I have a Lambda function (call it Lambda A) that is currently deployed in an AWS account I consider "dev" and "test". I also have this Lambda function deployed in my "prod" account. Currently I am using the C# ASP.NET AWS SDK, where I have an API with an endpoint that receives a log group name in a POST request (and some other data) and then makes a PutSubscriptionFilter request to Lambda A. When I am in the Dev and Test version of my web app that is making this request to PutSubscriptionFilter, everything works great. The issue is, in prod (which is using the exact same config, just in another AWS account), I get this error: "Unknown error: Cross-account lambda invocation passing is not allowed. You must use DestinationPolicies to create cross account lambda triggers."
Now, I already went down the rabbit hole, and it seems like this is actually a false error. It doesn't seem like this is possible, trying to put a filter cross-account. This makes sense, but what I don't understand is that I don't think I am doing that. The way (I think) my code is set up, I shouldn't even be trying to make a cross-account subscription, because when I'm in prod, I target the prod Lambda using the prod account credentials... here is a snippet of my code. For reference, the Lambda in prod has a different name and added suffixes compared to the ones in dev and test, hence my extra logic there.
using System;
using System.Threading;
using System.Threading.Tasks;
using Amazon.CloudWatchLogs;
using Amazon.CloudWatchLogs.Model;

// _cloudWatchLogs is assumed to be an injected IAmazonCloudWatchLogs client
// (field declaration not shown in the original snippet).
private readonly IAmazonCloudWatchLogs _cloudWatchLogs;

private async Task AddSubscriptionFilter(string logGroupName, string env, CancellationToken cancellationToken)
{
    var environmentName = Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT") ?? "Production";

    // Set AWS account id based on the environment
    string accountNumber = environmentName.Equals("Production", StringComparison.OrdinalIgnoreCase)
        ? "**PROD-ID***"
        : "**DEV+TEST-ID***";

    // Determine the function suffix only if in production environment
    string functionSuffix = string.Empty;
    if (environmentName.Equals("Production", StringComparison.OrdinalIgnoreCase))
    {
        // Only add the second env suffix if in production
        functionSuffix = env switch
        {
            "Prod" => "*****Prod",
            "Dev" => "*****Dev",
            "Test" => "*****Test",
            _ => "*****Prod"
        };
    }

    // Build the DestinationArn dynamically
    var destinationArn = string.IsNullOrEmpty(functionSuffix)
        ? $"arn:aws:lambda:us-******:{accountNumber}:function:***FunctionName***-{environmentName}"
        : $"arn:aws:lambda:us-******:{accountNumber}:function:***FunctionName***-{environmentName}-{functionSuffix}";

    var putFilterRequest = new PutSubscriptionFilterRequest
    {
        LogGroupName = logGroupName,
        FilterName = $"LambdaFilter-*********",
        FilterPattern = "", // no pattern, return all logs
        DestinationArn = destinationArn,
        Distribution = Distribution.ByLogStream
    };

    await _cloudWatchLogs.PutSubscriptionFilterAsync(putFilterRequest, cancellationToken);
}
Some data I have excluded for privacy reasons, by using *.
I have not tried a whole lot yet, mostly because I don't know how to resolve the issue, and can't find anyone else who has either; that's why I am making this post.
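The error message names one specific condition: the account in the DestinationArn is not the account the request is made from. A guard that makes that condition visible before the PutSubscriptionFilter call is shown below. This is an added example, not code from the question: it resolves the calling account with STS GetCallerIdentity and compares it (and the region) with the fields parsed out of the destination ARN, refusing the call with an explicit reason when they differ. The class name SubscriptionFilterGuard, the method names, and the fake account IDs 111111111111 and 222222222222 are all constructed for the example; it assumes the AWSSDK.Core, AWSSDK.SecurityToken and AWSSDK.CloudWatchLogs packages.

```csharp
// Added example (not from the original question): verify that the credentials
// in use resolve to the same AWS account (and region) that the DestinationArn
// names before calling PutSubscriptionFilter.
// Assumes packages AWSSDK.Core, AWSSDK.SecurityToken and AWSSDK.CloudWatchLogs.
using System;
using System.Threading;
using System.Threading.Tasks;
using Amazon;
using Amazon.CloudWatchLogs;
using Amazon.CloudWatchLogs.Model;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;

public static class SubscriptionFilterGuard
{
    // Pure check: parse the ARN and compare its account/region fields with the
    // caller's. Returns null when everything matches, otherwise a reason string.
    public static string? MismatchReason(string destinationArn, string callerAccountId, string callerRegion)
    {
        if (!Arn.TryParse(destinationArn, out var arn))
            return $"'{destinationArn}' is not a valid ARN";
        if (arn.Service != "lambda")
            return $"destination service is '{arn.Service}', expected 'lambda'";
        if (arn.AccountId != callerAccountId)
            return $"destination account {arn.AccountId} differs from caller account {callerAccountId}";
        if (arn.Region != callerRegion)
            return $"destination region {arn.Region} differs from client region {callerRegion}";
        return null;
    }

    // Live check: resolve the calling account with STS GetCallerIdentity, run the
    // pure check, and only then create the subscription filter.
    public static async Task PutSubscriptionFilterSameAccountAsync(
        IAmazonSecurityTokenService sts,
        IAmazonCloudWatchLogs logs,
        string logGroupName,
        string destinationArn,
        CancellationToken cancellationToken)
    {
        var identity = await sts.GetCallerIdentityAsync(new GetCallerIdentityRequest(), cancellationToken);
        var clientRegion = logs.Config.RegionEndpoint?.SystemName ?? "unknown";

        var reason = MismatchReason(destinationArn, identity.Account, clientRegion);
        if (reason != null)
            throw new InvalidOperationException($"Refusing cross-account subscription filter: {reason}");

        await logs.PutSubscriptionFilterAsync(new PutSubscriptionFilterRequest
        {
            LogGroupName = logGroupName,
            FilterName = "LambdaFilter",
            FilterPattern = "", // no pattern, forward all events
            DestinationArn = destinationArn,
            Distribution = Distribution.ByLogStream
        }, cancellationToken);
    }

    // Offline demonstration of the pure check with constructed, fake account IDs.
    public static void Main()
    {
        const string caller = "111111111111";

        // Same account and region: no mismatch reported.
        Console.WriteLine(MismatchReason(
            "arn:aws:lambda:us-east-1:111111111111:function:LambdaA-Production", caller, "us-east-1") ?? "ok");

        // Different account in the ARN: this is the case the service rejects.
        Console.WriteLine(MismatchReason(
            "arn:aws:lambda:us-east-1:222222222222:function:LambdaA-Production", caller, "us-east-1"));
    }
}
```

Logging the result of GetCallerIdentity next to the ARN being built is also the quickest way to confirm, per environment, whether the hard-coded account number and the credentials the deployed app actually picks up agree; the guard simply turns that comparison into a hard stop with a clear message instead of the generic service error.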