Tutorial: Create a REST API with a cross-account Lambda proxy integration
You can use an AWS Lambda function from a different AWS account as your API integration backend. Each account can be in any region where Amazon API Gateway is available. This makes it easy to centrally manage and share Lambda backend functions across multiple APIs, with a resource-based policy on the function controlling which API is allowed to invoke it.
In this section, we show how to configure cross-account Lambda proxy integration using the Amazon API Gateway console.
Create API for API Gateway cross-account Lambda integration
To create an API
- Sign in to the API Gateway console at https://console.aws.amazon.com/apigateway.
- If this is your first time using API Gateway, you see a page that introduces you to the features of the service. Under REST API, choose Build. When the Create Example API popup appears, choose OK.
  If this is not your first time using API Gateway, choose Create API. Under REST API, choose Build.
- For API name, enter CrossAccountLambdaAPI.
- (Optional) For Description, enter a description.
- Keep API endpoint type set to Regional.
- Choose Create API.
Create Lambda integration function in another account
Now you'll create a Lambda function in a different account from the one in which you created the example API.
Creating a Lambda function in another account
- Log in to the Lambda console in a different account from the one where you created your API Gateway API.
- Choose Create function.
- Choose Author from scratch.
- Under Author from scratch, do the following:
  - For Function name, enter a name.
  - From the Runtime drop-down list, choose a supported Node.js runtime.
  - For Architecture, keep the default setting.
  - Under Permissions, expand Choose or create an execution role. You can create a role or choose an existing role.
  - Choose Create function to continue.
- Scroll down to the Function code pane.
- Enter the Node.js function implementation from Tutorial: Create a REST API with a Lambda proxy integration.
- Choose Deploy.
- Note the full ARN for your function (in the upper right corner of the Lambda function pane). You'll need it when you create your cross-account Lambda integration.
Configure cross-account Lambda integration
Once you have a Lambda integration function in a different account, you can use the API Gateway console to add it to your API in your first account.
Note
If you are configuring a cross-region, cross-account authorizer, the sourceArn that is added to the target function should use the region of the function, not the region of the API.
After you create an API, you create a resource. Typically, API resources are organized in a resource tree according to the application logic. For this example, you create a /helloworld resource.
To create a resource
- Choose Create resource.
- Keep Proxy resource turned off.
- Keep Resource path as /.
- For Resource name, enter helloworld.
- Keep CORS (Cross Origin Resource Sharing) turned off.
- Choose Create resource.
After you create a resource, you create a GET method. You integrate the GET method with a Lambda function in another account.
To create a GET method
- Select the /helloworld resource, and then choose Create method.
- For Method type, select GET.
- For Integration type, select Lambda function.
- Turn on Lambda proxy integration.
- For Lambda function, enter the full ARN of the Lambda function that you noted in the previous section. In the Lambda console, you can find the ARN for your function in the upper right corner of the console window.
- When you enter the ARN, an aws lambda add-permission command string appears. This command adds a resource-based policy statement to your second account's Lambda function that grants invoke permission to the API in your first account. Copy and paste the aws lambda add-permission command string into an AWS CLI window that is configured with credentials for your second account, and run it.
- Choose Create method.
You can see the updated policy for your function in the Lambda console.
(Optional) To see your updated policy
- Sign in to the AWS Management Console and open the AWS Lambda console at https://console.aws.amazon.com/lambda/.
- Choose your Lambda function.
- Choose Permissions.
You should see an Allow policy statement with a Condition clause in which AWS:SourceArn is the ARN for your API's GET method. That condition is what limits the grant to this one API; a statement that allows the apigateway.amazonaws.com principal without a SourceArn condition would let any API Gateway API in any AWS account invoke the function.
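The following script is an added example and is not part of the tutorial or of the AWS CLI itself. It shows the shape of the source ARN for a single method, builds the aws lambda add-permission command that the console generates for it, and audits a copy of the function's resource policy (as returned by aws lambda get-policy) to confirm the grant is scoped to that method rather than open to every API Gateway API. The account IDs, API ID and function name are placeholders, and the policy documents are constructed inline for the check; the API and function are assumed to be in the same region.

```shell
#!/bin/sh
# Added example, not code from the AWS tutorial. Builds the cross-account
# invoke grant for the function and checks the resulting resource policy.
# Account IDs, the API ID and the function name are placeholders.

API_REGION="us-east-1"
API_ACCOUNT="111111111111"   # account that owns the REST API (placeholder)
API_ID="abcde12345"          # API ID (placeholder)
FUNC_REGION="us-east-1"      # same region as the API in this example
FUNC_ACCOUNT="222222222222"  # account that owns the Lambda function (placeholder)
FUNC_NAME="HelloWorldProxy"  # function name (placeholder)

# Source ARN of a single method:
#   arn:aws:execute-api:REGION:ACCOUNT:API_ID/STAGE/HTTP_METHOD/RESOURCE_PATH
# A "*" stage keeps the grant valid for every deployed stage of this API.
method_source_arn() {
  # args: region account api_id http_method resource_path (no leading slash)
  printf 'arn:aws:execute-api:%s:%s:%s/*/%s/%s' "$1" "$2" "$3" "$4" "$5"
}

# The add-permission call to run with CLI credentials for the function's
# account. --source-arn is what limits the grant to this one API method;
# without it, any API Gateway API in any AWS account could invoke the function.
add_permission_cmd() {
  # args: statement_id source_arn
  printf 'aws lambda add-permission --function-name %s --region %s --statement-id %s --action lambda:InvokeFunction --principal apigateway.amazonaws.com --source-arn %s' \
    "arn:aws:lambda:$FUNC_REGION:$FUNC_ACCOUNT:function:$FUNC_NAME" "$FUNC_REGION" "$1" "$2"
}

# Extract the AWS:SourceArn value from a policy document given as text
# (what `aws lambda get-policy --query Policy --output text` returns).
policy_source_arn() {
  printf '%s\n' "$1" | sed -n 's/.*"AWS:SourceArn"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Audit the grant. Return codes:
#   0 scoped to the expected method ARN
#   1 no SourceArn condition at all (any API Gateway API can invoke)
#   2 SourceArn present but not the expected method (e.g. ends in /*/*/*)
check_policy() {
  # args: policy_json expected_source_arn
  arn=$(policy_source_arn "$1")
  [ -n "$arn" ] || return 1
  [ "$arn" = "$2" ] && return 0
  return 2
}

EXPECTED=$(method_source_arn "$API_REGION" "$API_ACCOUNT" "$API_ID" GET helloworld)

# Constructed sample policies (not captured from a real account).
SCOPED_POLICY='{"Version":"2012-10-17","Statement":[{"Sid":"apigw-invoke","Effect":"Allow","Principal":{"Service":"apigateway.amazonaws.com"},"Action":"lambda:InvokeFunction","Resource":"arn:aws:lambda:us-east-1:222222222222:function:HelloWorldProxy","Condition":{"ArnLike":{"AWS:SourceArn":"arn:aws:execute-api:us-east-1:111111111111:abcde12345/*/GET/helloworld"}}}]}'
UNSCOPED_POLICY='{"Version":"2012-10-17","Statement":[{"Sid":"apigw-invoke","Effect":"Allow","Principal":{"Service":"apigateway.amazonaws.com"},"Action":"lambda:InvokeFunction","Resource":"arn:aws:lambda:us-east-1:222222222222:function:HelloWorldProxy"}]}'

echo "Run with credentials for account $FUNC_ACCOUNT:"
add_permission_cmd CrossAccountLambdaAPI-GET-helloworld "$EXPECTED"; echo
if check_policy "$SCOPED_POLICY" "$EXPECTED"; then echo "scoped policy: OK"; fi
if ! check_policy "$UNSCOPED_POLICY" "$EXPECTED"; then echo "unscoped policy: grant is not limited to this API"; fi
```

The check deliberately demands an exact match on the method ARN: a SourceArn that ends in `/*/*/*` would still let any method of that API invoke the function, which is more than this integration needs. If the API and function live in different regions, apply the note above about which region goes into the source ARN.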