- Lambda execution role (Account A) should have access to AssumeRole (Account B role where Athena tables exist).
- Account B role should have a trust relationship for Account A and Lambda as a service.
- Account B role should have access to the S3 bucket (where query results get saved).
- Once the Lambda in Account A assumes the Account B role inside the code through the SDK/boto3, those returned credentials would be used to query Athena in Account B; for other resource access in Account A, the Lambda execution role would still be used.
The code snippet in the Lambda should look something like the below, but can be tweaked per requirement:

```python
import boto3

# STS client uses the Lambda execution role's credentials (Account A)
sts_connection = boto3.client('sts')

# Assume the cross-account role in Account B; the returned temporary
# credentials are then used for the Athena client
assume_role_account_a = sts_connection.assume_role(
    RoleArn="arn:aws:iam::AccountB:role/CrossAccountAthenaAccess-Role",
    RoleSessionName="cross_acct_athena"
)
```
I'd suggest you follow this Knowledge Article step by step; it would certainly help you understand how Lambda would assume a role in another AWS account.
On your other question, whether Athena has any resource policy like S3: the answer is no; Athena is a serverless querying service. Refer to this Documentation, where it's clearly mentioned that Athena doesn't support resource-based policies.
If you want to practice Lambda Cross Account IAM Assumption beforehand, take a look at this Well Architected Lab.
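The end-to-end pattern from the answer above, as an added example that is not part of the original answer or of any AWS sample: a helper that produces the trust policy for the Account B role (scoped to the Account A Lambda execution role rather than the whole account, with an optional ExternalId, which is an addition beyond what the answer describes), a helper that turns the STS AssumeRole response into boto3 client arguments, and a Lambda handler that queries Athena in Account B with the temporary credentials while Account A clients keep using the execution role. All account IDs, role names and bucket names are constructed placeholders.

```python
"""Cross-account Athena query from a Lambda in Account A via an assumed role in Account B."""
import json
import os

# Constructed placeholder identifiers; replace with your own values.
ACCOUNT_A_ID = "111111111111"
ACCOUNT_B_ID = "222222222222"
LAMBDA_EXEC_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A_ID}:role/AthenaLambdaExecutionRole"
CROSS_ACCOUNT_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B_ID}:role/CrossAccountAthenaAccess-Role"
RESULTS_BUCKET = "example-athena-results-bucket"      # bucket in Account B for query output
AUDIT_BUCKET = "example-account-a-audit-bucket"       # bucket in Account A, written with the execution role


def trust_policy_for_lambda_role(lambda_exec_role_arn, external_id=None):
    """Build the trust policy document to attach to the Account B role.

    It trusts only the named Lambda execution role in Account A instead of the
    whole account, and optionally requires sts:ExternalId so that only callers
    who know the shared value can assume the role (confused-deputy mitigation).
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": lambda_exec_role_arn},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def client_kwargs_from_assumed_role(assume_role_response, region):
    """Map the STS AssumeRole response onto keyword arguments for boto3.client()."""
    creds = assume_role_response["Credentials"]
    return {
        "region_name": region,
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


def lambda_handler(event, context):
    """Run an Athena query in Account B, then record the query id in Account A."""
    import boto3  # imported here so the pure helpers above import without boto3 installed

    region = os.environ.get("AWS_REGION", "us-east-1")

    # 1. Assume the Account B role. The STS client is built with no explicit
    #    credentials, so it uses the Lambda execution role (Account A).
    sts = boto3.client("sts")
    assume_kwargs = {
        "RoleArn": CROSS_ACCOUNT_ROLE_ARN,
        "RoleSessionName": "cross_acct_athena",
        "DurationSeconds": 900,  # shortest allowed lifetime for the temporary credentials
    }
    external_id = os.environ.get("CROSS_ACCOUNT_EXTERNAL_ID")  # hypothetical env var
    if external_id:
        assume_kwargs["ExternalId"] = external_id
    assumed = sts.assume_role(**assume_kwargs)

    # 2. Athena and its results bucket live in Account B, so this client is
    #    built from the temporary credentials returned by AssumeRole.
    athena_b = boto3.client("athena", **client_kwargs_from_assumed_role(assumed, region))
    started = athena_b.start_query_execution(
        QueryString=event["query"],
        QueryExecutionContext={"Database": event["database"]},
        ResultConfiguration={"OutputLocation": f"s3://{RESULTS_BUCKET}/lambda/"},
    )
    query_id = started["QueryExecutionId"]

    # 3. Anything in Account A still uses the execution role: a client built
    #    without explicit credentials never sees the Account B session.
    s3_a = boto3.client("s3")
    s3_a.put_object(
        Bucket=AUDIT_BUCKET,
        Key=f"athena-runs/{query_id}.json",
        Body=json.dumps({"query_execution_id": query_id, "database": event["database"]}),
    )
    return {"QueryExecutionId": query_id}
```

The trust policy helper is the piece to apply in Account B: the execution role ARN is the principal, so nothing else in Account A can assume the role even if it holds `sts:AssumeRole` permission. The ExternalId is optional here and is not something the original answer calls for.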