By using AWS re:Post, you agree to the Terms of Use

Amazon DynamoDB across account access with VPC endpoints


Endpoints for Amazon DynamoDB is documented here

I don't see any mention of setting up cross account access for Endpoints for Amazon DynamoDB, is it supported? How can our customer achieve it?

1 Answer
Accepted Answer

What you are trying to do is access a DynamoDB table in a different account. DynamoDB does not support Resource Based Policies (c.f. S3, KMS, SQS to name a few) the way you access DynamoDB is always with a principal of the account that provisioned the DynamoDB Table resource. So, by assuming a role in the account with the table you can access it.

Here is the process for cross-account role assume:

1: Create a role with access to the DynamoDB table in the DynamoDB account. I'll throw a rough example of what the IAM setup would look like below, note the variables you need to fill in in the <> blocks:

DynamoDB Role Trust Policy:

{ "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": { "AWS": "arn:aws:iam::<AppAccountID>:root" } } }

DynamoDB Role IAM Policy:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:List*", "dynamodb:DescribeReservedCapacity*", "dynamodb:DescribeLimits", "dynamodb:DescribeTimeToLive" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "dynamodb:BatchGet*", "dynamodb:DescribeStream", "dynamodb:DescribeTable", "dynamodb:Get*", "dynamodb:Query", "dynamodb:Scan", "dynamodb:BatchWrite*", "dynamodb:CreateTable", "dynamodb:Delete*", "dynamodb:Update*", "dynamodb:PutItem" ], "Resource": "arn:aws:dynamodb:*:*:table/<TableName>" } ] }

2: Create a role in the other account that is allowed to assume the DynamoDB role:

IAM Policy for App Role

{ "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::<DynamoDBAccountID>:role/<DynamoDBRoleName>" } }

3: Assume the role in your app. Here is an example in Python: ` import boto3

def assumerole(account, rolename): sts_client = boto3.client('sts')

# Call the assume_role method of the STSConnection object and pass the role
# ARN and a role session name.
assumedRoleObject = sts_client.assume_role(
    RoleArn="arn:aws:iam::" + account + ":role/" + rolename,
    RoleSessionName=account + "-" + rolename.replace('/','')
return assumedRoleObject


4: Run your DynamoDB commands with the assumed role's credentials

As for the networking side, just make sure your VPC in the application account has a DynamoDB endpoint and you should be good to go.

answered 3 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions