Call multiple Account/Region APIs

Overview

Use case: A Lambda function in Account 1 wants to call lambda:ListFunctions in multiple accounts 2, 3, ….

Cross Account

Now Policy B has to be installed in each sub-account.

Policy A in the main account has to contain an entry for each sub-account. That is easy with the CDK.

Create the Role policy by iterating through the sub-accounts

See the file infra/collector.go in the source:

	import (
		"fmt"
		"strings"

		"github.com/aws/aws-cdk-go/awscdk/v2/awsiam"
		"github.com/aws/aws-sdk-go-v2/aws"
	)

	// addAssumeRoleStatements lets lambdaRole assume CrossAccountListFunctionsRole
	// in every sub-account; accounts is the comma-separated list of account IDs
	// taken from the stack configuration.
	func addAssumeRoleStatements(lambdaRole awsiam.IRole, accounts string) {
		members := strings.Split(accounts, ",")

		// Range accounts: one statement per sub-account, each with its own Sid
		for i, member := range members {
			sid := fmt.Sprintf("AllowCrossAccountGroupList%d", i)
			// IAM ARNs carry no region, hence the empty field between the two colons
			arn := fmt.Sprintf("arn:aws:iam::%s:role/CrossAccountListFunctionsRole", strings.TrimSpace(member))
			allow := awsiam.NewPolicyStatement(&awsiam.PolicyStatementProps{
				Sid:       aws.String(sid),
				Effect:    awsiam.Effect_ALLOW,
				Resources: &[]*string{aws.String(arn)},
				Actions:   &[]*string{aws.String("sts:AssumeRole")},
			})
			lambdaRole.AddToPolicy(allow)
		}
	}

The first parts of an ARN are:

arn:aws:${servicename}:${region}:${account}:

IAM is a global service, so the region field stays empty; that is why the IAM role ARN reads arn:aws:iam::${account}:role/…. The for loop iterates over all sub-accounts and adds one policy statement per account to the Lambda role, so the role may assume exactly those roles and nothing else.
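The CDK loop above only shows the main-account side. As an added example (not code from the original page or its repository), the following Go program renders both halves of the setup as plain IAM JSON: Policy A as the loop produces it, and the two documents that make up Policy B in a sub-account, namely the trust policy of CrossAccountListFunctionsRole and its permission policy. The main account ID 111111111111, the sub-account IDs and the main-account role name CollectorLambdaRole are constructed values for illustration; the page does not name them. The trust policy deliberately pins the exact Lambda role as principal rather than the account root.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Statement is one entry in an IAM policy document.
type Statement struct {
	Sid       string            `json:"Sid,omitempty"`
	Effect    string            `json:"Effect"`
	Principal map[string]string `json:"Principal,omitempty"`
	Action    []string          `json:"Action"`
	Resource  []string          `json:"Resource,omitempty"`
}

// Policy is a minimal IAM policy document.
type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// AWS account IDs are exactly twelve digits; anything else in the
// comma-separated list is a configuration error, not a policy entry.
var accountID = regexp.MustCompile(`^[0-9]{12}$`)

// RoleARN builds arn:aws:iam::<account>:role/<name>. IAM is global, so the
// region field between the two colons stays empty.
func RoleARN(account, name string) (string, error) {
	account = strings.TrimSpace(account)
	if !accountID.MatchString(account) {
		return "", fmt.Errorf("invalid account id %q", account)
	}
	return fmt.Sprintf("arn:aws:iam::%s:role/%s", account, name), nil
}

// PolicyA mirrors what the CDK loop attaches to the Lambda role in the
// main account: one sts:AssumeRole statement per sub-account role.
func PolicyA(accounts, roleName string) (Policy, error) {
	p := Policy{Version: "2012-10-17"}
	for i, member := range strings.Split(accounts, ",") {
		arn, err := RoleARN(member, roleName)
		if err != nil {
			return Policy{}, err
		}
		p.Statement = append(p.Statement, Statement{
			Sid:      fmt.Sprintf("AllowCrossAccountGroupList%d", i),
			Effect:   "Allow",
			Action:   []string{"sts:AssumeRole"},
			Resource: []string{arn},
		})
	}
	return p, nil
}

// TrustPolicyB is the trust policy of CrossAccountListFunctionsRole in a
// sub-account (assumed content). It names the exact Lambda role of the main
// account as principal; trusting arn:aws:iam::<main>:root instead would let
// every principal in the main account assume the role.
func TrustPolicyB(mainAccount, lambdaRoleName string) (Policy, error) {
	arn, err := RoleARN(mainAccount, lambdaRoleName)
	if err != nil {
		return Policy{}, err
	}
	return Policy{
		Version: "2012-10-17",
		Statement: []Statement{{
			Effect:    "Allow",
			Principal: map[string]string{"AWS": arn},
			Action:    []string{"sts:AssumeRole"},
		}},
	}, nil
}

// PermissionPolicyB is the permission policy of that sub-account role.
// lambda:ListFunctions has no resource-level permissions, so the resource
// must be "*"; the single action is what keeps the grant narrow.
func PermissionPolicyB() Policy {
	return Policy{
		Version: "2012-10-17",
		Statement: []Statement{{
			Effect:   "Allow",
			Action:   []string{"lambda:ListFunctions"},
			Resource: []string{"*"},
		}},
	}
}

// ToJSON renders a policy the way it would be pasted into the IAM console.
func ToJSON(p Policy) (string, error) {
	b, err := json.MarshalIndent(p, "", "  ")
	return string(b), err
}

func main() {
	a, err := PolicyA("222222222222, 333333333333", "CrossAccountListFunctionsRole")
	if err != nil {
		panic(err)
	}
	t, _ := TrustPolicyB("111111111111", "CollectorLambdaRole")
	for _, p := range []Policy{a, t, PermissionPolicyB()} {
		s, _ := ToJSON(p)
		fmt.Println(s)
	}
}
```

Running it prints the three documents; the account-ID check is there because a stray entry in the comma-separated list would otherwise silently produce an ARN that never matches anything.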

Calling all Accounts and Regions

Now the app loops through the configuration as shown in the previous chapter. For each account it uses a client whose credentials come from the role assumed in that account, iterates through the regions, and passes the region as an option to the Lambda call:

	// The functional option overrides the region for this single call only;
	// the client's credentials (the assumed sub-account role) stay the same.
	result, err := client.ListFunctions(context.TODO(), params, func(options *lambda.Options) {
		options.Region = region
	})
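What the account and region loops look like together, as an added example that is not code from the original page or its repository: the per-account client is abstracted behind a small interface so the program runs offline with a constructed fake. In the real app the interface would be satisfied by a wrapper around lambda.Client.ListFunctions from aws-sdk-go-v2 that passes func(o *lambda.Options) { o.Region = region } and returns the FunctionName values plus NextMarker, and the factory would build that client from credentials obtained with stscreds.NewAssumeRoleProvider for the sub-account role ARN. The account IDs, region names and function names are constructed; the error strings mimic what a disabled opt-in region and a failed AssumeRole look like but are not captured SDK output. The sweep records a failure per (account, region) and carries on instead of aborting, so one unreachable region does not hide results from the others.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// functionLister is the one call the sweep needs. The real implementation
// wraps lambda.Client.ListFunctions with the region option shown above.
type functionLister interface {
	ListFunctions(ctx context.Context, region, marker string) (names []string, next string, err error)
}

// clientFactory returns a lister whose credentials come from assuming
// roleARN (stscreds.NewAssumeRoleProvider in the real app).
type clientFactory func(ctx context.Context, roleARN string) (functionLister, error)

// Result holds what one (account, region) pair returned.
type Result struct {
	Account, Region string
	Functions       []string
	Err             error
}

// Sweep assumes the role in every account and lists functions in every
// region. A failing region is recorded and the sweep continues; a failing
// AssumeRole yields one error per region so nothing goes silently missing.
func Sweep(ctx context.Context, accounts, regions []string, roleName string, newClient clientFactory) []Result {
	var out []Result
	for _, account := range accounts {
		roleARN := fmt.Sprintf("arn:aws:iam::%s:role/%s", account, roleName)
		client, err := newClient(ctx, roleARN)
		for _, region := range regions {
			r := Result{Account: account, Region: region}
			if err != nil {
				r.Err = fmt.Errorf("assume %s: %w", roleARN, err)
				out = append(out, r)
				continue
			}
			r.Functions, r.Err = listAll(ctx, client, region)
			out = append(out, r)
		}
	}
	return out
}

// listAll follows NextMarker until the account/region is exhausted.
func listAll(ctx context.Context, c functionLister, region string) ([]string, error) {
	var all []string
	marker := ""
	for {
		names, next, err := c.ListFunctions(ctx, region, marker)
		if err != nil {
			return all, fmt.Errorf("%s: %w", region, err)
		}
		all = append(all, names...)
		if next == "" {
			return all, nil
		}
		marker = next
	}
}

// ---- constructed fake so the example runs offline ----

type fakeClient struct {
	pages map[string][][]string // region -> pages of function names
}

func (f *fakeClient) ListFunctions(_ context.Context, region, marker string) ([]string, string, error) {
	pages, ok := f.pages[region]
	if !ok {
		return nil, "", errors.New("region not enabled") // constructed error text
	}
	i, _ := strconv.Atoi(strings.TrimPrefix(marker, "page-"))
	if i >= len(pages) {
		return nil, "", nil
	}
	next := ""
	if i+1 < len(pages) {
		next = fmt.Sprintf("page-%d", i+1)
	}
	return pages[i], next, nil
}

func fakeFactory(_ context.Context, roleARN string) (functionLister, error) {
	switch roleARN {
	case "arn:aws:iam::222222222222:role/CrossAccountListFunctionsRole":
		return &fakeClient{pages: map[string][][]string{
			"eu-central-1": {{"collector", "ingest"}, {"report"}},
			"us-east-1":    {{"edge"}},
		}}, nil
	case "arn:aws:iam::333333333333:role/CrossAccountListFunctionsRole":
		return &fakeClient{pages: map[string][][]string{"eu-central-1": {}}}, nil
	}
	return nil, errors.New("AccessDenied") // constructed: no trust relationship
}

func main() {
	results := Sweep(context.Background(),
		[]string{"222222222222", "333333333333", "444444444444"},
		[]string{"eu-central-1", "us-east-1"},
		"CrossAccountListFunctionsRole", fakeFactory)
	for _, r := range results {
		if r.Err != nil {
			fmt.Printf("%s/%s: error: %v\n", r.Account, r.Region, r.Err)
			continue
		}
		fmt.Printf("%s/%s: %v\n", r.Account, r.Region, r.Functions)
	}
}
```

Keeping the failure per (account, region) rather than returning early matters in practice: opt-in regions that are not enabled in a sub-account fail the call, and a single missing trust relationship should show up as that account's error, not as an empty report.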

So much for theory. In the walkthrough in the next chapter you build a working example.

See also

Source

See the full source on github.

Sources