Amazon API Gateway
Developer Guide

Build an API Gateway API with Cross-Account Lambda Proxy Integration

You can now use an AWS Lambda function from a different AWS account as your API integration backend. Each account can be in any region where Amazon API Gateway is available. This makes it easy to centrally manage and share Lambda backend functions across multiple APIs.

In this section, we show how to configure cross-account Lambda proxy integration using the Amazon API Gateway console.

First, we create the example API from Build an API Gateway API from an Example in one account. We then create a Lambda function in another account. Finally, we use cross-account Lambda integration to allow the example API to use the Lambda function we created in the second account.

Create API for API Gateway Cross-Account Lambda Integration

First, you'll create the example API as described in Build an API Gateway API from an Example.

To create the example API

  1. Sign in to the API Gateway console.

  2. Choose Create API from the API Gateway APIs home page.

  3. Under Create new API, choose Examples API.

  4. For Endpoint Type, choose Edge optimized.

  5. Choose Import to create the example API.

Create Lambda Integration Function in Another Account

Now you'll create a Lambda function in a different account from the one in which you created the example API.

Creating a Lambda function in another account

  1. Log in to the Lambda console in a different account from the one where you created your API Gateway API.

  2. Choose Create function.

  3. Choose Author from scratch.

  4. Under Author from scratch, do the following:

    1. In the Name input field, type a function name.

    2. From the Runtime drop-down list, choose a supported runtime. In this example, we use Node.js 6.10.

    3. From the Role drop-down list, choose Choose an existing role, Create new role from template(s) or Create a custom role. Then, follow the ensuing instructions for the choice.

    4. Choose Create function to continue.

      For this example, we will skip the Designer section and move to the Function code section next.

  5. Scroll down to the Function code pane.

  6. Copy-paste a function implementation such as one of the API Gateway examples for Node.js and Java.

  7. Choose the correct runtime from the Runtime drop-down menu.

  8. Choose Save.

  9. Note the full ARN for your function (in the upper right corner of the Lambda function pane). You'll need it when you create your cross-account Lambda integration.

Configure Cross-Account Lambda Integration

Once you have a Lambda integration function in a different account, you can use the API Gateway console to add it to your API in your first account.

Configuring your cross-account Lambda integration

  1. In the API Gateway console, choose your API.

  2. Choose Resources.

  3. In the Resources pane, choose the top-level GET method.

  4. In the Method Execution pane, choose Integration Request.

  5. For Integration type, choose Lambda Function.

  6. Check Use Lambda Proxy integration.

  7. Leave Lambda Region set to your account's region.

  8. For Lambda Function, copy/paste the full ARN for the Lambda function you created in your second account and choose the checkmark.

  9. You'll see a popup that says Add Permission to Lambda Function: You have selected a Lambda function from another account. Please ensure that you have the appropriate Function Policy on this function. You can do this by running the following AWS CLI command from account 123456789012:, followed by an aws lambda add-permission command string.

  10. Copy-paste the aws lambda add-permission command string into an AWS CLI window that is configured for your second account. This will grant your first account access to your second account's Lambda function.

  11. In the popup from the previous step in the Lambda console, choose OK.

  12. To see the updated policy for your function in the Lambda console, do the following:

    1. Choose your integration function.

    2. In the Designer pane, choose the key icon.

    In the Function policy pane, you should now see an Allow policy with a Condition clause in which the AWS:SourceArn is the ARN for your API's GET method.
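
The following is an added example, not part of the AWS guide: a Python check of the function policy described in step 12. It flags statements that let API Gateway invoke the function without an AWS:SourceArn condition, or with one that is not tied to the API's account and API ID. The policy document, the API account ID 111122223333, the API ID and the function name are constructed placeholders, and `audit` and `source_arns` are hypothetical helper names.

```python
import json

# Constructed sample function policy; account IDs, API ID and names are placeholders.
_BASE = {"Effect": "Allow", "Action": "lambda:InvokeFunction",
         "Principal": {"Service": "apigateway.amazonaws.com"},
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:example-fn"}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    dict(_BASE, Sid="scoped", Condition={"ArnLike": {"AWS:SourceArn":
        "arn:aws:execute-api:us-east-1:111122223333:abcdef1234/*/GET/"}}),
    dict(_BASE, Sid="unscoped"),
    dict(_BASE, Sid="wildcard-api", Condition={"ArnLike": {"AWS:SourceArn":
        "arn:aws:execute-api:us-east-1:*:*/*/*/*"}}),
]})

def source_arns(statement):
    """Collect AWS:SourceArn values under ArnLike/ArnEquals (names are case-insensitive)."""
    found = []
    for op, keys in statement.get("Condition", {}).items():
        if op.lower() not in ("arnlike", "arnequals"):
            continue
        for key, value in keys.items():
            if key.lower() == "aws:sourcearn":
                found += value if isinstance(value, list) else [value]
    return found

def audit(policy_json, api_account):
    """Return {Sid: [findings]} for statements that grant API Gateway invoke access."""
    report = {}
    for st in json.loads(policy_json)["Statement"]:
        principal = st.get("Principal")
        service = principal.get("Service") if isinstance(principal, dict) else None
        if st.get("Effect") != "Allow" or service != "apigateway.amazonaws.com":
            continue  # only statements granting API Gateway access are in scope
        findings = []
        arns = source_arns(st)
        if not arns:
            findings.append("no AWS:SourceArn condition")
        for arn in arns:
            parts = arn.split(":", 5)  # arn:aws:execute-api:region:account:api-id/...
            if len(parts) != 6 or parts[2] != "execute-api":
                findings.append("SourceArn is not an execute-api ARN")
                continue
            if parts[4] != api_account:
                findings.append("SourceArn account is not the API account")
            if "*" in parts[5].split("/")[0]:
                findings.append("SourceArn matches any API ID")
        report[st.get("Sid", "<no Sid>")] = findings
    return report

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_POLICY, "111122223333"), indent=2))
```

To run it against a real function, pass in the policy JSON shown in the Function policy pane and the account ID that owns the API.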