Previously, it was only possible to trigger Lambda functions from SQS queues in the same account. To send data across different accounts, AWS CLI was the only way possible, which was tedious.
AWS now allows triggering Lambda function using SQS queues from different accounts. With certain Lambda functions’ execution role permissions and SQS granting cross-account access permissions to Lambda, this is easily achievable.
Steps to Configure
Note: Make sure that Lambda function and SQS queue are in the same region, though they can be in different accounts.
1. To get started, Create an SQS Queue in Account A, which will act as an event source for the Lambda function.
While Queue creation,
Set the queue’s Visibility Timeout to at least six times the timeout that you have configured on your Lambda function so that Lambda function’s time can process each message.
2. Under Access Policy, choose the method as Basic.
Basic method consists of two definitions
- a) Send Messages to the Queue
- b) Receive Messages from the Queue.
- For Send Messages definition, choose Only the queue owner.
- For Receive Messages definition, choose Only the specified AWS accounts, IAM users, and roles.
- In the dialog box which appears, Enter Account ID/ ARN/ IAM user of Account B in which the Lambda Function is created.
- After adding the Accounts B details in dialog box, Select Advanced method in order to add policy to Queue, which will grant the cross-account. Under the JSON object Action, add “SQS: GetQueueAttributes.”
- Scroll down and Click Create Queue. Following Queue will be created.
- Create Lambda Function in Account B using the runtime environment of your choice. In code print(event) to view the details of Lambda function triggers.
- The Lambda function will need certain permissions to manage the messages in SQS. Go to Configuration on Lambda console and click on Permissions on the left.
Open the link under the Execution Role and attach the role AWSLambdaSQSQueueExecutionRole. The attached role has 3 main policies
SQS:ReceiveMessage
SQS:DeleteMessage
SQS:GetQueueAttributes - On the Lambda function overview tab, Click +Add trigger. Select SQS from the dropdown, and in SQS queue box, enter the ARN of the queue from Account A, in which the queue was created with cross-account permissions, and click Add.
- Wait until the added Trigger gets enabled. Confirm the enabling by going to Configuration section and selecting Triggers. Under Triggers section, find all the Lambda function triggers which have been added.
Testing: –
- On SQS Queue window in the source account (Account A), click on Send and Receive Messages.
In the message body, enter the message. There is also an option to send messages in the form of attributes. After entering the message, click Send Message. - After clicking Send Messages, the message is sent to the Lambda function in different accounts (Account B). The function gets triggered once it receives the message from SQS Queue. To confirm that Lambda trigger and message received, click on Monitor section, and click on View Logs in CloudWatch.
- In CloudWatch Log streams, you can confirm the message send from the source account (Account A).
