
Is it possible to call a lambda in a different account from the CloudFormation one?


I have a lambda on one account with this policy attached:

{
  "Sid": "Id-123",
  "Effect": "Allow",
  "Principal": { "AWS": "arn:aws:iam::115333656057:root"},
  "Action": "lambda:InvokeFunction",
  "Resource": "arn:aws:lambda:eu-central-1:260143830488:function:CentralInstanceScheduler-InstanceSchedulerMain"
}

When I create a stack from account 115333656057 with my user, which tries to execute the lambda, I get this error:

  User: arn:aws:iam::115333656057:user/uguesm is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:eu-central-1:260143830488:function:CentralizedInstanceScheduler-InstanceSchedulerMain

What am I doing wrong?


Solution

  • In Account 260143830488 - Edit your role to add the InvokeFunction policy and a trust policy for the other account.

    Permissions:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "lambda:InvokeFunction",
          "Resource": "arn:aws:lambda:eu-central-1:260143830488:function:CentralInstanceScheduler-InstanceSchedulerMain"
        }
      ]
    }


    Trust Relationship Policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Id-123",
          "Effect": "Allow",
          "Principal": { "AWS": "arn:aws:iam::115333656057:role/<lambda-role>"},
          "Action": "sts:AssumeRole"
        }
      ]
    }


  • In Account 115333656057 - Create a lambda execution role that can AssumeRole.

    Permissions:

    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::260143830488:role/<RoleName>"
      }
    }
    

    Trust Relationship policy:

    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole"
      }
    }
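As an added example (not code from the question or the answer), here is a small offline check of the two policies that must both allow the call on this page: the function's resource-based policy in account 260143830488, which delegates to the root of account 115333656057, and the calling user's identity-based policy in that account. Run over the values from the question it reports both the missing identity-based permission and the mismatch between the function name in the policy's Resource and the ARN in the error message; the evaluation is a deliberately simplified model of IAM (no Conditions, NotAction or wildcard globbing beyond a bare "*") and the helper names are my own.

```python
# Added example (not from the question or answer): offline check of the two
# policies that must BOTH allow a cross-account lambda:InvokeFunction when the
# function's resource policy delegates to the calling account root, as here.
# Simplified model: no Conditions, NotAction, or wildcards beyond a bare "*".

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    return any(p in ("*", value) for p in _as_list(patterns))

def _principal_matches(principal, caller_arn):
    """True for '*', the caller's exact ARN, or the caller's account root."""
    if principal == "*":
        return True
    account_root = "arn:aws:iam::%s:root" % caller_arn.split(":")[4]
    return _matches(principal.get("AWS", []), caller_arn) or \
        _matches(principal.get("AWS", []), account_root)

def _allows(policy, caller_arn, action, resource, is_resource_policy):
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        if not (_matches(stmt.get("Action", []), action)
                and _matches(stmt.get("Resource", "*"), resource)):
            continue
        if is_resource_policy and not _principal_matches(stmt.get("Principal", {}), caller_arn):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # an explicit Deny always wins
        allowed = True
    return allowed

def invoke_findings(function_policy, identity_policy, caller_arn, function_arn):
    """Reasons the call would be denied; an empty list means both policies allow it."""
    action, findings = "lambda:InvokeFunction", []
    if not _allows(function_policy, caller_arn, action, function_arn, True):
        findings.append("function policy: no Allow for this principal on " + function_arn)
    if not _allows(identity_policy, caller_arn, action, function_arn, False):
        findings.append("identity policy: no Allow for " + action + " on " + function_arn)
    return findings

# Constructed from the values on this page. Note the function name in the
# policy (CentralInstanceScheduler-...) differs from the one in the error.
FUNCTION_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Id-123", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::115333656057:root"},
    "Action": "lambda:InvokeFunction",
    "Resource": "arn:aws:lambda:eu-central-1:260143830488:function:CentralInstanceScheduler-InstanceSchedulerMain"}]}
CALLER = "arn:aws:iam::115333656057:user/uguesm"
INVOKED = "arn:aws:lambda:eu-central-1:260143830488:function:CentralizedInstanceScheduler-InstanceSchedulerMain"
```

`invoke_findings(FUNCTION_POLICY, {}, CALLER, INVOKED)` returns two findings; fixing the Resource ARN and adding an identity-based Allow for the user returns an empty list.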