Is it possible to access two tables within one lambda function while one of the tables is in the same account as the lambda function and the other is in another account?
I've seen articles on cross-account access delegation using IAM roles here and there. But I'm not sure how the code should reflect accessing a resource from another account. This is how I usually access some DynamoDb table:
const dynamodb = new AWS.DynamoDB();
const docClient = new AWS.DynamoDB.DocumentClient({ service: dynamodb });
docClient
.get({
TableName: 'SomeTable',
Key: { id }
});
Looking at the documentation, there's no mention of account ID in the constructor. So I'm not sure how I can have two connections at the same time, one pointing to one account and the other pointing to another account!?
Yes, it's possible to access 2 dynamoDb Tables (1 is in another AWS account) from same lambda function.
It's straight-forward to access the same Account's DynamoDB table.
dynamodb_client_of_same_account = boto3.client('dynamodb', region_name='us-east-1')
To access the Table of another AWS account, a new dynamoDb client needs to be created. You need to create cross account IAM Role and use STS to get temporary credentials. Follow the below steps to create cross account role.
AWS Account A has Lambda-----trying read/write on-----> AWS Account B with DynamoDB
Create an IAM Role in Account B to establish a Trust Relationship with Account A.
Go to IAM Role -------> Create Role ------> Select *Another AWS account *in the widget-----> Type AWS Account A Id and create the role
Don't forget to add DynamoDBAccess policy to this IAM Role.
Attach STS Assume Role policy to your AWS Lambda's Role in Account A
Create a new policy with below JSON and attach this policy to your Lambda Role.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "" } ] }
Use the below code to create a new client to access DynamoDB table in another account.
roleARN = '*<ARN of the role created in Step-1>*'
client = boto3.client('sts')
response = client.assume_role(RoleArn=roleARN,
RoleSessionName='RoleSessionName',
DurationSeconds=900)
dynamodb_client_for_other_account = boto3.client('dynamodb', region_name='us-east-1',
aws_access_key_id=response['Credentials']['AccessKeyId'],
aws_secret_access_key=response['Credentials']['SecretAccessKey'],
aws_session_token = response['Credentials']['SessionToken'])
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With