amazon-web-servicesamazon-s3amazon-dynamodbdevopsaws-codebuild
Export DynamoDB to S3 to another account using Codebuild
I've created a codebuild to run the following command.
aws dynamodb export-table-to-point-in-time \
--table-arn arn:aws:dynamodb:REDACTED:REDACTED:table/REDACTED \
--s3-bucket REDACTED \
--s3-bucket-owner REDACTED
I've also created a service-role and attached the following inline policy.
{
"Sid": "",
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::REDACTED/*",
"arn:aws:s3:::REDACTED"
]
}
Finally, I've updated the S3 bucket to allow the service-role to write to the bucket:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::REDACTED:role/service-role/REDACTED"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::REDACTED/*",
"arn:aws:s3:::REDACTED"
]
}
]
}
The codebuild invokes the command correctly, but the export fails because of permissions.
[Container] 2022/03/08 11:50:42 Running command aws dynamodb export-table-to-point-in-time \
--table-arn arn:aws:dynamodb:REDACTED:REDACTED:table/REDACTED \
--s3-bucket REDACTED \
--s3-bucket-owner REDACTED
{
"ExportDescription": {
"ExportArn": "arn:aws:dynamodb:REDACTED:REDACTED:table/REDACTED/export/REDACTED",
"ExportStatus": "IN_PROGRESS",
"StartTime": "2022-03-08T11:50:46.714000+00:00",
"TableArn": "arn:aws:dynamodb:REDACTED:REDACTED:table/REDACTED",
"TableId": "REDACTED",
"ExportTime": "2022-03-08T11:50:46.714000+00:00",
"ClientToken": "REDACTED",
"S3Bucket": "REDACTED",
"S3BucketOwner": "REDACTED",
"S3SseAlgorithm": "AES256",
"ExportFormat": "DYNAMODB_JSON"
}
}
[Container] 2022/03/08 11:50:46 Phase complete: BUILD State: SUCCEEDED
If I invoke from the AWS Console (i.e. as my user) I am able to export cross account. But using codebuild and the command above, it fails.
What am I missing?
Solution
I fixed this.
The issue was referencing the wrong accountId within the aws dynamodb export-table-to-point-in-time CLI command.
- How to use MFA with AWS CLI?
- How do I get the URL for the item using the Amazon API
- How to make links work with exported sites when hosted on AWS Cloudfront?
- Error launching CloudFormation Template for CloudHSM
- Glacier as Resource in CloudFormation template?
- how to secure keys for API calls from android device to amazon services
- Why is this IAM policy denying access with an MFA session?
- AWS Lambda Function Trigger API Gateway Issue
- GetMyFeesEstimate API Amazon vba
- AWS Cloudformation !Ref SecurityGroup returns an invalid ID
- How to set up AWS Client VPN with Keycloak as IdP
- How to view/identify which process taking how much memory?
- using bottlenose in python to extract product price from Amazon in different locale
- Unable to delete cfn stack, role is invalid or cannot be assumed
- How to Set Up Account Linking for a Skill using Alexa API from Amazon?
- GitHub actions "aws: not found" error on ubuntu-latest with Godot CI
- Download file from S3 to Rails 4 app
- Cloudfront (CDN) with Internal Application Load Balancer
- Connecting private load balancer to cloud front distribution?
- Request to Amazon API with delphi : Got HTTP/1.1 403 Forbidden
- Amazon QuickSight Connects Over Internet Instead of VPC to Public Redshift Cluster
- Shift Lambda infrastructure to ECS
- IAM policy to allow EC2 instance API access only to modify itself
- How to match these 2 tables?
- What is the best way of getting files from AWS S3, inserting them into zip and uploading that zip to the bucket?
- What does this mean? An error occurred (SignatureDoesNotMatch) when calling the GetCallerIdentity operation: Signature expired
- AWS ElastiCache in cluster mode has no Primary / Reader endpoints
- How to query: filtering on multiple primary partition keys and range on primary sort key
- How can I get boto3 script to run as a Lambda function?
- Testing AWS CDK Applications Locally