- Newest
- Most votes
- Most comments
What you are trying to do is access a DynamoDB table in a different account. DynamoDB does not support Resource Based Policies (c.f. S3, KMS, SQS to name a few) the way you access DynamoDB is always with a principal of the account that provisioned the DynamoDB Table resource. So, by assuming a role in the account with the table you can access it.
Here is the process for cross-account role assume:
1: Create a role with access to the DynamoDB table in the DynamoDB account. I'll throw a rough example of what the IAM setup would look like below, note the variables you need to fill in in the <> blocks:
DynamoDB Role Trust Policy:
{ "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": { "AWS": "arn:aws:iam::<AppAccountID>:root" } } }
DynamoDB Role IAM Policy:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:List*", "dynamodb:DescribeReservedCapacity*", "dynamodb:DescribeLimits", "dynamodb:DescribeTimeToLive" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "dynamodb:BatchGet*", "dynamodb:DescribeStream", "dynamodb:DescribeTable", "dynamodb:Get*", "dynamodb:Query", "dynamodb:Scan", "dynamodb:BatchWrite*", "dynamodb:CreateTable", "dynamodb:Delete*", "dynamodb:Update*", "dynamodb:PutItem" ], "Resource": "arn:aws:dynamodb:*:*:table/<TableName>" } ] }
2: Create a role in the other account that is allowed to assume the DynamoDB role:
IAM Policy for App Role
{ "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::<DynamoDBAccountID>:role/<DynamoDBRoleName>" } }
3: Assume the role in your app. Here is an example in Python:
AssumeRole.py ` import boto3
def assumerole(account, rolename): sts_client = boto3.client('sts')
# Call the assume_role method of the STSConnection object and pass the role
# ARN and a role session name.
assumedRoleObject = sts_client.assume_role(
RoleArn="arn:aws:iam::" + account + ":role/" + rolename,
RoleSessionName=account + "-" + rolename.replace('/','')
)
return assumedRoleObject
`
4: Run your DynamoDB commands with the assumed role's credentials
As for the networking side, just make sure your VPC in the application account has a DynamoDB endpoint and you should be good to go.
Relevant content
- asked 2 years ago
- AWS OFFICIALUpdated 7 months ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 4 months ago
- AWS OFFICIALUpdated 3 months ago
- AWS OFFICIALUpdated a month ago
But this doesn't answer the question for cross-account VPC endpoint.
e.g. I have a dynamo DB in account A and the AWS lambda function in account B. Created a VPC endpoint for dynamo DB in account B. I have created a cross-account role in Account A for Account B, to access dynamo DB (Created in Account A) in Account B via the AWS Lambda function. The cross-account role contains the following policy with VPC endpoint condtion (created in Account B) conditions.
The question is can we set up a cross-account VPC endpoint?