如何使用 AWS SAM 将基于资源的策略添加到 lambda

Question

I want to create a deployment script for some lambda functions using AWS SAM. Two of those functions will be deployed into one account(account A) but will be triggered by an s3 bucket object creation event in a second account(account B). From what I know the only way to do this is by using adding a resource based policy to my lambda. But I don't know how to do that in AWS SAM. My current yaml file looks like this.

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  deploy-test-s3-triggered-lambda

Parameters:
  AppBucketName:
    Type: String
    Description: "REQUIRED: Unique S3 bucket name to use for the app."

Resources:
  S3TriggeredLambda:
    Type: AWS::Serverless::Function
    Properties: 
      Role: arn:aws:iam::************:role/lambda-s3-role
      Handler: src/handlers/s3-triggered-lambda.invokeAPI
      CodeUri: src/handlers/s3-triggered-lambda.js.zip
      Runtime: nodejs10.x
      MemorySize: 128
      Timeout: 60
      Policies:
        S3ReadPolicy:
          BucketName: !Ref AppBucketName
      Events:
        S3NewObjectEvent:
          Type: S3
          Properties:
            Bucket: !Ref AppBucket
            Events: s3:ObjectCreated:*
  AppBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref AppBucketName

What do I need to add to this yaml file in order to tie a resource based policy that allows for cross account access to my lambda function?

Answer 1

This can be done achieved with the help of AWS::Lambda::Permission using aws_cdk.aws_lambda.CfnPermission .

For example, to allow your lambda to be called from a role in another account, add the following to your CDK:

from aws_cdk import aws_lambda

aws_lambda.CfnPermission(
    scope,
    "CrossAccountInvocationPermission",
    action="lambda:InvokeFunction",
    function_name="FunctionName",
    principal="arn:aws:iam::111111111111:role/rolename",
)

Answer 2

If your bucket and your Lambda function exist in separate accounts I don't know if it's possible to modify both of them from SAM / a single CloudFormation template.

Answer 3

Don't think cross account s3 event is possible with SAM, may need to go back to CFN.