I tried calling the CloudWatch Logs API of Account B (234567890123) from a Lambda function in Account A (123456789012).

Execution result

- Return value

```json
{
  "events": [
    {
      "timestamp": 1543366128635,
      "message": "[940dea18-b6de-4851-a4b1-34cd0ed38541] BENCHMARK : Running Start Crawl for Crawler workshop-sh10json",
      "ingestionTime": 1543366139237
    },
    {
      "timestamp": 1543366169930,
      "message": "[940dea18-b6de-4851-a4b1-34cd0ed38541] BENCHMARK : Classification complete, writing results to database default",
      "ingestionTime": 1543366196029
    },
```

- Log output

```
START RequestId: 07ea4b0c-3a29-4649-b21d-40ce9412a70c Version: $LATEST
END RequestId: 07ea4b0c-3a29-4649-b21d-40ce9412a70c
REPORT RequestId: 07ea4b0c-3a29-4649-b21d-40ce9412a70c Duration: 1998.25 ms Billed Duration: 2000 ms Memory Size: 128 MB Max Memory Used: 78 MB Init Duration: 257.63 ms
```
Account A

arn:aws:iam::123456789012:role/LambdaRoleForCrossAccount

- Permissions policies
  - AWSLambdaExecute (AWS managed)
  - AssumeRolePolicy (Customer managed)

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Assume Role Policy",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "*"
    }
  ]
}
```

arn:aws:lambda:ap-northeast-1:123456789012:function:CWLFunction

- Runtime: Python 3.7
- Execution role: LambdaRoleForCrossAccount

```python
import boto3


def lambda_handler(event, context):
    # Assume the role in Account B; STS returns temporary credentials
    sts_connection = boto3.client('sts')
    acct_b = sts_connection.assume_role(
        RoleArn="arn:aws:iam::234567890123:role/CWLRoleForCrossAccount",
        RoleSessionName="cross_acct_lambda"
    )

    ACCESS_KEY = acct_b['Credentials']['AccessKeyId']
    SECRET_KEY = acct_b['Credentials']['SecretAccessKey']
    SESSION_TOKEN = acct_b['Credentials']['SessionToken']

    # CloudWatch Logs client built on Account B's temporary credentials
    client = boto3.client(
        'logs',
        aws_access_key_id=ACCESS_KEY,
        aws_secret_access_key=SECRET_KEY,
        aws_session_token=SESSION_TOKEN,
    )

    # Read the log stream that lives in Account B
    response = client.get_log_events(
        logGroupName='/aws-glue/crawlers',
        logStreamName='workshop-sh10json'
    )
    return response
```
Account B

arn:aws:iam::234567890123:role/CWLRoleForCrossAccount

- Permissions policies
  - CloudWatchLogsReadOnlyAccess (AWS managed)
- Trust relationships

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/LambdaRoleForCrossAccount"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
```
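Cross-account AssumeRole only succeeds when both sides agree: Account A's identity policy must allow `sts:AssumeRole` on the target role, and Account B's trust policy must name the caller. The following added example (not code from the page) checks that pairing offline over the two policies above, and also shows a least-privilege variant of Account A's policy, `ACCOUNT_A_SCOPED`, that is my own assumption rather than the page's configuration; it models only the subset of IAM evaluation needed here (Allow statements, no explicit Deny or conditions).

```python
CALLER_ROLE = "arn:aws:iam::123456789012:role/LambdaRoleForCrossAccount"
TARGET_ROLE = "arn:aws:iam::234567890123:role/CWLRoleForCrossAccount"

# Account A's AssumeRolePolicy as shown on the page: Resource "*"
ACCOUNT_A_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}],
}
# Assumed least-privilege variant: only the one role in Account B may be assumed
ACCOUNT_A_SCOPED = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": TARGET_ROLE}],
}
# Account B's trust policy as shown on the page
ACCOUNT_B_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": CALLER_ROLE},
                   "Action": "sts:AssumeRole", "Condition": {}}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def identity_allows(policy, target_role):
    """True if the caller's identity policy allows sts:AssumeRole on target_role."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st["Action"]):
            continue
        if any(r in ("*", target_role) for r in _as_list(st["Resource"])):
            return True
    return False


def trust_allows(trust_policy, caller_role):
    """True if the target role's trust policy names caller_role or its account root."""
    account_root = "arn:aws:iam::%s:root" % caller_role.split(":")[4]
    for st in trust_policy["Statement"]:
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st["Action"]):
            continue
        principals = _as_list(st.get("Principal", {}).get("AWS", []))
        if caller_role in principals or account_root in principals:
            return True
    return False


def can_assume(identity_policy, trust_policy, caller_role, target_role):
    """Both the caller's policy and the target's trust policy must allow the call."""
    return identity_allows(identity_policy, target_role) and trust_allows(trust_policy, caller_role)
```

With `Resource: "*"` the Account A role may assume any role in any account whose trust policy happens to name it; scoping the resource to `CWLRoleForCrossAccount` keeps the page's setup working while limiting the blast radius of that role.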