I want my Amazon Simple Storage Service (Amazon S3) bucket to invoke an AWS Lambda function in another AWS account.
Resolution
To set up your Amazon S3 bucket so that it invokes a Lambda function in another AWS account, complete the following steps:
- Update your Lambda function's resource-based permissions policy to grant invoke permission to Amazon S3.
- Create an Amazon S3 Event Notification that invokes your Lambda function.
Important: The Lambda function must be in the same AWS Region as your S3 bucket.
For information on how to migrate functions, see How do I migrate a Lambda function to another AWS account or Region using the Lambda console?
Update your Lambda function's resource-based permissions policy to grant invoke permission to Amazon S3
AWS Management Console
To update your Lambda function's resource-based permissions policy to grant invoke permission to Amazon S3, complete the following steps:
- Open the Functions page on the Lambda console with the AWS account that your Lambda function is in.
- Choose the name of the Lambda function that you want to be invoked by Amazon S3.
- In the Configuration tab, choose Permissions.
- In the Resource-based policy pane, choose Add permissions.
- In the Policy statement pane, choose AWS service. The Service dropdown list appears.
- In the Service dropdown list, choose S3 to see more fields.
- For Statement ID, enter a unique statement ID to differentiate the statement that you create within the policy.
- For Source account, enter the AWS account ID of the account that hosts your S3 bucket.
- For Source ARN, enter your S3 bucket's ARN. Use the following format:
arn:aws:s3:::bucket_name
Note: Replace bucket_name with the name of your S3 bucket.
- For Action, select lambda:InvokeFunction from the dropdown list.
- Choose Save.
For more information, see Working with resource-based policies in Lambda.
AWS CLI
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
Update your Lambda function's resource-based permissions policy to grant invoke permission to Amazon S3 with the add-permission API similar to the following:
aws lambda add-permission \--function-name LambdaFunction_name \
--action lambda:InvokeFunction \
--principal s3.amazonaws.com \
--source-arn arn:aws:s3:::bucket_name \
--source-account account-id \
--statement-id "unique_statement_ID"
Note: Replace LambdaFunction_name, bucket_name, and unique_statement_ID with your variables.
Create an Amazon S3 Event Notification that invokes your Lambda function
AWS Management Console
Follow the instructions to activate and configure Event Notifications using the Amazon S3 console.
AWS CLI
To create an Amazon S3 Event Notification that invokes your Lambda function use the put-bucket-notification-configuration command.
Important: Before you use the put-bucket-notification command, verify that you don't have any other Event Notifications configured on your S3 bucket. The put-bucket-notification-configuration command performs a replace operation on any existing notification configuration instead of an append.
To check if your bucket already has Event Notifications, run the following command:
aws s3api get-bucket-notification-configuration --bucket bucket_name
If the preceding command returns an empty JSON object or no response, then you have no existing Event Notification configuration. Create and save a new file called notification.json with the following configuration:
{
"LambdaFunctionConfigurations": [
{
"Id": "my-lambda-function-s3-event-configuration",
"LambdaFunctionArn": "LambdaFunction_ARN",
"Events": [ "s3:ObjectCreated:" ],
"Filter": {
"Key": {
"FilterRules": [
{
"Name": "prefix"|"suffix",
"Value": "string"
}
]
}
}
}
]
}
Note: Replace LambdaFunction_ARN with your Lambda function ARN. Replace the prefix and suffix with your variables for the filter rule.
If the get-bucket-notification-configuration returns an existing Event Notification configuration JSON, then save the existing JSON configuration as a file called notification.json. Add your new Lambda notification configuration to an existing LambdaFunctionConfigurations key or create a new key with the JSON syntax shown in the following example. Add the key to the notification.json file:
{
... # Non Lambda event configurations like SNS, SQS etc. ,
"LambdaFunctionConfigurations": [
{
"Id": "my-lambda-function-s3-event-configuration",
"LambdaFunctionArn": "LambdaFunction_ARN",
"Events": [ "s3:ObjectCreated:" ],
"Filter": {
"Key": {
"FilterRules": [
{
"Name": "prefix"|"suffix",
"Value": "string"
}
]
}
}
},
{...}, #Other pre-existing Lambda Function configurations
]
}
After you create the notification.json, run the following command to update your S3 Event Notification configuration:
aws s3api put-bucket-notification-configuration \
--bucket bucket_name \
--notification-configuration file://notification.json
Note: Replace bucket_name with the name of your S3 bucket.
Test the Lambda function
To test the Lambda function with the Lambda console, see Test your Lambda function with a dummy event. If your function isn't invoked by the Event Notification, then see Why doesn't my Amazon S3 Event Notification invoke my Lambda function?
Related information
How do I allow my Lambda function access to my Amazon S3 bucket?
Why do I get the error "Unable to validate the following destination configurations" when I create an Amazon S3 Event Notification?