How do you allow an external role to access your AWS resource directly?



Here's the setup:

We both manage two AWS accounts (Account1 and Account2). In Account1, we have an application that will assume a role to access a DynamoDB table in Account2. How do we grant permission to the (external) role directly to the DynamoDB table? We understand that role-chaining is the suggested approach, but it is not a possibility for us right now for some reason.

2 Answers

To allow an application in AWS Account1 to access a DynamoDB table in Account2 without role-chaining, follow these steps:

  1. Create an IAM Role in Account1: This role is for your application, with a trust relationship allowing it to assume the role.

Trusted Policy (example):

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::Account1-ID:role/Role1"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }

Permission policy (example):

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::Account2-ID:role/Role2"
      }
    ]
  }

  2. Grant Access in Account2:
    • Modify the IAM policy attached to the DynamoDB table in Account2.
    • Include a statement in the policy that allows the IAM role from Account1 access to the table. Use the role's ARN in the Principal field and specify the actions (e.g., dynamodb:GetItem, PutItem) your application needs.

Trusted policy (example):

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::Account1-ID:role/Role1"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }

Permission policy (example):

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::Account2-ID:role/Role2"
                },
                "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
                "Resource": "arn:aws:dynamodb:Region:Account2-ID:table/YourTableName"
            }
        ]
    }
answered 3 months ago
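An added example (not part of the answer above, and not AWS's own code): a Python sketch of the direct grant described in the answer's second step, where the table's resource-based policy in Account2 names the Account1 role in the Principal field and the role's own identity policy allows the same actions. The account IDs, region and helper names are constructed placeholders, and the lint rules are this example's assumptions about what a reviewer would flag before attaching the policy.

```python
import json

# Constructed placeholder values; substitute your own account IDs, region and names.
ACCOUNT1_ID = "111111111111"   # account that owns Role1 (the application)
ACCOUNT2_ID = "222222222222"   # account that owns the DynamoDB table
ROLE1_ARN = f"arn:aws:iam::{ACCOUNT1_ID}:role/Role1"
TABLE_ARN = f"arn:aws:dynamodb:us-east-1:{ACCOUNT2_ID}:table/YourTableName"
ACTIONS = ["dynamodb:GetItem", "dynamodb:PutItem"]

def table_resource_policy(principal_arn, table_arn, actions):
    """Resource-based policy for the table in Account2 (attached via PutResourcePolicy)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": list(actions),
        "Resource": table_arn,
    }]}

def role_identity_policy(table_arn, actions):
    """Identity policy on Role1 in Account1; cross-account access needs both sides."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": list(actions), "Resource": table_arn,
    }]}

def lint_resource_policy(policy, expected_principal, table_arn):
    """Return findings for Allow statements broader than the intended grant."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else list(aws or [])
        if "*" in aws:
            findings.append(f"statement {i}: wildcard principal")
        elif any(p != expected_principal for p in aws):
            findings.append(f"statement {i}: unexpected principal")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any("*" in a for a in actions):
            findings.append(f"statement {i}: wildcard action")
        if stmt.get("Resource") != table_arn:
            findings.append(f"statement {i}: resource is not the table ARN")
    return findings

if __name__ == "__main__":
    policy = table_resource_policy(ROLE1_ARN, TABLE_ARN, ACTIONS)
    print(json.dumps(policy, indent=2), lint_resource_policy(policy, ROLE1_ARN, TABLE_ARN))
```

Running the lint over the table's current policy before and after a change shows whether the grant is still limited to the one external role and the listed actions.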
