
Switch profile/account/role in AWS Lambda

I am trying to connect to an AWS AppSync, located in a custom profile/account/role under the root/default account, from an AWS Lambda in the root/default account.

The below Python code works fine locally, because I have configured "custom_profile" in my local .aws/config file.

import boto3

# Resolve credentials from the named profile in the local AWS config
session = boto3.Session(profile_name='custom_profile')
client = session.client('appsync', region_name='<region>')

But is there any way to make this code run in the AWS Lambda in the root account? How can AWS Lambda understand what is "custom_profile"? Where and how can I map "custom_profile" to the respective role ARN?

I saw a probable solution to this problem at this link, but I have not tried it.
Has anyone faced a similar issue and know of an easier solution to this problem than in the link?

The link that you've referenced is the way to go. Permissions that an AWS Lambda function has are to be defined in a role for that function. This can include permissions to assume a role in another account.

You can then use the Security Token Service (or STS for short) and execute the AssumeRole action. This will provide you with AWS tokens that you can use to authenticate your calls to the other account.

You will also have to configure the account you're executing the Lambda function in as a trusted entity in the role you want to assume in the second account.
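The AssumeRole flow described in this answer, sketched in Python as an added example (not code from the original post or the linked page). The role ARN is a placeholder, the helper names are hypothetical, and the trust policy is narrowed from the whole account to the Lambda's own execution role, which is an assumption made here for least privilege.

```python
# Placeholder: the page does not give the ARN of the role behind "custom_profile".
TARGET_ROLE_ARN = "arn:aws:iam::<target-account-id>:role/<role-name>"

def trust_policy(lambda_role_arn):
    """Trust policy for the role in the second account.
    Trusting one execution role is tighter than trusting the whole account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": lambda_role_arn},
        "Action": "sts:AssumeRole"}]}

def execution_role_statement(target_role_arn):
    """Statement for the Lambda execution role: allow assuming only the target role."""
    return {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": target_role_arn}

def assumed_role_credentials(sts, role_arn, session_name="lambda-appsync"):
    """Call STS AssumeRole and map the result to boto3 client keyword arguments."""
    resp = sts.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,  # appears in CloudTrail for the assumed session
        DurationSeconds=900,           # shortest lifetime STS accepts
    )
    c = resp["Credentials"]
    return {"aws_access_key_id": c["AccessKeyId"],
            "aws_secret_access_key": c["SecretAccessKey"],
            "aws_session_token": c["SessionToken"]}

def lambda_handler(event, context):
    import boto3  # bundled with the Lambda Python runtime
    # The execution role's own credentials are used for the STS call...
    creds = assumed_role_credentials(boto3.client("sts"), TARGET_ROLE_ARN)
    # ...and the temporary credentials replace profile_name='custom_profile'.
    client = boto3.client("appsync", region_name="<region>", **creds)
    return [api["name"] for api in client.list_graphql_apis()["graphqlApis"]]
```

The temporary credentials expire, so a long-lived client built once outside the handler would need to be rebuilt after the session ends.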
