Granting Lambda function access to other accounts - AWS Lambda

Granting Lambda function access to other accounts

To share a function with another AWS account, add a cross-account permissions statement to the function's resource-based policy. Run the add-permission command and specify the account ID as the principal. The following example grants account 111122223333 permission to invoke my-function with the prod alias.

aws lambda add-permission \ --function-name my-function:prod \ --statement-id xaccount \ --action lambda:InvokeFunction \ --principal 111122223333 \ --output text

You should see the following output:

{"Sid":"xaccount","Effect":"Allow","Principal":{"AWS":"arn:aws:iam::111122223333:root"},"Action":"lambda:InvokeFunction","Resource":"arn:aws:lambda:us-east-1:123456789012:function:my-function"}

The resource-based policy grants permission for the other account to access the function, but doesn't allow users in that account to exceed their permissions. Users in the other account must have the corresponding user permissions to use the Lambda API.

To limit access to a user or role in another account, specify the full ARN of the identity as the principal. For example, arn:aws:iam::123456789012:user/developer.

The alias limits which version the other account can invoke. It requires the other account to include the alias in the function ARN.

aws lambda invoke \ --function-name arn:aws:lambda:us-east-2:123456789012:function:my-function:prod out

You should see the following output:

{
    "StatusCode": 200,
    "ExecutedVersion": "1"
}

The function owner can then update the alias to point to a new version without the caller needing to change the way they invoke your function. This ensures that the other account doesn't need to change its code to use the new version, and it only has permission to invoke the version of the function associated with the alias.

You can grant cross-account access for most API actions that operate on an existing function. For example, you could grant access to lambda:ListAliases to let an account get a list of aliases, or lambda:GetFunction to let them download your function code. Add each permission separately, or use lambda:* to grant access to all actions for the specified function.

To grant other accounts permission for multiple functions, or for actions that don't operate on a function, we recommend that you use IAM roles.