account that your Lambda function is in.
  2. Choose the name of the Lambda function that you want to be invoked by Amazon S3.
  3. In the Configuration tab, choose Permissions.
  4. In the Resource-based policy pane, choose Add permissions.
  5. In the Policy statement pane, choose AWS service. The Service dropdown list appears.
  6. In the Service dropdown list, choose S3 to see more fields.
  7. For Statement ID, enter a unique statement ID to differentiate the statement that you create within the policy.
  8. For Source account, enter the AWS account ID of the account that hosts your S3 bucket.
  9. For Source ARN, enter your S3 bucket's ARN. Use the following format:
    arn:aws:s3:::bucket_name
    Note: Replace bucket_name with the name of your S3 bucket.
  10. For Action, select lambda:InvokeFunction from the dropdown list.
  11. Choose Save.

For more information, see Working with resource-based policies in Lambda.

AWS CLI

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Update your Lambda function's resource-based permissions policy to grant invoke permission to Amazon S3 with the add-permission API, similar to the following:

aws lambda add-permission \
--function-name LambdaFunction_name \
--action lambda:InvokeFunction \
--principal s3.amazonaws.com \
--source-arn arn:aws:s3:::bucket_name \
--source-account account-id \
--statement-id "unique_statement_ID"

Note: Replace LambdaFunction_name, bucket_name, account-id, and unique_statement_ID with your values. Keep both --source-arn and --source-account: without them, the statement lets the S3 service principal invoke your function on behalf of any bucket in any AWS account, not only yours. In the resulting policy statement, --source-arn becomes an ArnLike condition on AWS:SourceArn and --source-account becomes a StringEquals condition on AWS:SourceAccount. You can confirm that both conditions are present with aws lambda get-policy --function-name LambdaFunction_name.

Create an Amazon S3 Event Notification that invokes your Lambda function

AWS Management Console

Follow the instructions to activate and configure Event Notifications using the Amazon S3 console.

AWS CLI

To create an Amazon S3 Event Notification that invokes your Lambda function, use the put-bucket-notification-configuration command.

Important: Before you use the put-bucket-notification-configuration command, check whether your S3 bucket already has other Event Notifications configured. The command replaces the bucket's entire notification configuration with the contents of the file that you pass; it doesn't append to it. Any existing Amazon SQS, Amazon SNS, EventBridge, or Lambda notification that's missing from the file is removed.

To check if your bucket already has Event Notifications, run the following command:

aws s3api get-bucket-notification-configuration --bucket bucket_name

If the preceding command returns an empty JSON object or no response, then you have no existing Event Notification configuration. Create and save a new file called notification.json with the following configuration:

{
  "LambdaFunctionConfigurations": [
    {
      "Id": "my-lambda-function-s3-event-configuration",
      "LambdaFunctionArn": "LambdaFunction_ARN",
      "Events": [ "s3:ObjectCreated:*" ],
      "Filter": {
        "Key": {
          "FilterRules": [
            {
              "Name": "prefix",
              "Value": "prefix_value"
            },
            {
              "Name": "suffix",
              "Value": "suffix_value"
            }
          ]
        }
      }
    }
  ]
}

Note: Replace LambdaFunction_ARN with your Lambda function ARN. Because the function is in the other account, the ARN carries that account's ID, for example arn:aws:lambda:region:account-id:function:LambdaFunction_name. Replace prefix_value and suffix_value with the object key prefix and suffix that you want to filter on, or delete the rule that you don't need; a configuration can have at most one prefix rule and one suffix rule. Omit the whole Filter block to be notified for every object key. Use "s3:ObjectCreated:*" for all object-create events, or a specific type such as "s3:ObjectCreated:Put".

If get-bucket-notification-configuration returns an existing Event Notification configuration, then save that JSON as a file called notification.json. Add your new Lambda notification to the existing LambdaFunctionConfigurations array, or add a LambdaFunctionConfigurations key if there isn't one, and leave every other key (for example QueueConfigurations or TopicConfigurations) exactly as returned. The result looks like the following, where the ... placeholders stand for the pre-existing entries that you keep unchanged:

{
  "QueueConfigurations": [ ... ],
  "TopicConfigurations": [ ... ],
  "LambdaFunctionConfigurations": [
    {
      "Id": "my-lambda-function-s3-event-configuration",
      "LambdaFunctionArn": "LambdaFunction_ARN",
      "Events": [ "s3:ObjectCreated:*" ],
      "Filter": {
        "Key": {
          "FilterRules": [
            {
              "Name": "prefix",
              "Value": "prefix_value"
            },
            {
              "Name": "suffix",
              "Value": "suffix_value"
            }
          ]
        }
      }
    },
    { ... }
  ]
}

Note: The Id of each notification configuration must be unique within the bucket. Keep only the keys that get-bucket-notification-configuration actually returned; don't add empty arrays for notification types that the bucket doesn't use.

After you create the notification.json, run the following command to update your S3 Event Notification configuration:

aws s3api put-bucket-notification-configuration \
--bucket bucket_name \
--notification-configuration file://notification.json

Note: Replace bucket_name with the name of your S3 bucket.
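Because put-bucket-notification-configuration replaces the whole configuration, the safe workflow is get, merge, put. The following Python script is added here as an example and is not part of the AWS article: it performs the merge step on the JSON that get-bucket-notification-configuration returns (a constructed sample with one SQS and one Lambda entry is embedded), refuses a duplicate Id or a function whose ARN is in a different Region than the bucket, strips the ResponseMetadata key that boto3 adds to the same response, and leaves all non-Lambda entries untouched. The ARNs, Ids, filter values and the Region argument are hypothetical.

```python
import copy
import json
import sys

# Constructed sample of what `aws s3api get-bucket-notification-configuration`
# returns for a bucket that already has one SQS and one Lambda notification.
# Account IDs, names and ARNs are made up for this example.
EXISTING_CONFIG = {
    "QueueConfigurations": [
        {
            "Id": "audit-deletes",
            "QueueArn": "arn:aws:sqs:us-east-1:222222222222:audit",
            "Events": ["s3:ObjectRemoved:*"],
        }
    ],
    "LambdaFunctionConfigurations": [
        {
            "Id": "thumbnails",
            "LambdaFunctionArn": "arn:aws:lambda:us-east-1:222222222222:function:Thumbnails",
            "Events": ["s3:ObjectCreated:*"],
            "Filter": {"Key": {"FilterRules": [{"Name": "prefix", "Value": "images/"}]}},
        }
    ],
}

# The cross-account notification to add: the bucket lives in 222222222222,
# the function in 111111111111. Hypothetical names and filter values.
NEW_LAMBDA_CONFIG = {
    "Id": "cross-account-csv-processor",
    "LambdaFunctionArn": "arn:aws:lambda:us-east-1:111111111111:function:ProcessUploads",
    "Events": ["s3:ObjectCreated:*"],
    "Filter": {"Key": {"FilterRules": [
        {"Name": "prefix", "Value": "uploads/"},
        {"Name": "suffix", "Value": ".csv"},
    ]}},
}


def lambda_arn_region(arn):
    """Region component of arn:aws:lambda:<region>:<account>:function:<name>."""
    parts = arn.split(":")
    if len(parts) < 7 or parts[2] != "lambda" or parts[5] != "function":
        raise ValueError(f"not a Lambda function ARN: {arn}")
    return parts[3]


def merge_lambda_notification(existing, new_config, bucket_region):
    """Return a notification configuration equal to `existing` plus `new_config`.

    `existing` is the dict returned by get-bucket-notification-configuration
    ({} for a bucket with no notifications). Neither argument is modified,
    so the caller can diff the old and new configuration before the put."""
    if lambda_arn_region(new_config["LambdaFunctionArn"]) != bucket_region:
        raise ValueError("the Lambda function must be in the same Region as the bucket")
    merged = copy.deepcopy(existing)
    # boto3's get_bucket_notification_configuration adds ResponseMetadata, which
    # put_bucket_notification_configuration rejects. The CLI output doesn't include it.
    merged.pop("ResponseMetadata", None)
    lambda_configs = merged.setdefault("LambdaFunctionConfigurations", [])
    if any(cfg.get("Id") == new_config["Id"] for cfg in lambda_configs):
        raise ValueError(f"a notification with Id {new_config['Id']!r} already exists")
    lambda_configs.append(copy.deepcopy(new_config))
    return merged


if __name__ == "__main__":
    # Usage (hypothetical file name):
    #   aws s3api get-bucket-notification-configuration --bucket BUCKET \
    #       | python merge_notification.py REGION > notification.json
    # An empty response, which the CLI returns for a bucket with no notifications, is treated as {}.
    region = sys.argv[1] if len(sys.argv) > 1 else "us-east-1"
    raw = "" if sys.stdin.isatty() else sys.stdin.read().strip()
    existing = json.loads(raw) if raw else {}
    print(json.dumps(merge_lambda_notification(existing, NEW_LAMBDA_CONFIG, region), indent=2))
```

After the put, run get-bucket-notification-configuration again and compare it with the file you sent; every entry that was present before should still be there, plus the new Lambda entry. The script only guards against a duplicate Id; S3 itself rejects a configuration in which two entries for the same event type have overlapping prefix and suffix filters, so if the put fails with an overlap error, narrow the new entry's filter rather than retrying.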

Test the Lambda function

To test the Lambda function with the Lambda console, see Test your Lambda function with a dummy event. If your function isn't invoked by the Event Notification, then see Why doesn't my Amazon S3 Event Notification invoke my Lambda function?

Related information

How do I allow my Lambda function access to my Amazon S3 bucket?

Why do I get the error "Unable to validate the following destination configurations" when I create an Amazon S3 Event Notification?

AWS OFFICIAL. Updated 4 months ago.

2 Comments

Caution should be used when using the solution presented in this article. If the bucket already has event notifications, using this solution to create a new notification will clear existing notifications. put-bucket-notification-configuration doesn't append. It replaces with what is specified in the notification.json file.

Manu
replied 7 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR
replied 7 months ago