Previously, it was only possible to trigger Lambda functions from SQS queues in the same account only. To send data across different accounts, AWS CLI was the only way possible which was kind of tedious.
AWS now allows to trigger Lambda function using SQS queues from different accounts. With certain Lambda function’s execution role permissions and SQS grant cross-account access permissions to Lambda this is easily achievable.
Steps to Configure
Note: Make sure that Lambda function and SQS queue are in same region, though they can be in different account.
- To get start with, Create an SQS Queue in Account A which will act as an event source for the Lambda function.
While Queue creation,
Set the queue’s Visibility Timeout to at least six times the timeout that you have configured on your Lambda function so that Lambda function’s time can process each message.
- Under Access Policy, choose method as Basic.
Basic method consists of two definitions
- a) Send Messages to the Queue
- b) Receive Messages from the Queue.
- For Send Messages definition choose Only the queue owner
- For Receive Messages definition choose Only the specified AWS accounts, IAM users and roles.
- In the dialog box which appears, Enter Account ID/ ARN/ IAM user of the Account B in which the Lambda Function is created.
6. After adding the Accounts B details in dialog box, Select Advanced method in order to add policy to Queue which will grant the cross-account
Under the JSON object Action, add “SQS:GetQueueAttributes”
7. Scroll down and Click Create Queue. Following Queue will be created.
8. Create Lambda Function in Account B using the runtime environment of your choice.
In code print(event) to view the details of Lambda function triggers.
9. The Lambda function will need certain permissions to manage the messages in SQS. Go to Configuration on Lambda console and click on Permissions on the left.
Open the link under the Execution Role and attach the role AWSLambdaSQSQueueExecutionRole. The attached role has 3 main policies
10. On the Lambda function overview tab, Click +Add trigger. Select SQS from dropdown and in SQS queue box enter the ARN of queue from Account A which the queue was created with cross-account permissions and lastly click Add.
11. Wait until the added Trigger gets enabled. Confirm the enabling by going to Configuration section and selecting Triggers. Under Triggers section find all the Lambda function triggers which have been added.
- On SQS Queue window in source account (Account A), click on Send and Receive Messages.
In the message body enter the message. There is an option to send the messages in the form of attributes as well. After entering the message click Send Message.
- After clicking Send Messages, the message is sent to the Lambda function which is in different account (Account B). The function gets triggered once it receives the message from SQS Queue. To confirm that Lambda trigger and message received, click on Monitor section, and click on View Logs in CloudWatch.
- In CloudWatch Log streams you can confirm the message send from the source account (Account A).
Written by – Chaitanya Suhas Karadkhedkar