A Guide to Configure AWS Lambda Function to Assume an AWS IAM Role in another AWS Account

Introduction

Amazon Web Services (AWS) provides robust Identity and Access Management (IAM) capabilities to control access to your resources. One powerful feature within AWS IAM is assuming roles, which allows you to grant temporary permissions to resources in one AWS account from another. In this blog, we will delve into how to configure an AWS Lambda function to assume an AWS IAM role in another AWS account, enhancing your cross-account access management.

Pioneers in Cloud Consulting & Migration Services

Reduced infrastructural costs
Accelerated application deployment

Get Started

AWS IAM Roles in AWS

AWS IAM roles are AWS identities that you can create and manage to define a set of permissions. Roles are not associated with a specific user or group but are assumed by trusted entities such as AWS services or AWS Lambda functions. Roles grant permissions based on policies attached to them, which can be customized according to your needs.

Why Assume Roles in AWS?

Assuming roles is a fundamental aspect of AWS security and access control. It enables scenarios like cross-account access, allowing one AWS account to access resources in another securely. Here are some reasons why you might want to use role assumption:

Cross-account access: Delegate access from one AWS account to another, enabling controlled sharing of resources and data.
Enhanced security: Avoid sharing long-term credentials like access keys, reducing the risk of unauthorized access or accidental exposure.
Least privilege: Implement the principle of least privilege by granting only the necessary permissions for a specific task.

Step-by-Step Guide to Configure an AWS Lambda Function to Assume an AWS IAM Role

In this scenario, we will demonstrate how to configure an AWS Lambda function in one AWS account to assume an AWS IAM role in another AWS account. This enables the AWS Lambda function to perform actions in the remote account without sharing sensitive credentials.

Prerequisites:

Before you proceed, ensure you have the following prerequisites in place:

Two AWS accounts: One where the AWS Lambda function resides (Account A) and another where the AWS IAM role to be assumed resides (Account B).
AWS Lambda function: You should have an AWS Lambda function in Account A that needs to access resources in Account B.
AWS IAM Role: Create an AWS IAM role in Account B with the necessary permissions and trust relationships to allow Account A to assume it.

Follow these steps to configure your AWS Lambda function to assume an AWS IAM role in another AWS account:

Create the AWS IAM Role in Account B:

Sign in to Account B.
Navigate to the AWS IAM console.
Choose the AWS IAM role you created for this scenario.
In the “Trust relationships” tab of the role details page, you will see a JSON policy document that defines the trust relationship. You must edit this policy document to allow Account A to assume the role.
Update the trust policy to include an entry for Account A’s AWS account ID. Here’s an example of what the trust policy might look like:

{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::Account_A_ID:root"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Principal": {

"AWS": "arn:aws:iam::Account_A_ID:root"

"Action": "sts:AssumeRole"

}

]

}

Replace “Account_A_ID” with the AWS account ID of Account A.

Save the trust policy.

This configuration allows Account A to assume the AWS IAM role in Account B. It specifies that the AWS account with the provided account ID (Account A) can assume the role.

2. Obtain the Role ARN:

Note the Amazon Resource Name (ARN) of the AWS IAM role created in Step 1.

3. Edit Lambda Function in Account A:

Sign into Account A.
Open the AWS Lambda console.
Select the AWS Lambda function to configure to assume the IAM role in Account B.
In the AWS Lambda function configuration page, navigate to the “Function code” section, specifically the code executing AWS SDK or AWS CLI commands.

4. Configure AWS SDK or AWS CLI:

In your AWS Lambda function code, you must use the AWS SDK (Software Development Kit) for your chosen programming language or the AWS CLI (Command Line Interface) to assume the AWS IAM role in Account B.
Import the AWS SDK or use AWS CLI commands within your AWS Lambda function code to initiate the role assumption process. You will specify the ARN of the AWS IAM role in Account B as the role to be assumed.
For example, in Python, using the Boto3 AWS SDK, you might do something like this:

import boto3

def lambda_handler(event, context):
    # Create an STS client to assume the role in Account B
    sts_client = boto3.client('sts')
    role_arn = 'arn:aws:iam::Account_B_ID:role/RoleNameInAccountB'

    # Assume the role in Account B
    assumed_role = sts_client.assume_role(
        RoleArn=role_arn,
        RoleSessionName='AssumeRoleSession'
    )

    # Now, you can use the credentials from assumed_role to make AWS API calls on Account B's resources
    account_b_credentials = assumed_role['Credentials']
    s3_client = boto3.client('s3', aws_access_key_id=account_b_credentials['AccessKeyId'],
                            aws_secret_access_key=account_b_credentials['SecretAccessKey'],
                            aws_session_token=account_b_credentials['SessionToken'])

    # Use the s3_client to perform operations on resources in Account B
    # ...

import boto3

def lambda_handler(event, context):

# Create an STS client to assume the role in Account B

sts_client = boto3.client('sts')

role_arn = 'arn:aws:iam::Account_B_ID:role/RoleNameInAccountB'

# Assume the role in Account B

assumed_role = sts_client.assume_role(

RoleArn=role_arn,

RoleSessionName='AssumeRoleSession'

)

# Now, you can use the credentials from assumed_role to make AWS API calls on Account B's resources

account_b_credentials = assumed_role['Credentials']

s3_client = boto3.client('s3', aws_access_key_id=account_b_credentials['AccessKeyId'],

aws_secret_access_key=account_b_credentials['SecretAccessKey'],

aws_session_token=account_b_credentials['SessionToken'])

# Use the s3_client to perform operations on resources in Account B

# ...

Ensure you replace ‘arn:aws:iam::Account_B_ID:role/RoleNameInAccountB’ with the ARN of the AWS IAM role you want to assume in Account B.

5. Test the Configuration:

Execute your Lambda function in Account A.
Verify that it can successfully assume the AWS IAM role in Account B and access the desired resources.

Conclusion

Configuring an AWS Lambda function to assume an AWS IAM role in another AWS account is a powerful way to enhance security, manage cross-account access, and follow the principle of least privilege. By implementing this approach, you can ensure that your AWS resources are accessed securely and efficiently without exposing sensitive credentials. AWS IAM roles remain crucial to AWS security, enabling robust access control across your cloud infrastructure.

Drop a query if you have any questions regarding AWS IAM and we will get back to you quickly.

Making IT Networks Enterprise-ready – Cloud Management Services

Accelerated cloud migration
End-to-end view of the cloud environment

Get Started

About CloudThat

CloudThat is a leading provider of Cloud Training and Consulting services with a global presence in India, the USA, Asia, Europe, and Africa. Specializing in AWS, Microsoft Azure, GCP, VMware, Databricks, and more, the company serves mid-market and enterprise clients, offering comprehensive expertise in Cloud Migration, Data Platforms, DevOps, IoT, AI/ML, and more.

FAQs

1. Why should I use AWS IAM roles in AWS?

ANS: – AWS IAM roles provide a secure way to delegate access to AWS resources without sharing long-term credentials like access keys. They are useful for scenarios like cross-account access, where one AWS account needs to access resources in another account securely.

2. What happens if an entity attempts to assume a role without the necessary permissions?

ANS: – AWS will deny the request to assume the role if the entity lacks the required permissions or the trust relationship is misconfigured. Properly configured policies and trust relationships are crucial to role assumption working correctly.