In this post you’ll learn (hopefully!) how to allow other AWS accounts to access CloudFormation macros in your account. AWS announced CloudFormation macros last year. Macros allow you to use a Lambda function to process CloudFormation templates.
I won’t be going over how macros work in detail in this post, but you can learn more about them here. I also assume you have installed the AWS CLI tools.
There are two steps to allow another account to access your macros:
- Grant permission to the other account to invoke the Lambda function that processes the CloudFormation template.
- Define the macro in the account that wants to use it.
In this scenario, we have our two protagonists Alice and Bob. (They usually work in cryptography but are currently on secondment in operations.)
Below are their respective account ids:
|Account Name||Account Id|
Bob has written a macro that automatically sets up IPv6 for a VPC that Alice wants to use from her account.
Before Alice can start using Bob’s macro in her CloudFormation templates, Bob needs to give Alice permission to invoke the underlying Lambda function. Bob opens up a terminal and runs the following command, specifying Alice’s account id as the principal:
$ aws lambda add-permission --function-name EnableIPv6 --statement-id 987654321 --principal 987654321 --action lambda:InvokeFunction
This command adds the ‘lambda:InvokeFunction’ permission to the function policy of the Lambda function, which allows Alice to call it. (Note: you can’t modify the resource policy from the management console. You can only do so using either the CLI tools or an SDK.)
You can also grant permission to another account directly in your CloudFormation template. For example, to allow Alice to invoke his Lambda function Bob would add the following to his template:
AlicePermission: Type: AWS::Lambda::Permission Properties: Action: 'lambda:InvokeFunction' FunctionName: !GetAtt TransformFunction.Arn Principal: '987654321'
Create the Macro
Before she can use Bob’s macro, Alice must define a macro in her account, referencing the ARN of the Lambda function in Bob’s account like so:
Resources: Transform: Type: AWS::CloudFormation::Macro Properties: Name: EnableIPv6 Description: 'Enable IPv6 in a VPC' FunctionName: 'arn:aws:lambda:eu-west-2:123456789:function:EnableIPv6'
Alice then navigates to the CloudFormation section in the management console and creates a stack using the template above. Once the stack has been created, Alice will then be able to use the macro in her own templates.
And that’s it! The end.
Need some help with AWS? I’m a certified AWS engineer and Linux Foundation system administrator. Get in touch for a quote.