diff --git a/terraform/041-id-broker-search-lambda/assume-role-policy.json b/terraform/041-id-broker-search-lambda/assume-role-policy.json
new file mode 100644
index 00000000..3fd04221
--- /dev/null
+++ b/terraform/041-id-broker-search-lambda/assume-role-policy.json
@@ -0,0 +1,13 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "lambda.amazonaws.com",
+        "AWS": "${remote_role_arn}"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/terraform/041-id-broker-search-lambda/execute-policy.json b/terraform/041-id-broker-search-lambda/execute-policy.json
new file mode 100644
index 00000000..fbe33963
--- /dev/null
+++ b/terraform/041-id-broker-search-lambda/execute-policy.json
@@ -0,0 +1,13 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "lambda:InvokeFunction",
+        "lambda:InvokeAsync"
+      ],
+      "Resource": "${function_arn}",
+      "Effect": "Allow"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/terraform/041-id-broker-search-lambda/main.tf b/terraform/041-id-broker-search-lambda/main.tf
index 6032a44f..486f6398 100644
--- a/terraform/041-id-broker-search-lambda/main.tf
+++ b/terraform/041-id-broker-search-lambda/main.tf
@@ -2,6 +2,31 @@ data "http" "function-checksum" {
   url = "https://${var.function_bucket_name}.s3.amazonaws.com/${var.function_zip_name}.sum"
 }
 
+resource "aws_iam_role" "functionRole" {
+  name               = "${var.idp_name}-${var.app_name}-${var.app_env}-lambda-function-role"
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "",
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "lambda.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "AWSLambdaVPCAccessExecutionRole" {
+  role       = "${aws_iam_role.functionRole.name}"
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
+}
+
+
 resource "aws_lambda_function" "search" {
   s3_bucket        = "${var.function_bucket_name}"
   s3_key           = "${var.function_zip_name}"
@@ -9,7 +34,7 @@ resource "aws_lambda_function" "search" {
   function_name    = "${var.function_name}-${var.idp_name}"
   handler          = "${var.function_name}"
   memory_size      = "${var.memory_size}"
-  role             = "${var.role_arn}"
+  role             = "${aws_iam_role.functionRole.arn}"
   runtime          = "go1.x"
   timeout          = "${var.timeout}"
 
@@ -32,3 +57,28 @@ resource "aws_lambda_function" "search" {
     app_env  = "${var.app_env}"
   }
 }
+
+data "template_file" "assumeRolePolicy" {
+  template = "${file("${path.module}/assume-role-policy.json")}"
+  vars {
+    remote_role_arn = "${var.remote_role_arn}"
+  }
+}
+
+resource "aws_iam_role" "assumeRole" {
+  name               = "${var.idp_name}-${var.app_name}-${var.app_env}-lambda-remote-execute"
+  assume_role_policy = "${data.template_file.assumeRolePolicy.rendered}"
+}
+
+data "template_file" "executePolicy" {
+  template = "${file("${path.module}/execute-policy.json")}"
+  vars {
+    function_arn = "${aws_lambda_function.search.arn}"
+  }
+}
+
+resource "aws_iam_role_policy" "executePolicy" {
+  name   = "invoke-function"
+  role   = "${aws_iam_role.assumeRole.name}"
+  policy = "${data.template_file.executePolicy.rendered}"
+}
\ No newline at end of file
diff --git a/terraform/041-id-broker-search-lambda/outputs.tf b/terraform/041-id-broker-search-lambda/outputs.tf
index 40abd841..02ebd3fa 100644
--- a/terraform/041-id-broker-search-lambda/outputs.tf
+++ b/terraform/041-id-broker-search-lambda/outputs.tf
@@ -1,3 +1,7 @@
 output "function_arn" {
   value = "${aws_lambda_function.search.arn}"
 }
+
+output "role_arn_for_remote_execution" {
+  value = "${aws_iam_role.assumeRole.arn}"
+}
\ No newline at end of file
diff --git a/terraform/041-id-broker-search-lambda/vars.tf b/terraform/041-id-broker-search-lambda/vars.tf
index c60d1ffb..31064028 100644
--- a/terraform/041-id-broker-search-lambda/vars.tf
+++ b/terraform/041-id-broker-search-lambda/vars.tf
@@ -34,8 +34,8 @@ variable "memory_size" {
   default = "128"
 }
 
-variable "role_arn" {
-  type = "string"
+variable "remote_role_arn" {
+  description = "ARN to role from different AWS account to be given permission to invoke function"
 }
 
 variable "security_group_ids" {