
I have a Node.js service running on an EC2 instance in account A. In addition, I have a DynamoDB table in account B.

I want to query the table in account B, but by default the package only takes a tableName and queries the current account.

Is it possible to add something like accountId to the AWS Config?

        dynamo.AWS.config.update({region: process.env.DYNAMO_DB_REGION});


What you can do is create a role which has access to the DynamoDB table in the other account, and grant permission in the first account (the one the EC2 instance is in) to assume that role. Then you can perform queries on the other account's DynamoDB table with the created role's credentials by assuming the role.

I did find a reference which includes a Lambda function as an example; you can apply a similar pattern for your Node.js service on EC2. Please refer to https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/configure-cross-account-access-to-amazon-dynamodb.html.

  • First of all, thank you very much for the fast response. I do have a question about the code itself. In order to query the other account, I need to provide those params on the client config: aws_access_key_id=KEY_ID, aws_secret_access_key=ACCESS_KEY, aws_session_token=TOKEN. Aren't they temporary? We only set them in the ctor; won't they expire? – Nitzan S Feb 09 '22 at 13:38
  • You do not need to hardcode them. You will need to use STS. Use your default credentials to assume the role, and then query the table. If you do not know about roles, they are a way to provide dynamic credentials to your code so that you don't have to hard-code them. Refer to https://stackoverflow.com/questions/45989042/using-profile-that-assume-role-in-aws-sdk-aws-javascript-sdk for code. To learn more about roles, refer to https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html – Shubham Soni Feb 09 '22 at 13:43
  • Thanks again! I'm familiar with IAM roles, but the difference between code that is running on EC2 and Lambdas is that in the Lambda, dynamodb_client = boto3.client('dynamodb', [credentials]) will happen every time, so the STS AssumeRole will happen every time, but in the 'normal' code that I ran until now, the credentials came from the IAM role. So maybe this is what I'm missing? Won't it be much slower to get credentials for every single request? Thank you so much! – Nitzan S Feb 09 '22 at 14:00
  • Okay, in my opinion, you can develop a separate module through which you save the timestamp when you generated the credential and the time of the current request. If the difference has exceeded the validity time of the credential, then you can generate another credential; otherwise use the same one. The validity time of the credentials you can configure in your STS request. – Shubham Soni Feb 09 '22 at 14:04
  • That was my thought as well. Thank you so so much!! much appreciated! – Nitzan S Feb 09 '22 at 14:14
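The assume-role-then-cache pattern the answer and comments describe, written out as an added example (not code from the question, the answer, or the AWS SDK). The `assumeRoleFn` argument is an assumption of this example: an injected function that performs the STS AssumeRole call and resolves to `{ accessKeyId, secretAccessKey, sessionToken, expiration }`; in the real service it would wrap `sts.assumeRole(params).promise()` with the instance role as the caller. The role ARN, account id and the fake STS stub are constructed placeholders so the block runs offline. The cache hands out the same temporary credentials while they are valid, refreshes them a few minutes before expiry, and collapses concurrent refreshes into one STS call, so the per-request cost the comments worry about disappears without ever hard-coding a key.

```javascript
// Added example (not from the question or answer): a small credential cache
// implementing the pattern from the comments above, for a Node.js service on
// EC2 that must query a DynamoDB table in another account.
// `assumeRoleFn` is an injected function (an assumption of this example) that
// performs the STS AssumeRole call and resolves to
// { accessKeyId, secretAccessKey, sessionToken, expiration: Date }.
// In production it would wrap sts.assumeRole(params).promise() from the AWS SDK;
// here a constructed stub stands in so the block runs offline.

const REFRESH_MARGIN_MS = 5 * 60 * 1000; // renew 5 minutes before expiry

// Pure check: is this credential set expired or inside the refresh margin?
function isExpiringSoon(expiration, nowMs) {
  return expiration.getTime() - nowMs <= REFRESH_MARGIN_MS;
}

class CachedAssumedRoleCredentials {
  constructor(assumeRoleFn, { roleArn, sessionName, durationSeconds = 3600, now = Date.now }) {
    this.assumeRoleFn = assumeRoleFn;
    this.roleArn = roleArn;
    this.sessionName = sessionName;
    this.durationSeconds = durationSeconds;
    this.now = now;          // injectable clock so the expiry logic is testable
    this.cached = null;      // last credential set returned by STS
    this.inflight = null;    // de-duplicates concurrent refreshes
    this.refreshCount = 0;   // how many times STS was actually called
  }

  // Returns a valid credential set, calling STS only when the cached one is
  // missing or about to expire. Concurrent callers share one STS call.
  async get() {
    if (this.cached && !isExpiringSoon(this.cached.expiration, this.now())) {
      return this.cached;
    }
    if (!this.inflight) {
      this.inflight = this.assumeRoleFn({
        RoleArn: this.roleArn,
        RoleSessionName: this.sessionName,
        DurationSeconds: this.durationSeconds,
      })
        .then((creds) => {
          if (!(creds.expiration instanceof Date)) {
            throw new Error('assumeRoleFn must return an expiration Date');
          }
          this.cached = creds;
          this.refreshCount += 1;
          return creds;
        })
        .finally(() => { this.inflight = null; });
    }
    return this.inflight;
  }
}

// Constructed stand-in for STS: issues a new credential set per call whose
// expiry is DurationSeconds after the injected clock's "now".
function makeFakeAssumeRole(clock) {
  let calls = 0;
  return async (params) => {
    calls += 1;
    return {
      accessKeyId: `ASIAEXAMPLE${calls}`,        // placeholder, not a real key
      secretAccessKey: `example-secret-${calls}`,
      sessionToken: `example-token-${calls}`,
      expiration: new Date(clock.now() + params.DurationSeconds * 1000),
    };
  };
}

// Walk the cache through its states: fresh -> reused -> refreshed near expiry.
async function demo() {
  const clock = { t: 1700000000000, now() { return this.t; } };
  const provider = new CachedAssumedRoleCredentials(makeFakeAssumeRole(clock), {
    roleArn: 'arn:aws:iam::222222222222:role/DynamoReadRole', // placeholder role in account B
    sessionName: 'ec2-node-service',
    durationSeconds: 900,
    now: () => clock.now(),
  });
  const first = await provider.get();
  const second = await provider.get();      // still valid: no STS call
  clock.t += 800 * 1000;                    // 800 s later: inside the 5-minute margin
  const third = await provider.get();       // refreshed: new token
  return { first, second, third, refreshCount: provider.refreshCount };
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().then((r) => console.log(r.first.sessionToken, r.third.sessionToken, r.refreshCount));
}
```

In the real service the credentials returned by `get()` are passed to the DynamoDB client configured for account B's region, and the role in account B should allow only the actions and table ARN the service needs (for example `dynamodb:Query` on that one table), with its trust policy naming the EC2 instance role in account A. Note that the AWS SDK already ships this refresh behaviour: `AWS.ChainableTemporaryCredentials` in the v2 SDK and `fromTemporaryCredentials` from `@aws-sdk/credential-providers` in v3 both assume a role from the instance credentials and renew before expiry, so the hand-rolled cache above mainly serves to make the expiry and de-duplication logic visible.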