Open the Lambda console.
Click Create a function.
Accept the default Author from scratch.
Enter function name as Lambda-Assume-Roles.
Select Python 3.6 runtime.
Expand Permissions, click Use an existing role, then select the Lambda-Assume-Roles role.
Click Create function.
Replace the example function code with the following, replacing the RoleArn with the one from account 2 you created previously.
import json
import boto3
import os
import uuid
def lambda_handler(event, context):
try:
client = boto3.client('sts')
response = client.assume_role(RoleArn='arn:aws:iam::account2:role/LambdaS3ListBuckets',RoleSessionName="{}-s3".format(str(uuid.uuid4())[:5]))
session = boto3.Session(aws_access_key_id=response['Credentials']['AccessKeyId'],aws_secret_access_key=response['Credentials']['SecretAccessKey'],aws_session_token=response['Credentials']['SessionToken'])
s3 = session.client('s3')
s3list = s3.list_buckets()
print (s3list)
return str(s3list['Buckets'])
except Exception as e:
print(e)
raise e
Click Save.
Click Test, accept the default event template, enter event name of test, then click Create.
Click Test again, and in a few seconds the function output should highlight green and you can expand the detail to see the response from the S3 API.
How could the example policies be improved?