I have an AWS ECS EC2 instance in one account and it is trying to access the DynamoDB tables in another AWS account. I am not using any AWS access key and ID; instead I am using an AWS IAM role attached to the EC2 instance.
This is a .NET project and my appsettings.Staging.json is this:
{
  "aws": {
    "region": "ap-southeast-1"
  },
  "DynamoDbTables": {
    "BenefitCategory": "stag_table1",
    "Benefit": "stag_table2"
  },
  "Logging": {
    "LogLevel": {
      "Default": "Debug",
      "System": "Information",
      "Microsoft": "Information"
    }
  }
}
Here is my inline policy attached to the "ecsInstanceRole".
"xxxxxxxxxxxxx" is the AWS account in which the DynamoDB table resides.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "dynamodb:PutItem",
        "dynamodb:DescribeTable",
        "dynamodb:DeleteItem",
        "dynamodb:GetItem",
        "dynamodb:Scan",
        "dynamodb:Query",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteTable",
        "dynamodb:UpdateTable",
        "dynamodb:GetRecords"
      ],
      "Resource": [
        "arn:aws:dynamodb:ap-southeast-1:xxxxxxxxxxx:table/stag_table1",
        "arn:aws:dynamodb:ap-southeast-1:xxxxxxxxxxx:table/stag_table2"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "dynamodb:ListGlobalTables",
        "dynamodb:ListTables"
      ],
      "Resource": "*"
    }
  ]
}
In this setup the API is trying to connect to the table in the same account. I have added the other AWS account as a trusted entity in the role ecsInstanceRole, but it is still not working.
Is there any way the AWS SDK or the ECS/EC2 instance can automatically find the DynamoDB table in the other AWS account?
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html
A role policy for EC2 will be needed in both accounts, and a trust policy allowing the EC2 service to assume those roles. The role policy in the Destination account will have to give IAM permissions to the DynamoDB table.
Then the Source EC2 instance will have to assume that role to get access to the table.
Grant the EC2 Server access to assume the role
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "abcdTrustPolicy",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {"AWS": "arn:aws:iam::SOURCE_ACCOUNT_ID:role/NAME_A"}
    }
  ]
}
Allowing NAME_A Instance Profile Role to Switch to a Role in Another Account
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowToAssumeCrossAccountRole",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::DESTINATION_ACCOUNT_ID:role/ACCESS_DYNAMODB"
    }
  ]
}
Role granting access to DynamoDB, named ACCESS_DYNAMODB
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowDDBActions",
      "Effect": "Allow",
      "Action": [
        "dynamodb:*"
      ],
      "Resource": "*"
    }
  ]
}
Trust policy in Destination
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DestinationTrustPolicy",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {"Service": "ec2.amazonaws.com"}
    }
  ]
}
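What the assume-role step looks like from the .NET side, as an added example that is not code from the question or the answer: it chains the instance role's credentials into an sts:AssumeRole on the destination role and hands the result to the DynamoDB client, so no access key appears in appsettings. It assumes the AWS SDK for .NET v3 packages AWSSDK.Core and AWSSDK.DynamoDBv2, the placeholder role ARN and table name from the page, and a partition key named Id.

```csharp
using System.Collections.Generic;
using System.Threading.Tasks;
using Amazon;
using Amazon.DynamoDBv2;
using Amazon.DynamoDBv2.Model;
using Amazon.Runtime;

public static class CrossAccountDynamoDb
{
    // Placeholder from the answer: the role in the destination account whose
    // trust policy names the source instance role (NAME_A) as principal.
    private const string CrossAccountRoleArn =
        "arn:aws:iam::DESTINATION_ACCOUNT_ID:role/ACCESS_DYNAMODB";

    public static IAmazonDynamoDB CreateClient()
    {
        // Step 1: the instance/task role credentials. The default chain resolves
        // the ECS container credentials endpoint or the EC2 instance metadata,
        // so nothing is read from configuration files.
        AWSCredentials sourceCreds = FallbackCredentialsFactory.GetCredentials();

        // Step 2: wrap them so every request first calls sts:AssumeRole on the
        // destination role. The SDK caches the temporary credentials and
        // refreshes them before DurationSeconds elapses.
        var options = new AssumeRoleAWSCredentialsOptions { DurationSeconds = 3600 };
        AWSCredentials crossAccountCreds = new AssumeRoleAWSCredentials(
            sourceCreds, CrossAccountRoleArn, "ecs-dynamodb-session", options);

        // Step 3: the DynamoDB client signs with the assumed-role credentials.
        // The region must match the region in the table ARN (ap-southeast-1).
        return new AmazonDynamoDBClient(crossAccountCreds, RegionEndpoint.APSoutheast1);
    }

    // Reads one item from stag_table1 in the destination account. An
    // AccessDeniedException here means either the destination role policy or
    // the source role's sts:AssumeRole grant is missing, not an SDK problem.
    public static async Task<Dictionary<string, AttributeValue>> GetBenefitCategoryAsync(
        IAmazonDynamoDB client, string id)
    {
        var response = await client.GetItemAsync(new GetItemRequest
        {
            TableName = "stag_table1",
            Key = new Dictionary<string, AttributeValue>
            {
                ["Id"] = new AttributeValue { S = id } // assumed partition key name
            }
        });
        return response.Item;
    }
}
```

Register the client once (for example as a singleton in the DI container) so the assumed-role credentials are cached rather than re-requested from STS on every call.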