- Add the ESF Lambda role ARN to the allowlist
  - In account 150992150901, run:
      aws lambda list-functions \
        --region us-west-2 \
        --query 'Functions[?starts_with(FunctionName, `elastic-serverless-forwar-ApplicationElasticServer`)].Role' \
        --output text
  - Copy the role ARN (e.g., arn:aws:iam::150992150901:role/elastic-serverless-forwar-ApplicationElasticServer-XYZ).
- Update the trust policy in account 801458782278
  - Trust the entire dev account but limit it to the Lambda roles and the EC2 role using ArnLike, and note the Lambda role needs Kinesis permissions:
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": { "AWS": "arn:aws:iam::150992150901:root" },
            "Action": "sts:AssumeRole",
            "Condition": {
              "ArnLike": {
                "aws:PrincipalArn": [
                  "arn:aws:iam::150992150901:role/elastic-serverless-forwar-*",
                  "arn:aws:iam::150992150901:role/pge-elasticsearch-role"
                ]
              }
            }
          }
        ]
      }
  - Apply it with:
      aws iam update-assume-role-policy \
        --role-name KinesisAccessfordevElastic \
        --policy-document file://trust-policy.json
- Grant the Lambda role Kinesis read permissions on each stream (either via stream resource policy or IAM):
  - kinesis:GetRecords
  - kinesis:GetShardIterator
  - kinesis:DescribeStream
  - kinesis:DescribeStreamSummary
  - kinesis:ListShards
  - kinesis:ListStreams
  - kinesis:SubscribeToShard (if enhanced fan-out)
This change lets the SAR-created Lambda execution role (random suffix) and pge-elasticsearch-role assume the cross-account Kinesis role without manual updates every deploy, and gives the direct event source mapping the Kinesis permissions it needs.
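As an added check, not part of the runbook above, the following standard-library Python evaluates whether a given principal ARN is admitted by the trust policy using IAM's ArnLike wildcard semantics, so you can confirm the wildcard covers the SAR role's random suffix without admitting every role in the dev account, and it assembles the Kinesis read policy from the action list. The trust-policy copy is constructed from the page; may_assume only models the Allow/account-root/ArnLike shape used here, and any stream ARN you pass is your own placeholder.

```python
import re

# Constructed copy of the trust policy from the runbook above.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::150992150901:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"ArnLike": {"aws:PrincipalArn": [
            "arn:aws:iam::150992150901:role/elastic-serverless-forwar-*",
            "arn:aws:iam::150992150901:role/pge-elasticsearch-role",
        ]}},
    }],
}

def arn_like(pattern: str, arn: str) -> bool:
    """IAM ArnLike matching: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, arn) is not None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def may_assume(trust_policy: dict, principal_arn: str) -> bool:
    """True if principal_arn satisfies an Allow sts:AssumeRole statement of the runbook's
    shape (account-root principal narrowed by ArnLike on aws:PrincipalArn). Deny is not modelled."""
    account = principal_arn.split(":")[4]
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        if f"arn:aws:iam::{account}:root" not in _as_list(stmt["Principal"].get("AWS", [])):
            continue
        cond = stmt.get("Condition", {}).get("ArnLike", {}).get("aws:PrincipalArn", [])
        # An absent condition means every principal in the trusted account may assume the role.
        if not cond or any(arn_like(p, principal_arn) for p in _as_list(cond)):
            return True
    return False

def kinesis_read_policy(stream_arns: list, enhanced_fan_out: bool = False) -> dict:
    """Identity policy granting the Lambda role the read actions listed in the runbook."""
    actions = ["kinesis:GetRecords", "kinesis:GetShardIterator", "kinesis:DescribeStream",
               "kinesis:DescribeStreamSummary", "kinesis:ListShards", "kinesis:ListStreams"]
    if enhanced_fan_out:
        actions.append("kinesis:SubscribeToShard")
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions, "Resource": list(stream_arns)}]}
```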