将AWS Lambda代码存储桶指向不同帐户中的存储桶

我需要在不同的AWS帐户中部署相同的lambda。为了避免有两个内容相同的代码桶，我想指出，比方说account B lambda，account A S3代码桶。我在AWS论坛上尝试了几种方法和技巧，但都没有成功。以下是我正在使用的配置，作为Cloudformation模板。

这是lambda的角色：

AWSTemplateFormatVersion: '2010-09-09'
Description: 'lambda role'
Resources:
LambdaExecutionRole:
Type: AWS::IAM::Role
Properties:
RoleName: LambdaRole
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action:
- sts:AssumeRole
Path: "/"
Policies:
- PolicyName: LambdaFullAccess
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- "longListOfActions"
- "s3:*"
Resource: 
- '*'
Outputs: 
LambdaRoleARN: 
Value: 
Fn::GetAtt: 
- "LambdaExecutionRole"
- "Arn"

这是Lambda模板：

AWSTemplateFormatVersion: '2010-09-09'
Description: Lambda for subscriptions
Parameters:
LambdaBucket:
Type: String
TheRoleARN:
Type: String
Resources:
MyLambda:
Type: AWS::Lambda::Function
Properties:
Runtime: java11
FunctionName: handler
MemorySize: 3008
Timeout: 180
Role: !Ref 'TheRoleARN'
Handler: com.project.Handler
Code:
S3Bucket: !Ref 'LambdaBucket'
S3Key: handler.jar

最后，这里是账户A的bucket策略：

{
"Version": "2012-10-17",
"Id": "Policy1608150492429",
"Statement": [
{
"Sid": "Stmt1608150488840",
"Effect": "Allow",
"Principal": {
"AWS": "Account-B-Lambda-Role-ARN"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::the-code-bucket/*"
}
]
}

总之，以下是我遵循的步骤：

• 在帐户B上创建lambda角色
• 在帐户a上添加具有帐户B lambda角色的bucket策略
• 尝试在帐户B上创建lambda，导致失败：

Your access has been denied by S3, please make sure your request credentials have permission to GetObject for the-code-bucket/handler.jar. S3 Error Code: AccessDenied. S3 Error Message: Access Denied (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException; Request ID: abd49370-e172-4fc9-9348-804cc7ff5e23; Proxy: null)

这显然是一个权限问题。欢迎提出任何建议。

谢谢。