7

Is it possible to access two tables within one lambda function while one of the tables is in the same account as the lambda function and the other is in another account?

I've seen articles on cross-account access delegation using IAM roles here and there. But I'm not sure how the code should reflect accessing a resource from another account. This is how I usually access some DynamoDb table:

const dynamodb = new AWS.DynamoDB();
const docClient = new AWS.DynamoDB.DocumentClient({ service: dynamodb });
docClient
  .get({
    TableName: 'SomeTable',
    Key: { id }
  });

Looking at the documentation, there's no mention of account ID in the constructor. So I'm not sure how I can have two connections at the same time, one pointing to one account and the other pointing to another account!?

Mehran
  • 15,593
  • 27
  • 122
  • 221
  • Possible duplicate of [AWS: Boto3: AssumeRole example which includes role usage](https://stackoverflow.com/questions/44171849/aws-boto3-assumerole-example-which-includes-role-usage) – ydaetskcoR Feb 14 '19 at 14:11
  • @ydaetskcoR I honestly don't see how that question has anything to do with mine! Maybe because that question is in Python and mine is in Nodejs. But that does not help me at all. – Mehran Feb 14 '19 at 14:24

2 Answers2

14

Yes, it's possible to access 2 dynamoDb Tables (1 is in another AWS account) from same lambda function.

It's straight-forward to access the same Account's DynamoDB table.

dynamodb_client_of_same_account = boto3.client('dynamodb', region_name='us-east-1')

To access the Table of another AWS account, a new dynamoDb client needs to be created. You need to create cross account IAM Role and use STS to get temporary credentials. Follow the below steps to create cross account role.

AWS Account A has Lambda-----trying read/write on-----> AWS Account B with DynamoDB

Create an IAM Role in Account B to establish a Trust Relationship with Account A.

  1. Go to IAM Role -------> Create Role ------> Select *Another AWS account *in the widget-----> Type AWS Account A Id and create the role

  2. Don't forget to add DynamoDBAccess policy to this IAM Role.

Attach STS Assume Role policy to your AWS Lambda's Role in Account A

  1. Create a new policy with below JSON and attach this policy to your Lambda Role.

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "" } ] }

  2. Use the below code to create a new client to access DynamoDB table in another account.

    roleARN = '*<ARN of the role created in Step-1>*'
client = boto3.client('sts')
response = client.assume_role(RoleArn=roleARN, 
                              RoleSessionName='RoleSessionName', 
                              DurationSeconds=900)

dynamodb_client_for_other_account = boto3.client('dynamodb', region_name='us-east-1',
            aws_access_key_id=response['Credentials']['AccessKeyId'],
            aws_secret_access_key=response['Credentials']['SecretAccessKey'],
            aws_session_token = response['Credentials']['SessionToken'])
singh30
  • 1,335
  • 17
  • 22
-1

you could create a IAM user on the second account,
add DynamoDB permissions and get access/key secret for it
and then:

const dynamodb1 = new AWS.DynamoDB();
const dynamodb2 = new AWS.DynamoDB({
    accessKeyId:     'x',
    secretAccessKey: 'y',
    region: 'z',
})

dynamodb1 will work with the role permissions from lambda
and dynamodb2 with the IAM user from the second account

Adrian Praja
  • 402
  • 2
  • 5
  • 1
    You could do this, and it would work, but it's not the best practice. The solution is to delegate access across AWS accounts using IAM roles. – jarmod Feb 14 '19 at 16:49