Accessing CloudFormation Macros from other AWS Accounts

In this post you’ll learn (hopefully!) how to allow other AWS accounts to access CloudFormation macros in your account. AWS announced CloudFormation macros last year. Macros allow you to use a Lambda function to process CloudFormation templates.

I won’t be going over how macros work in detail in this post, but you can learn more about them here. I also assume you have installed the AWS CLI tools.

Let’s begin.

Introduction

There are two steps to allow another account to access your macros:

  1. Grant permission to the other account to invoke the Lambda function that processes the CloudFormation template.
  2. Define the macro in the account that wants to use it.

In this scenario, we have our two protagonists Alice and Bob. (They usually work in cryptography but are currently on secondment in operations.)

Below are their respective account ids:

Account NameAccount Id
Bob123456789
Alice987654321

Grant Permission

Bob has written a macro that automatically sets up IPv6 for a VPC that Alice wants to use from her account.

Before Alice can start using Bob’s macro in her CloudFormation templates, Bob needs to give Alice permission to invoke the underlying Lambda function. Bob opens up a terminal and runs the following command, specifying Alice’s account id as the principal:

$ aws lambda add-permission --function-name EnableIPv6 --statement-id 987654321 --principal 987654321 --action lambda:InvokeFunction

This command adds the ‘lambda:InvokeFunction’ permission to the function policy of the Lambda function, which allows Alice to call it. (Note: you can’t modify the resource policy from the management console. You can only do so using either the CLI tools or an SDK.)

You can also grant permission to another account directly in your CloudFormation template. For example, to allow Alice to invoke his Lambda function Bob would add the following to his template:

AlicePermission:     Type: AWS::Lambda::Permission     Properties:       Action: 'lambda:InvokeFunction'       FunctionName: !GetAtt TransformFunction.Arn       Principal: '987654321'

Create the Macro

Before she can use Bob’s macro, Alice must define a macro in her account, referencing the ARN of the Lambda function in Bob’s account like so:

Resources:   Transform:     Type: AWS::CloudFormation::Macro     Properties:       Name: EnableIPv6       Description: 'Enable IPv6 in a VPC'       FunctionName: 'arn:aws:lambda:eu-west-2:123456789:function:EnableIPv6'

Alice then navigates to the CloudFormation section in the management console and creates a stack using the template above. Once the stack has been created, Alice will then be able to use the macro in her own templates.

And that’s it! The end.

Need some help with AWS? I’m a certified AWS engineer and Linux Foundation system administrator. Get in touch for a quote.

Leave a Reply