Search code examples
amazon-web-servicesamazon-dynamodb

Accessing two tables from different accounts within the same lambda function

Is it possible to access two tables within one lambda function while one of the tables is in the same account as the lambda function and the other is in another account?

I've seen articles on cross-account access delegation using IAM roles here and there. But I'm not sure how the code should reflect accessing a resource from another account. This is how I usually access some DynamoDb table:

const dynamodb = new AWS.DynamoDB();
const docClient = new AWS.DynamoDB.DocumentClient({ service: dynamodb });
docClient
  .get({
    TableName: 'SomeTable',
    Key: { id }
  });

Looking at the documentation, there's no mention of account ID in the constructor. So I'm not sure how I can have two connections at the same time, one pointing to one account and the other pointing to another account!?

Solution

  • Yes, it's possible to access 2 dynamoDb Tables (1 is in another AWS account) from same lambda function.

    It's straight-forward to access the same Account's DynamoDB table.

    dynamodb_client_of_same_account = boto3.client('dynamodb', region_name='us-east-1')

    To access the Table of another AWS account, a new dynamoDb client needs to be created. You need to create cross account IAM Role and use STS to get temporary credentials. Follow the below steps to create cross account role.

    AWS Account A has Lambda-----trying read/write on-----> AWS Account B with DynamoDB

    Create an IAM Role in Account B to establish a Trust Relationship with Account A.

    1. Go to IAM Role -------> Create Role ------> Select *Another AWS account *in the widget-----> Type AWS Account A Id and create the role

    2. Don't forget to add DynamoDBAccess policy to this IAM Role.

    Attach STS Assume Role policy to your AWS Lambda's Role in Account A

    1. Create a new policy with below JSON and attach this policy to your Lambda Role.

      { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "" } ] }

    2. Use the below code to create a new client to access DynamoDB table in another account.

      roleARN = '*<ARN of the role created in Step-1>*'
client = boto3.client('sts')
response = client.assume_role(RoleArn=roleARN, 
                              RoleSessionName='RoleSessionName', 
                              DurationSeconds=900)

dynamodb_client_for_other_account = boto3.client('dynamodb', region_name='us-east-1',
            aws_access_key_id=response['Credentials']['AccessKeyId'],
            aws_secret_access_key=response['Credentials']['SecretAccessKey'],
            aws_session_token = response['Credentials']['SessionToken'])