Invoke Lambda using SNS from Outside Account
You can if the provider account authorizes the consumer account that owns the lambda to subscribe to the SNS topic. This can be done in the "Edit topic policy" under the topic's page.
Here's a summary of the steps to allow a lambda to listen to an SNS topic from an external account:
1. Consumer account creates lambda.
2. Consumer account adds event source to lambda in AWS console by specifying the provider's SNS topic ARN (don't worry about error messages here).
3. Provider account adds SNS subscription permissions to a consumer IAM account created in the third-party's AWS account (done via "edit topic policy" mentioned above).
4. Consumer uses the IAM account from step 2 to add subscription to provider account using AWS CLI.
Example command that worked for me previously for step 4:
aws sns subscribe --topic-arn <provider_sns_arn> --protocol lambda --notification-endpoint <consumer_lambda_arn> --profile consumer-IAM-account
Was having a similar requirement today. In summary there are 3 steps. Let's assume 111111111 is the producer account which has the SNS topic and 2222222222 is the consumer which has the lambda.
1. Allow the Lambda function to subscribe to the topic:
aws sns --profile SNS_Owner_Profile add-permission \
    --topic-arn "arn:aws:sns:us-east-1:111111111:your-sns-top" \
    --label "AllowCrossAccountSns" \
    --aws-account-id "2222222222" \
    --action-name "Receive" "Subscribe"
2. Allow the topic to invoke the Lambda function:
aws lambda --profile Lambda_Owner_Profile add-permission \
    --function-name "your-lambda-function" \
    --statement-id "allowCrossAccountSNS" \
    --principal "sns.amazonaws.com" \
    --action "lambda:InvokeFunction" \
    --source-arn "arn:aws:sns:us-east-1:111111111:your-sns-top"
3. Subscribe the Lambda function to the topic:
aws sns --profile Lambda_Owner_Profile subscribe \
    --topic-arn "arn:aws:sns:us-east-1:111111111:your-sns-top" \
    --protocol "lambda" \
    --notification-endpoint "arn:aws:lambda:us-east-1:2222222222:function:your-lambda-function"
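The three CLI steps in this answer (and the "edit topic policy" step of the first answer) as boto3 calls, together with the policy statement the topic grant produces and a post-check of the Lambda function's resource policy. This is an added example, not code from either answer or from AWS; the 12-digit account IDs, region, topic and function names are assumed placeholders, the sample policy documents are constructed in the shape `aws lambda get-policy` returns, and `wire_up` / `invoke_statements_missing_source_arn` are names chosen here. The check exists because the `--source-arn` in step 2 is what stops an SNS topic in any other account from invoking the function; the policy shape with it forgotten is included so the check has something to flag.

```python
"""Cross-account SNS -> Lambda wiring as boto3 calls, plus a check that the
Lambda grant is pinned to the one topic. Added example, not the post's code."""
import json

PRODUCER_ACCOUNT = "111111111111"   # assumed: owns the SNS topic
CONSUMER_ACCOUNT = "222222222222"   # assumed: owns the Lambda function
TOPIC_ARN = f"arn:aws:sns:us-east-1:{PRODUCER_ACCOUNT}:your-sns-topic"
FUNCTION_NAME = "your-lambda-function"
FUNCTION_ARN = f"arn:aws:lambda:us-east-1:{CONSUMER_ACCOUNT}:function:{FUNCTION_NAME}"


def topic_policy_statement(topic_arn, consumer_account, label="AllowCrossAccountSns"):
    """Statement that `sns add-permission` (or 'Edit topic policy' in the console)
    adds to the topic policy: the consumer account may Subscribe/Receive only,
    not Publish or SetTopicAttributes."""
    return {
        "Sid": label,
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{consumer_account}:root"},
        "Action": ["SNS:Receive", "SNS:Subscribe"],
        "Resource": topic_arn,
    }


def wire_up(sns_producer, lambda_consumer, sns_consumer, topic_arn,
            function_name, function_arn, consumer_account):
    """Steps 1-3 with boto3 clients from the two profiles. Returns the
    SubscriptionArn. (hypothetical helper name)"""
    sns_producer.add_permission(            # step 1: producer credentials
        TopicArn=topic_arn, Label="AllowCrossAccountSns",
        AWSAccountId=[consumer_account], ActionName=["Receive", "Subscribe"])
    lambda_consumer.add_permission(         # step 2: consumer credentials
        FunctionName=function_name, StatementId="allowCrossAccountSNS",
        Principal="sns.amazonaws.com", Action="lambda:InvokeFunction",
        SourceArn=topic_arn)                # omit this and ANY topic may invoke
    resp = sns_consumer.subscribe(          # step 3: consumer credentials
        TopicArn=topic_arn, Protocol="lambda", Endpoint=function_arn)
    return resp["SubscriptionArn"]


def invoke_statements_missing_source_arn(policy_document, topic_arn):
    """Post-check on the Lambda resource policy (the Policy field of
    `aws lambda get-policy`). Returns Sids of Allow statements that let
    sns.amazonaws.com invoke the function without an AWS:SourceArn condition
    equal to `topic_arn`; an empty list means every SNS grant is pinned."""
    policy = (json.loads(policy_document) if isinstance(policy_document, str)
              else policy_document)
    offending = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        service = principal.get("Service") if isinstance(principal, dict) else principal
        if service not in ("sns.amazonaws.com", "*"):
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("lambda:InvokeFunction", "lambda:*", "*") for a in actions):
            continue
        cond = st.get("Condition", {})
        pinned = any(cond.get(op, {}).get("AWS:SourceArn") == topic_arn
                     for op in ("ArnLike", "ArnEquals", "StringEquals"))
        if not pinned:
            offending.append(st.get("Sid", "<no Sid>"))
    return offending


def _sample_lambda_policy(condition):
    """Constructed sample in the shape `aws lambda get-policy` returns."""
    statement = {"Sid": "allowCrossAccountSNS", "Effect": "Allow",
                 "Principal": {"Service": "sns.amazonaws.com"},
                 "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN}
    if condition:
        statement["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Id": "default",
                       "Statement": [statement]})


# Constructed samples: step 2 as written, step 2 with --source-arn forgotten,
# and step 2 pinned to a different topic than the one we subscribe to.
SCOPED_POLICY = _sample_lambda_policy({"ArnLike": {"AWS:SourceArn": TOPIC_ARN}})
UNSCOPED_POLICY = _sample_lambda_policy(None)
OTHER_TOPIC_POLICY = _sample_lambda_policy(
    {"ArnLike": {"AWS:SourceArn": TOPIC_ARN.replace("your-sns-topic", "other")}})

if __name__ == "__main__":
    print("scoped     :", invoke_statements_missing_source_arn(SCOPED_POLICY, TOPIC_ARN))
    print("unscoped   :", invoke_statements_missing_source_arn(UNSCOPED_POLICY, TOPIC_ARN))
    print("other topic:", invoke_statements_missing_source_arn(OTHER_TOPIC_POLICY, TOPIC_ARN))
    # Against real accounts (needs boto3 and the two configured profiles):
    #   import boto3
    #   producer = boto3.Session(profile_name="SNS_Owner_Profile")
    #   consumer = boto3.Session(profile_name="Lambda_Owner_Profile")
    #   print(wire_up(producer.client("sns"), consumer.client("lambda"),
    #                 consumer.client("sns"), TOPIC_ARN, FUNCTION_NAME,
    #                 FUNCTION_ARN, CONSUMER_ACCOUNT))
    #   live = consumer.client("lambda").get_policy(FunctionName=FUNCTION_NAME)["Policy"]
    #   assert not invoke_statements_missing_source_arn(live, TOPIC_ARN)
```

Run it as-is to see the check on the three constructed policies; uncomment the tail (with the profile names from the answer) to wire real accounts and verify the live policy afterwards. The topic-side grant deliberately stops at Receive/Subscribe, so the consumer account cannot publish into the producer's topic or rewrite its policy.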
In the AWS Lambda Developer Guide there is a tutorial where AWS CLI commands are used to set up an invocation of a Lambda function from SNS that belongs to another account.
The procedure is quite similar to the procedure in the accepted answer. The subscription doesn't have to be confirmed. It was ready for testing right after the aws sns subscribe command.