1

I have a lambda in AWS Account 1.

I have an SSM parameter in AWS Account 2.

I want to write code in the lambda like this:

const AWS = require("aws-sdk"); // AWS SDK for JavaScript v2
// With no explicit credentials, this client signs requests with the Lambda's own execution role,
// i.e. it targets the account the function runs in.
const ssm = new AWS.SSM({apiVersion: "2014-11-06"});

function updateSsmParamInOtherAwsAccount(newSsmValue) {
  const params = {
    Name: "ssm-parameter-name",
    Value: newSsmValue,
    Overwrite: true,
    Type: "String",
  };

  ssm.putParameter(params, function (err) {
    if (err) {
      console.error(err, err.stack);
    } else {
      console.log(`Successfully set SSM param`);
    }
  });
}

I understand how to use IAM to grant permissions for this.

What I don't understand is how to configure the AWS JavaScript SDK to point to the other AWS account.

As written in the example above, it will update the SSM param in the same AWS account the lambda is running in. There don't seem to be any environment variables or configuration options that allow this.

Anyone know how to connect the dots here?

johncorser

1 Answer

3

Since you understand the use of a cross-account IAM role, as you wrote, I guess that all the roles and permissions are correctly set up.

So what you have to do is the same for all SDKs, not only JavaScript. Namely, in your lambda function you have to explicitly assume the IAM role from AWS Account 2. In JS, you have to call assumeRole and provide it with the IAM role from the second account.

The assumeRole call will return temporary AWS credentials which you can use to access the second account. In this SO answer there is a good example of how you can do this in JS. Another example, specific to Lambda (but for Python), is here.

Marcin