I am following the blog post below from Amazon (scenario 3: invoking the Lambda function from an Amazon S3 bucket notification in another account) about authorizing Lambda functions for various purposes. I would like to configure the Lambda function to receive SNS messages from external accounts (external to the account with the Lambda function).
https://aws.amazon.com/blogs/compute/easy-authorization-of-aws-lambda-functions/
I was expecting to add permission to call the function remotely as follows:
$ aws lambda add-permission \
    --function-name MyFunction \
    --region us-west-2 \
    --statement-id Id-123 \
    --action "lambda:InvokeFunction" \
    --principal sns.amazonaws.com \
    --source-arn arn:aws:sns:::<topic name> \
    --source-account <account number> \
    --profile adminuser
Then I tried to navigate to the SNS topic, set Lambda as the endpoint and enter the remote ARN of the Lambda function in the first account. This does not work either, as the endpoint expects the ARN of a function in the same account ...
Plan B: Try creating a subscription through the CLI to get around the limitation in the console ...
aws sns --profile adminuser \
    --region us-west-2 subscribe \
    --topic-arn arn:aws:sns:us-west-2:<account #>:<topic name> \
    --protocol lambda \
    --notification-endpoint arn:aws:lambda:us-west-2:<account id>:function:<lambda function name>
Result:
A client error (AuthorizationError) occurred when calling the Subscribe operation: The account <account id> is not the owner of the lambda function arn:aws:lambda:us-west-2:<account id>:function:<function name>
Has anyone managed to invoke a Lambda function from an SNS topic in another account? I'm a bit stuck on where I might have made a mistake ... Based on the blog post, I fully expected the remote SNS setup to work:
Note: Amazon SNS (Simple Notification Service) events sent to Lambda work the same way, with "sns.amazonaws.com" replacing "s3.amazonaws.com" as the principal.
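As an added example that is not part of the question or the AWS blog post: a small local check of the resource-policy statement that the add-permission call above creates, which flags a source ARN missing its region and account (as in arn:aws:sns:::<topic name>) or a SourceAccount that does not match the account in the topic ARN, both of which leave the invoke permission scoped more loosely than intended. The account numbers and topic name are constructed placeholders, and the condition key names are assumed to mirror what add-permission writes.

```python
import re

# ARN layout: arn:partition:service:region:account:resource (resource may contain ':').
ARN_KEYS = ("prefix", "partition", "service", "region", "account", "resource")


def parse_arn(arn):
    """Split an ARN into its six fields; raise if the prefix or field count is wrong."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError("not an ARN: %r" % arn)
    return dict(zip(ARN_KEYS, parts))


def sns_invoke_statement(function_arn, topic_arn, source_account, sid="Id-123"):
    """Build the statement `aws lambda add-permission --principal sns.amazonaws.com
    --source-arn ... --source-account ...` adds to the function's resource policy
    (key names assumed to match what add-permission writes)."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"Service": "sns.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": function_arn,
        "Condition": {
            "ArnLike": {"AWS:SourceArn": topic_arn},
            "StringEquals": {"AWS:SourceAccount": source_account},
        },
    }


def check_sns_invoke_statement(stmt):
    """Return the list of scoping problems in a statement meant to let exactly one
    SNS topic (possibly in another account) invoke the function; [] means OK."""
    problems = []
    if stmt.get("Principal", {}).get("Service") != "sns.amazonaws.com":
        problems.append("Principal must be the SNS service principal")
    if stmt.get("Action") != "lambda:InvokeFunction":
        problems.append("Action must be lambda:InvokeFunction")
    cond = stmt.get("Condition", {})
    src = cond.get("ArnLike", {}).get("AWS:SourceArn")
    acct = cond.get("StringEquals", {}).get("AWS:SourceAccount")
    if not src:  # without SourceArn, any SNS topic anywhere could invoke the function
        return problems + ["missing AWS:SourceArn condition"]
    arn = parse_arn(src)
    if arn["service"] != "sns":
        problems.append("SourceArn is not an SNS topic ARN: %s" % src)
    if not arn["region"] or not re.fullmatch(r"\d{12}", arn["account"]):
        problems.append("SourceArn lacks a region and/or 12-digit account: %s" % src)
    if acct is None or acct != arn["account"]:
        problems.append("SourceAccount %r does not match account in SourceArn" % acct)
    return problems
```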