Venkatesan Panneerselvam
3 min read · May 6, 2022


Access AWS app config from different AWS account Lambda

Introduction

In this page, we will see how a Lambda function in one AWS account can read a configuration deployed with AWS AppConfig in a different AWS account.

AWS app config

AWS AppConfig is a capability of AWS Systems Manager for creating, managing, and quickly deploying application configurations. A configuration is a collection of settings that influence the behaviour of your application. You can use AWS AppConfig with applications hosted on Amazon Elastic Compute Cloud (Amazon EC2) instances, AWS Lambda, containers, mobile applications, or IoT devices.

AWS lambda

AWS Lambda is a serverless, event-driven compute service that lets you run code for virtually any type of application or backend service without provisioning or managing servers. You can trigger Lambda from over 200 AWS services and software as a service (SaaS) applications, and you only pay for what you use.

This page expands on the instructions given in the AWS documentation here:

https://docs.aws.amazon.com/appconfig/latest/userguide/appconfig-integration-lambda-extensions.html

Steps

Before we begin, make sure you have two AWS accounts. In this demo, we will use the following two accounts.

AWS-acc-1 = 135791113151
AWS-acc-2 = 246810121416

1. Create app config in AWS-acc-1

Create the AWS app config with the following details. (You can use your own names, but make sure you also change every place on this page where they are referenced.)

No  Key                 Value
1   application_name    VenkatAppConfig-App
2   environment_name    VenkatAppConfig-Env
3   configuration_name  VenkatAppConfig-ConfigProfile
4   Region              us-east-1

Sample app config JSON:

{
  "a": 1,
  "b": "xy",
  "c": false,
  "d": [
    1,
    2,
    3,
    101
  ]
}

2. Create lambda in AWS-acc-2

In AWS-acc-2, create a new Lambda function named VenkatExternalAwsLambda. In this demo, I am going to use a Python Lambda to fetch the app config.

The code for the lambda is:

import json
import urllib.request


def lambda_handler(event, context):
    # The AWS AppConfig Lambda extension serves the deployed configuration
    # on a local HTTP endpoint (port 2772) inside the Lambda execution environment.
    url = ('http://localhost:2772/applications/VenkatAppConfig-App'
           '/environments/VenkatAppConfig-Env'
           '/configurations/VenkatAppConfig-ConfigProfile')
    with urllib.request.urlopen(url) as response:
        config = response.read().decode('utf-8')
    # Parse the JSON document so Lambda can serialize the return value
    # (returning the raw bytes would fail JSON serialization).
    return json.loads(config)

3. Create a role in AWS-acc-1 that lets AWS-acc-2 read the app config

Create Policy -> VenkatAppConfigReadPolicy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "appconfig:GetLatestConfiguration",
        "appconfig:StartConfigurationSession"
      ],
      "Resource": "arn:aws:appconfig:us-east-1:135791113151:application/VenkatAppConfig-App/environment/VenkatAppConfig-Env/configuration/VenkatAppConfig-ConfigProfile"
    }
  ]
}

Create Role -> VenkatAppConigExternalAwsRole

In the trust relationship, make sure you mention the account ID of AWS-acc-2.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::246810121416:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

Copy the ARN of the role we created -> arn:aws:iam::135791113151:role/VenkatAppConigExternalAwsRole

4. Add the AppConfig Lambda extension to the AWS-acc-2 Lambda with the role ARN from AWS-acc-1

  • In the AWS-acc-2 Lambda, add the extension layer “AWS-AppConfig-Extension”
  • Add the environment variable AWS_APPCONFIG_EXTENSION_ROLE_ARN
  • The value of the environment variable is the ARN we copied in the previous step: arn:aws:iam::135791113151:role/VenkatAppConigExternalAwsRole

Additional Note:

If the AppConfig resources and the Lambda are in different regions, we need to tell the extension which region the app config lives in.

For that, set the environment variable AWS_APPCONFIG_EXTENSION_SERVICE_REGION to the app config region, us-east-1.

5. Edit the Lambda execution policy with the AWS-acc-1 role ARN

Now add this statement to the Lambda execution role's policy so the extension can assume the AWS-acc-1 role.

{
  "Effect": "Allow",
  "Action": [
    "sts:AssumeRole"
  ],
  "Resource": [
    "arn:aws:iam::135791113151:role/VenkatAppConigExternalAwsRole"
  ]
}
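The three policy documents in steps 3 and 5 have to agree with each other (the trust policy names AWS-acc-2, the read policy names the AWS-acc-1 resource, and the Lambda role names the AWS-acc-1 role), and the trust policy as written trusts the whole of AWS-acc-2 with an empty Condition. The following added example (my own code, not part of the original post or of AWS) is a small offline linter that reviews constructed copies of the page's policies for these points. It also includes a tightened trust policy that trusts only the Lambda execution role and requires an external ID; the execution role name VenkatExternalAwsLambda-role and the external ID value are assumptions, not values from the page.

```python
import json

# Demo account IDs and names from this page.
APPCONFIG_ACCOUNT = "135791113151"   # AWS-acc-1: owns the AppConfig data
LAMBDA_ACCOUNT = "246810121416"      # AWS-acc-2: runs the Lambda
EXTERNAL_ROLE_ARN = "arn:aws:iam::135791113151:role/VenkatAppConigExternalAwsRole"
# Assumed name of the Lambda execution role in AWS-acc-2 (not given on the page).
LAMBDA_EXEC_ROLE_ARN = "arn:aws:iam::246810121416:role/VenkatExternalAwsLambda-role"

# The only two actions the AppConfig extension needs to read a configuration.
READ_ACTIONS = {"appconfig:StartConfigurationSession",
                "appconfig:GetLatestConfiguration"}

# Constructed copy of the step 3 trust policy as written on the page.
TRUST_POLICY_PAGE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::246810121416:root"},
        "Action": "sts:AssumeRole",
        "Condition": {},
    }],
}
# Tightened variant: trust only the Lambda's execution role and require an
# external ID (placeholder value), so no other principal in AWS-acc-2 qualifies.
TRUST_POLICY_TIGHT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": LAMBDA_EXEC_ROLE_ARN},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXTERNAL-ID-PLACEHOLDER"}},
    }],
}
# Constructed copy of the step 3 read policy.
READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": sorted(READ_ACTIONS),
        "Resource": "arn:aws:appconfig:us-east-1:135791113151:application/"
                    "VenkatAppConfig-App/environment/VenkatAppConfig-Env/"
                    "configuration/VenkatAppConfig-ConfigProfile",
    }],
}
# Constructed copy of the step 5 statement added to the Lambda execution role.
LAMBDA_ROLE_STATEMENT = {
    "Effect": "Allow",
    "Action": ["sts:AssumeRole"],
    "Resource": [EXTERNAL_ROLE_ARN],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(arn_or_id):
    # "arn:aws:iam::246810121416:root" -> "246810121416"; a bare account ID passes through.
    return arn_or_id.split(":")[4] if arn_or_id.startswith("arn:") else arn_or_id


def check_trust_policy(policy, expected_account):
    """Findings for a role trust policy that should admit one external account only."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        for principal in _as_list(st.get("Principal", {}).get("AWS", [])):
            if _account_of(principal) != expected_account:
                findings.append("trusts unexpected account %s" % _account_of(principal))
            if principal.endswith(":root"):
                findings.append("principal is the account root: every principal in that "
                                "account that may call sts:AssumeRole can use this role")
        if not st.get("Condition"):
            findings.append("sts:AssumeRole has no Condition (e.g. sts:ExternalId)")
    return findings


def check_read_policy(policy, expected_account):
    """Findings for the AppConfig read policy attached to the cross-account role."""
    findings = []
    for st in policy["Statement"]:
        extra = set(_as_list(st["Action"])) - READ_ACTIONS
        if extra:
            findings.append("actions beyond what the extension needs: %s" % sorted(extra))
        for resource in _as_list(st["Resource"]):
            if resource == "*":
                findings.append("resource is '*': grants every AppConfig profile")
            elif _account_of(resource) != expected_account:
                findings.append("resource %s is not in account %s" % (resource, expected_account))
    return findings


def check_lambda_role_statement(statement, role_arn):
    """Findings for the sts:AssumeRole statement on the Lambda execution role."""
    resources = _as_list(statement["Resource"])
    if "*" in resources:
        return ["Lambda role may assume any role; list only %s" % role_arn]
    if role_arn not in resources:
        return ["Lambda role is not allowed to assume %s" % role_arn]
    return []


def review_all(trust_policy):
    return {
        "trust": check_trust_policy(trust_policy, LAMBDA_ACCOUNT),
        "read": check_read_policy(READ_POLICY, APPCONFIG_ACCOUNT),
        "lambda": check_lambda_role_statement(LAMBDA_ROLE_STATEMENT, EXTERNAL_ROLE_ARN),
    }


if __name__ == "__main__":
    for name, policy in (("page", TRUST_POLICY_PAGE), ("tightened", TRUST_POLICY_TIGHT)):
        print(name, json.dumps(review_all(policy), indent=2))
```

Run as-is, the page's trust policy produces two findings (root principal, empty Condition) while the read policy and the Lambda statement pass; the tightened trust policy produces none. If you adopt the external-ID condition, the extension has to present that external ID when it assumes the role, so check the extension's configuration options for how to supply it before enabling the condition.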

Conclusion

Test the Lambda with a dummy input; we should be able to see the fetched app config in the Lambda execution result.
