Creating a Queue Using Cross-Account Permissions

Length: 00:08:30

Lesson Summary:

SQS does not allow API calls such as CreateQueue using cross-account permissions. A workaround is to create and invoke a Lambda function in another account in order to call that API.

Create AWS CLI Profiles

Development account admin:

aws configure --profile devadmin

Production account admin:

aws configure --profile prodadmin

Create a Lambda Function in the Production Account

Function name: CreateSQSQueue

See lambda_function.py and assign the role lambda_execution_role.json.

Assign Permissions to the Lambda Function

Add permissions to the production Lambda function that allow it to be invoked by the development account user:

aws lambda add-permission \
--function-name CreateSQSQueue \
--statement-id DevAccountAccess \
--action 'lambda:InvokeFunction' \
--principal 'arn:aws:iam::__DEVELOPMENT_ACCOUNT_NUMBER__:user/devadmin' \
--region us-east-2 \
--profile prodadmin

To view the policy:

aws lambda get-policy \
--function-name CreateSQSQueue \
--region us-east-2 \
--profile prodadmin

To remove the policy:

aws lambda remove-permission \
--function-name CreateSQSQueue \
--statement-id DevAccountAccess \
--region us-east-2 \
--profile prodadmin

Invoke the Production Lambda Function from the Development Account

aws lambda invoke \
--function-name '__LAMBDA_FUNCTION_ARN__' \
--payload '{"QueueName": "MyQueue" }' \
--invocation-type RequestResponse \
--profile devadmin \
--region us-east-2 \
output.txt


This lesson is only available to Linux Academy members.

Sign Up To View This Lesson
Or Log In

Looking For Team Training?

Learn More