Tutorial: Build an API Gateway REST API with cross-account Lambda proxy integration - Amazon API Gateway
Create API for cross-account Lambda integrationCreate Lambda integration function in another accountConfigure cross-account Lambda integration
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Tutorial: Build an API Gateway REST API with cross-account Lambda proxy integration

You can now use an Amazon Lambda function from a different Amazon account as your API integration backend. Each account can be in any region where Amazon API Gateway is available. This makes it easy to centrally manage and share Lambda backend functions across multiple APIs.

In this section, we show how to configure cross-account Lambda proxy integration using the Amazon API Gateway console.

Create API for API Gateway cross-account Lambda integration

To create an API

  1. Sign in to the API Gateway console at https://console.amazonaws.cn/apigateway.

  2. If this is your first time using API Gateway, you see a page that introduces you to the features of the service. Under REST API, choose Build. When the Create Example API popup appears, choose OK.

    If this is not your first time using API Gateway, choose Create API. Under REST API, choose Build.

  3. For API name, enter CrossAccountLambdaAPI.

  4. (Optional) For Description, enter a description.

  5. Keep API endpoint type set to Regional.

  6. Choose Create API.

Create Lambda integration function in another account

Now you'll create a Lambda function in a different account from the one in which you created the example API.

Creating a Lambda function in another account

  1. Log in to the Lambda console in a different account from the one where you created your API Gateway API.

  2. Choose Create function.

  3. Choose Author from scratch.

  4. Under Author from scratch, do the following:

    1. For Function name, enter a name.

    2. From the Runtime drop-down list, choose a supported Node.js runtime.

    3. Under Permissions, expand Choose or create an execution role. You can create a role or choose an existing role.

    4. Choose Create function to continue.

  5. Scroll down to the Function code pane.

  6. Enter the Node.js function implementation from Tutorial: Build a Hello World REST API with Lambda proxy integration.

  7. Choose Deploy.

  8. Note the full ARN for your function (in the upper right corner of the Lambda function pane). You'll need it when you create your cross-account Lambda integration.

Configure cross-account Lambda integration

Once you have a Lambda integration function in a different account, you can use the API Gateway console to add it to your API in your first account.

Note

If you are configuring a cross-region, cross-account authorizer, the sourceArn that is added to the target function should use the region of the function, not the region of the API.

After you create an API, you create a resource. Typically, API resources are organized in a resource tree according to the application logic. For this example, you create a /helloworld resource.

To create a resource

  1. Select the / resource, and then choose Create resource.

  2. Keep Proxy resource turned off.

  3. Keep Resource path as /.

  4. For Resource name, enter helloworld.

  5. Keep CORS (Cross Origin Resource Sharing) turned off.

  6. Choose Create resource.

After you create an resource, you create a GET method. You integrate the GET method with a Lambda function in another account.

To create a GET method

  1. Select the /helloworld resource, and then choose Create method.

  2. For Method type, select GET.

  3. For Integration type, select Lambda function.

  4. Turn on Lambda proxy integration.

  5. For Lambda function, enter the full ARN of your Lambda function from Step 1.

    In the Lambda console, you can find the ARN for your function in the upper right corner of the console window.

  6. When you enter the ARN, a aws lambda add-permission command string will appear. This policy grants your first account access to your second account's Lambda function. Copy and paste the aws lambda add-permission command string into an Amazon CLI window that is configured for your second account.

  7. Choose Create method.

You can see your updated policy for your function in the Lambda console.

(Optional) To see your updated policy

  1. Sign in to the Amazon Web Services Management Console and open the Amazon Lambda console at https://console.amazonaws.cn/lambda/.

  2. Choose your Lambda function.

  3. Choose Permissions.

    You should see an Allow policy with a Condition clause in which the in the AWS:SourceArn is the ARN for your API's GET method.