Amazon DynamoDB across account access with VPC endpoints


Endpoints for Amazon DynamoDB are documented here: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-ddb.html

I don't see any mention of setting up cross-account access for Endpoints for Amazon DynamoDB. Is it supported? How can our customer achieve it?

AWS
asked 5 years ago · 4839 views
1 Answer
Accepted Answer

What you are trying to do is access a DynamoDB table in a different account. DynamoDB does not support Resource Based Policies (cf. S3, KMS, SQS, to name a few); the way you access DynamoDB is always with a principal of the account that provisioned the DynamoDB table resource. So, by assuming a role in the account with the table, you can access it.

Here is the process for cross-account role assume:

1: Create a role with access to the DynamoDB table in the DynamoDB account. I'll throw in a rough example of what the IAM setup would look like below; note the variables you need to fill in, marked with <> blocks:

DynamoDB Role Trust Policy:

```json
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": {
            "AWS": "arn:aws:iam::<AppAccountID>:root"
        }
    }
}
```

DynamoDB Role IAM Policy:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:List*",
                "dynamodb:DescribeReservedCapacity*",
                "dynamodb:DescribeLimits",
                "dynamodb:DescribeTimeToLive"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:BatchGet*",
                "dynamodb:DescribeStream",
                "dynamodb:DescribeTable",
                "dynamodb:Get*",
                "dynamodb:Query",
                "dynamodb:Scan",
                "dynamodb:BatchWrite*",
                "dynamodb:CreateTable",
                "dynamodb:Delete*",
                "dynamodb:Update*",
                "dynamodb:PutItem"
            ],
            "Resource": "arn:aws:dynamodb:*:*:table/<TableName>"
        }
    ]
}
```

2: Create a role in the other account that is allowed to assume the DynamoDB role:

IAM Policy for App Role:

```json
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::<DynamoDBAccountID>:role/<DynamoDBRoleName>"
    }
}
```

3: Assume the role in your app. Here is an example in Python:

AssumeRole.py

```python
import boto3


def assumerole(account, rolename):
    sts_client = boto3.client('sts')

    # Call the assume_role method of the STSConnection object and pass the role
    # ARN and a role session name.
    assumedRoleObject = sts_client.assume_role(
        RoleArn="arn:aws:iam::" + account + ":role/" + rolename,
        RoleSessionName=account + "-" + rolename.replace('/', '')
    )
    return assumedRoleObject
```

4: Run your DynamoDB commands with the assumed role's credentials.

As for the networking side, just make sure your VPC in the application account has a DynamoDB endpoint and you should be good to go.

answered 5 years ago
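Completing step 4 of the answer above, as an added example that is not part of the original answer: it turns the assumed role's temporary credentials into a DynamoDB client, and includes a small offline matcher for the `aws:SourceVpce` condition that the comment below places on the cross-account role. Account IDs, role name, table ARN and endpoint ID are placeholders, and the matcher is a simplified model of IAM evaluation, not the real thing.

```python
def role_policy_for_endpoint(table_arn, vpce_id, actions=("dynamodb:Scan",)):
    """Policy for the role in the DynamoDB account (assumption: one table,
    one endpoint): the listed actions are allowed only when the request
    arrived through the given VPC endpoint, as in the comment's policy."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(actions),
            "Resource": table_arn,
            "Condition": {"StringEquals": {"aws:SourceVpce": vpce_id}},
        }],
    }


def request_matches(policy, action, resource, source_vpce):
    """Offline approximation of IAM's Allow check for policies shaped like
    the one above: True only if an Allow statement names the action and
    resource AND its aws:SourceVpce condition matches. Deny statements,
    partial wildcards and other condition keys are not modelled."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if action not in acts and "*" not in acts:
            continue
        if st["Resource"] not in ("*", resource):
            continue
        want = st.get("Condition", {}).get("StringEquals", {}).get("aws:SourceVpce")
        if want is not None and want != source_vpce:
            continue  # request did not come through the expected endpoint
        return True
    return False


def dynamodb_client_via_role(dynamodb_account, rolename, region):
    """Step 4 of the answer: assume the cross-account role, then build a
    DynamoDB client from the temporary credentials (boto3 is imported
    here so the policy helpers above stay usable without it)."""
    import boto3
    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{dynamodb_account}:role/{rolename}",
        RoleSessionName=f"{dynamodb_account}-{rolename.replace('/', '')}",
    )["Credentials"]
    return boto3.client(
        "dynamodb", region_name=region,
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )
```

A request that reaches DynamoDB without traversing the named endpoint (for example over the public endpoint, where `aws:SourceVpce` is absent) fails the condition even though the principal is allowed to assume the role.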
  • But this doesn't answer the question for cross-account VPC endpoint.

    e.g. I have a DynamoDB table in account A and the AWS Lambda function in account B. I created a VPC endpoint for DynamoDB in account B. I have created a cross-account role in Account A for Account B, to access the DynamoDB table (created in Account A) from Account B via the AWS Lambda function. The cross-account role contains the following policy with a VPC endpoint condition (the endpoint created in Account B).

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "dynamodb:Scan",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "aws:SourceVpce": "vpce-xxxxxxxxxxxx"
                    }
                }
            }
        ]
    }
    

    The question is can we set up a cross-account VPC endpoint?
