Amazon S3 在另一个账户中触发另一个 Lambda 函数 [英] Amazon S3 triggering another a Lambda function in another account

问题描述

当任何对象进入账户 A S3 存储桶时，我想在账户 B 中运行 lambda.

I want to run a lambda in Account B when any object comes into Account A S3 bucket.

但我听说我们只能从同一个账户 S3 访问 Lambda，对于跨账户 S3 Lambda 访问，我必须在同一个账户中运行 Lambda 并创建另一个运行另一个账户 Lambda 的触发器:

But I heard that we can access Lambda from the same account S3 only, for cross-account S3 Lambda access I must run Lambda within same account and make another trigger which runs another account Lambda:

1. S3(账户 A)--> Lambda(账户 B)- 不可能
2. S3(账户 A)--> Lambda(账户 A)-->Lambda(账户 B)- 可能

有人可以帮我选择哪个选项吗?如果是这样怎么办?

Can someone help me which option is possible? If so how?

推荐答案

@John 的解决方案有效，但我想将某些步骤添加到他的答案中.

@John's Solution works but there are certain steps I would like to add to his answer.

• S3 存储桶和 Lambda 需要位于同一区域.例如，两者都应在 us-east-1 区域中创建.不同的区域会抛出如下错误:

• The S3 bucket and the Lambda need to be in the same region. For example, both should be created in us-east-1 region. Different regions would throw an error as below:

通知目标服务区域对存储桶位置约束无效

The notification destination service region is not valid for the bucket location constraint

以下是我创建触发器的步骤:

Below is the Steps I followed to create the trigger:

Account-A.S3-bucket -> Account-B.Lambda-function

1. 从终端，切换到 Lambda 所在的账户 B 的 AWS 配置文件

2. 运行以下命令，为您的案例更改参数:

1. From Terminal, switch to Account-B's AWS profile where the Lambda would reside

2. Run the below command, change the parameters for your case:

aws lambda 添加权限 --region {Account-B.Lambda 区域 例如.us-east-1} --function-name {Account-B.Lambda 名称} --statement-id 1 --principal s3.amazonaws.com --action lambda:InvokeFunction --source-arn arn:aws:s3:::{Account-A.S3 名称} --source-account {Account-A.account-id} --profile {Account-B.profile-name}

在这种情况下，您可能会收到 statement-id 存在错误，增加 statement-id 并重新运行命令.

You might get statement-id exists error, increment statement-id and re-run command again in this case.

1. 转到Account-A 的S3 存储桶和属性 的标签下> 事件
2. 选择添加通知

3. 添加以下字段:

1. Go to Account-A's S3 bucket and under Properties's tab > under Events
2. Select Add Notification

3. Add the following fields:

名称:ObjectCreation事件:ObjectCreate(全部)发送至:Lambda 函数Lambda:添加 Lambda 函数 ARNLambda 函数 ARN:your-lambda-arn

注意:Lambda 函数可能仍会显示错误，但 S3 存储桶中添加的新对象会触发 lambda 和打印(事件)日志出现在 Cloudwatch 日志中.

Note: The Lambda function might still show an error but new objects added in the S3 bucket trigger the lambda and print(event) logs appear in Cloudwatch logs.

这篇关于Amazon S3 在另一个账户中触发另一个 Lambda 函数的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！