2 Antworten
- Neueste
- Die meisten Stimmen
- Die meisten Kommentare
1
To allow an application in AWS Account1 to access a DynamoDB table in Account2 without role-chaining, follow these steps:
- Create an IAM Role in Account1: This role is for your application, with a trust relationship allowing it to assume the role.
Trusted Policy (example):
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::Account1-ID:role/Role1" }, "Action": "sts:AssumeRole" } ] }
permission policy (example):
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::Account2-ID:role/Role2" } ] }
- Grant Access in Account2:
- Modify the IAM policy attached to the DynamoDB table in Account2.
- Include a statement in the policy that allows the IAM role from Account1 access to the table. Use the role's ARN in the
Principalfield and specify the actions (e.g.,dynamodb:GetItem,PutItem) your application needs.
Trusted policy (example):
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::Account1-ID:role/Role1" }, "Action": "sts:AssumeRole" } ] }
Permission policy (example):
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::Account2-ID:role/Role2" }, "Action": [ "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem" ], "Resource": "arn:aws:dynamodb:Region:Account2-ID:table/YourTableName" } ] }
1
Hello,
Below are the links to the official documentation that address your issue, please have a look -
https://docs.aws.amazon.com/glue/latest/dg/aws-glue-programming-etl-dynamo-db-cross-account.html https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/configure-cross-account-access-to-amazon-dynamodb.html
Thanks
beantwortet vor 3 Monaten
Relevanter Inhalt
AWS OFFICIALAktualisiert vor 2 Jahren