Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Accessing two tables from different accounts within the same lambda function

Is it possible to access two tables within one lambda function while one of the tables is in the same account as the lambda function and the other is in another account?

I've seen articles on cross-account access delegation using IAM roles here and there. But I'm not sure how the code should reflect accessing a resource from another account. This is how I usually access some DynamoDb table:

const dynamodb = new AWS.DynamoDB();
const docClient = new AWS.DynamoDB.DocumentClient({ service: dynamodb });
docClient
  .get({
    TableName: 'SomeTable',
    Key: { id }
  });

Looking at the documentation, there's no mention of account ID in the constructor. So I'm not sure how I can have two connections at the same time, one pointing to one account and the other pointing to another account!?

like image 663
Mehran Avatar asked Dec 24 '22 01:12

Mehran


1 Answers

Yes, it's possible to access 2 dynamoDb Tables (1 is in another AWS account) from same lambda function.

It's straight-forward to access the same Account's DynamoDB table.

dynamodb_client_of_same_account = boto3.client('dynamodb', region_name='us-east-1')

To access the Table of another AWS account, a new dynamoDb client needs to be created. You need to create cross account IAM Role and use STS to get temporary credentials. Follow the below steps to create cross account role.

AWS Account A has Lambda-----trying read/write on-----> AWS Account B with DynamoDB

Create an IAM Role in Account B to establish a Trust Relationship with Account A.

  1. Go to IAM Role -------> Create Role ------> Select *Another AWS account *in the widget-----> Type AWS Account A Id and create the role

  2. Don't forget to add DynamoDBAccess policy to this IAM Role.

Attach STS Assume Role policy to your AWS Lambda's Role in Account A

  1. Create a new policy with below JSON and attach this policy to your Lambda Role.

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "" } ] }

  2. Use the below code to create a new client to access DynamoDB table in another account.

    roleARN = '*<ARN of the role created in Step-1>*'
    client = boto3.client('sts')
    response = client.assume_role(RoleArn=roleARN, 
                                  RoleSessionName='RoleSessionName', 
                                  DurationSeconds=900)
    
    dynamodb_client_for_other_account = boto3.client('dynamodb', region_name='us-east-1',
                aws_access_key_id=response['Credentials']['AccessKeyId'],
                aws_secret_access_key=response['Credentials']['SecretAccessKey'],
                aws_session_token = response['Credentials']['SessionToken'])
    
like image 149
singh30 Avatar answered Feb 09 '23 00:02

singh30