Cross-account S3 access using Lambda Functions

Tejas Gupta
4 min read · Nov 4, 2022


In this blog, we will access the contents of an S3 bucket in Account A from a Lambda function in Account B.

Let’s start with creating an S3 Bucket in Account A.

Go to the S3 Service dashboard

Give your bucket a unique name and then create the bucket.
We also need to change the bucket policy, but that will be done once we have created the role in Account B.

Now, move to Account B and go to the IAM service to create a role for our Lambda Function.

Click on Create role.

Select Lambda as the use case, since we are going to attach this role to our Lambda function.

Now click on Create policy to create a custom policy.

Enter this policy (replace the Resource with the ARN of the bucket we created in Account A):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::your-bucket-name/*"
        }
    ]
}

Give the policy a name and create it.

After creating the policy, select that policy in the Permissions policies of the role.

Give a name to the role and then create the role.

After creating the role successfully, you will see this interface.

Now that we have created the role in Account B, we have to edit our bucket policy in Account A to trust that role.

We will give the Account B role permission to GET and PUT objects in the bucket.

Go to the created bucket and then go to Permissions.

Now click on Edit bucket policy.

Enter this policy (replace the Principal with the ARN of the role we created in Account B, and the Resource with the ARN of the bucket):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::account-b-id:role/your-lambda-role-name"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::your-bucket-name/*"
        }
    ]
}
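The two policies above are the two halves of one authorization decision: for a cross-account call, the identity policy on the Account B role and the bucket policy in Account A must both allow the action, and an explicit Deny in either one wins. The following is an added example, not code from the original post. It builds both policies from constructed placeholder values (the account id, role name and bucket name are assumptions) and evaluates requests against them with a simplified IAM matcher (wildcards and Deny precedence, but no Condition keys). It also includes a small audit helper for the Account A side that flags bucket-policy principals outside the accounts you meant to trust.

```javascript
// Added example, not code from the original post. Builds the role policy
// (Account B) and the bucket policy (Account A) from placeholders and checks
// the cross-account rule: both must Allow, and an explicit Deny wins.
const ACCOUNT_B_ID = '111111111111';               // constructed placeholder
const ROLE_NAME = 'lambda-cross-account-s3-role';  // assumed role name
const BUCKET_NAME = 'example-account-a-bucket';    // assumed bucket name
const S3_ACTIONS = ['s3:GetObject', 's3:PutObject', 's3:PutObjectAcl'];

function roleArn(accountId, roleName) {
  if (!/^\d{12}$/.test(accountId)) throw new Error('AWS account id must be 12 digits');
  return `arn:aws:iam::${accountId}:role/${roleName}`;
}

// Identity-based policy attached to the Lambda role in Account B (no Principal).
function buildIdentityPolicy(bucket) {
  return {
    Version: '2012-10-17',
    Statement: [{ Effect: 'Allow', Action: S3_ACTIONS, Resource: `arn:aws:s3:::${bucket}/*` }],
  };
}

// Resource-based bucket policy in Account A that names the Account B role.
function buildBucketPolicy(bucket, principalArn) {
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Principal: { AWS: principalArn },
      Action: S3_ACTIONS,
      Resource: `arn:aws:s3:::${bucket}/*`,
    }],
  };
}

// IAM-style wildcard match: '*' is any run of characters, '?' one character;
// the comparison is case-insensitive, as IAM action names are.
function matchesPattern(pattern, value) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp(`^${escaped}$`, 'i').test(value);
}

function asArray(v) { return v === undefined ? [] : [].concat(v); }

// Does this statement apply to the request? Principal is checked only when the
// statement carries one, which is the case for bucket policies.
function statementMatches(stmt, action, resource, principalArn) {
  const actionHit = asArray(stmt.Action).some((a) => matchesPattern(a, action));
  const resourceHit = asArray(stmt.Resource).some((r) => matchesPattern(r, resource));
  if (!actionHit || !resourceHit) return false;
  if (stmt.Principal === undefined) return true;
  if (stmt.Principal === '*' || stmt.Principal.AWS === '*') return true;
  return asArray(stmt.Principal.AWS).includes(principalArn);
}

// Simplified single-policy evaluation: explicit Deny beats any Allow, and no
// matching statement is an implicit deny. Condition keys are not modelled.
function policyDecision(policy, action, resource, principalArn) {
  const hits = policy.Statement.filter((s) => statementMatches(s, action, resource, principalArn));
  if (hits.some((s) => s.Effect === 'Deny')) return 'Deny';
  return hits.some((s) => s.Effect === 'Allow') ? 'Allow' : 'ImplicitDeny';
}

// Cross-account rule: the caller's identity policy AND the bucket policy must
// both return Allow. A bucket policy on its own is not enough.
function crossAccountAllowed(identityPolicy, bucketPolicy, principalArn, action, resource) {
  return policyDecision(identityPolicy, action, resource, principalArn) === 'Allow'
    && policyDecision(bucketPolicy, action, resource, principalArn) === 'Allow';
}

// Audit helper for the Account A side: Allow principals that are wildcards or
// belong to accounts you did not intend to trust.
function untrustedPrincipals(bucketPolicy, trustedAccountIds) {
  const flagged = [];
  for (const stmt of bucketPolicy.Statement) {
    if (stmt.Effect !== 'Allow') continue;
    const principals = stmt.Principal === '*' ? ['*'] : asArray(stmt.Principal && stmt.Principal.AWS);
    for (const p of principals) {
      const m = /^arn:aws:iam::(\d{12}):/.exec(p);
      if (p === '*' || !m || !trustedAccountIds.includes(m[1])) flagged.push(p);
    }
  }
  return flagged;
}

// Stand-alone run: the two policies from the post, evaluated for the Lambda's PutObject.
const LAMBDA_ROLE_ARN = roleArn(ACCOUNT_B_ID, ROLE_NAME);
const identityPolicy = buildIdentityPolicy(BUCKET_NAME);
const bucketPolicy = buildBucketPolicy(BUCKET_NAME, LAMBDA_ROLE_ARN);
const objectArn = `arn:aws:s3:::${BUCKET_NAME}/data/lambda.txt`;
console.log('PutObject allowed:', crossAccountAllowed(identityPolicy, bucketPolicy, LAMBDA_ROLE_ARN, 's3:PutObject', objectArn));
console.log('Untrusted principals:', untrustedPrincipals(bucketPolicy, [ACCOUNT_B_ID]));
```

Two behaviours worth noticing when you run it: removing the identity policy's statement makes the decision an implicit deny even though the bucket policy still names the role, and a request against the bucket ARN itself (as s3:ListBucket would use) is not covered, because both policies only grant on `your-bucket-name/*`.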

Now let's jump to Account B to set up the Lambda function that will access our S3 bucket in Account A.

Go to the Lambda service → click on Create function.

Give the function a name, choose Node.js as the runtime, and attach the role we created in the previous steps.

Replace the code of the Lambda function with the following and click Deploy (put your bucket name in the code):

const AWS = require('aws-sdk');
AWS.config.update({
    region: 'us-east-1'
});
const s3 = new AWS.S3();

exports.handler = async () => {
    const fileContent = 'https://www.linkedin.com/in/tejas-gupta-9b20731a5/';
    const params = {
        Bucket: 'your-bucket-name',
        Key: 'data/lambda.txt',
        // Gives the bucket owner (Account A) full control of the object written
        // by Account B; without it the bucket owner may not be able to read it.
        ACL: 'bucket-owner-full-control',
        Body: fileContent,
        // Content-Type describes the body; Content-Encoding is for compression, not charset.
        ContentType: 'text/plain; charset=utf-8'
    };
    await s3.putObject(params).promise().then(() => {
        console.log('Successfully uploaded file to S3');
    }, (error) => {
        console.error('Error: ', error);
    });
};
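One thing the handler above does not do is fail the invocation when the write is refused: a rejected PutObject is logged and the function still returns normally, so a missing bucket-policy entry shows up in CloudWatch as a successful run. The following is an added example, not the post's code, of the same write restructured so it can be exercised offline and so an AccessDenied from S3 becomes an invocation error. The S3 client is passed in as a parameter and replaced here by constructed stubs that mimic the SDK v2 `putObject(...).promise()` shape; the bucket name and object names are assumptions.

```javascript
// Added example, not the post's code. Same cross-account PutObject, but with
// the S3 client injected (so it runs here against stubs, no AWS account needed)
// and with AccessDenied surfaced as an invocation failure instead of a log line.
function buildPutParams(bucket, keyPrefix, event) {
  const name = (event && event.name) || 'lambda.txt';
  // Keep caller-supplied names under the intended prefix.
  if (name.includes('/')) throw new Error('object name must stay under the prefix');
  return {
    Bucket: bucket,
    Key: `${keyPrefix}${name}`,
    // Grants the bucket owner (Account A) full control of an object written by
    // Account B; without it Account A may be unable to read the object.
    ACL: 'bucket-owner-full-control',
    Body: (event && event.body) || 'written from Account B',
    ContentType: 'text/plain; charset=utf-8',
  };
}

// SDK v2 errors carry the S3 error code in .code, SDK v3 errors in .name.
function isAccessDenied(err) {
  return err.code === 'AccessDenied' || err.name === 'AccessDenied';
}

function makeHandler(s3, bucket, keyPrefix = 'data/') {
  return async function handler(event) {
    const params = buildPutParams(bucket, keyPrefix, event);
    try {
      const result = await s3.putObject(params).promise();
      return { statusCode: 200, key: params.Key, etag: result.ETag };
    } catch (err) {
      if (isAccessDenied(err)) {
        // Rethrow so the invocation is recorded as an error and alarms fire.
        throw new Error(`AccessDenied writing s3://${bucket}/${params.Key}: `
          + 'check the role policy in Account B and the bucket policy in Account A');
      }
      throw err;
    }
  };
}

// Constructed stand-ins for AWS.S3: record the params they were given and
// answer as instructed, so the handler can be run without network access.
function stubS3(respond) {
  const calls = [];
  return {
    calls,
    putObject(params) {
      calls.push(params);
      return { promise: () => respond(params) };
    },
  };
}

const okS3 = stubS3(async () => ({ ETag: '"constructed-etag"' }));
const deniedS3 = stubS3(async () => {
  const err = new Error('Access Denied');
  err.code = 'AccessDenied';
  throw err;
});

// Stand-alone run against both stubs.
const TARGET_BUCKET = 'example-account-a-bucket'; // assumed bucket name
makeHandler(okS3, TARGET_BUCKET)({ name: 'lambda.txt' })
  .then((r) => console.log('ok:', r))
  .then(() => makeHandler(deniedS3, TARGET_BUCKET)({}))
  .catch((e) => console.error('invocation failed:', e.message));
```

Run it with `node` and the second invocation ends in the catch branch with the AccessDenied message; deployed as a real Lambda (with `new AWS.S3()` passed to `makeHandler` as the client), that same rejection is what marks the invocation as failed in the function's error metrics.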

Now all the setup is done and it's time to test our function.

Click on Test → give the test a name → click on Create event or Test.

You will now see that the Lambda function in Account B has put the data into the S3 bucket in Account A.

Conclusion

We have successfully implemented the Cross Account S3 Bucket Access with Lambda Function.

Clap👏 if you liked the blog and Follow for more✅!


Tejas Gupta

AWS Community Builder ★ AWS/Azure/Alibaba Certified ★ Redhat Certified ★Cloud & DevOps Engineer ★ Content Creator