How to access a DynamoDB Table in a different Account via Assume Role (Read/Write)

Captions
What's up everyone, welcome back to another episode of AWS tutorial. Today I'll show you how to access a DynamoDB table in a different account using assume role. I'm just using DynamoDB as an example in this tutorial, but the idea can apply to other services as well, such as S3 and Kinesis. So without further ado, let's get to it.

All right, so right now I'm logged into two different AWS accounts. I have account number one here, and then I have account number two. What we're going to do in this tutorial is that first, in account number two, we're going to create a DynamoDB table that we can operate on, and then we're going to create an IAM role that allows account number one to assume it. Then we're going to move on to account number one to create an IAM role to assume that role, and finally we're going to create a Lambda function that uses this IAM role, and then we're going to write code to access the DynamoDB table.

Now let's go back to the AWS console. We have account number two, so I'm going to type in DynamoDB, Create table. I'm just going to call it test_table, and then I'm going to use account_id as the primary key, a string, and leave everything as default. Create. All right, so it's done, and now we're going to create an IAM role for account number one to assume. So IAM, Roles, Create role, and we're going to choose the second option, "Another AWS account". Then we're going to go to account number one, copy the account ID, and paste it here. Next, permissions: we're going to add the DynamoDBFullAccess permission, so that when account number one assumes this role it has access to our DynamoDB table. Hit Next, Next, role name: dynamodb_full_access_role, hit Create. All right, so it's done.

Now let's go to account number one and create an IAM role to assume this. In account number one I'll type in IAM. All right, so before we can create an IAM role we need to create a custom policy that defines how we're going to assume the role that we just created in account number two. So I'm going to hit Policies, Create, and then JSON. Here inside Statement we're going to add a JSON object; it's going to have Effect: Allow, and then Action. Inside Action we're going to say sts, and then we're going to say AssumeRole. And Resource: this is going to be the ARN for the IAM role that we just created in account number two. So we're going to go back to account number two, and this is the role that we just created. I'm going to click on it and copy this, go back to account number one and paste it here. So what this statement means is that it allows the IAM role in account number one to assume this IAM role, which is in account number two. So this is done, we're going to hit Next, Next, give it a name. I will just call it dynamodb_test_assume_policy, good enough. Create.

Now we can create an IAM role to use this policy. I'm going to hit Roles, Create role. We're going to select Lambda, because the Lambda function is going to use it. Permissions: we're going to attach the policy that we just created, I believe it's that one. Hit Next, Next, I'll just call it dynamodb_full_access_role_aws_one, Create role. All right, so it's done.

Now let's move on to create a Lambda function. Create from scratch, give it a name, let's call it dynamodb_test_lambda. We're going to use Python, and for permissions we're going to attach the role that we just created, and then create the function. All right, so before we get to the Lambda code, let's go back to account number two and insert an item into DynamoDB so we can read from it. Go back to account number two, DynamoDB, Create item, and then first_name: felix, something: to be something. All right, hit Save. So now we have one item, and now we're going to try to read that from account number one.

Go back to account number one, Lambda, click on the Lambda function. We're going to delete everything here. First thing first, we're going to import boto3, and then we're going to define an STS client from boto3.client('sts'). Then inside the Lambda function we're going to do sts_response, which is sts_client.assume_role, and I believe it takes in the ARN, and that is the role that we created in account number two. So we're going to go back to account number two, copy this ARN and paste it here. The second attribute is the role session name; I believe we can just call it whatever. Next is the duration in seconds for which the STS token is valid. I'll just give it five minutes, I think that's the minimum. Now we can define a DynamoDB client for account number two. Let's call it aws_two_dynamodb_client, equal to boto3.client('dynamodb'), region us-east-1, because that's the region where we defined our DynamoDB table in account number two. Next it takes in the access key ID, and we're going to get that from the sts_response, like that: Credentials, AccessKeyId. Next it's going to take in the secret access key, and same thing, we're going to take that from the sts_response. And finally it's going to take in the token. OK, that is it for the client.

Now we can use it to get the item that we just defined. Let's say response = aws_two_dynamodb_client.get_item, TableName, I believe we called it, let's go back to account number two, we called it test_table. Go back to account number one, and then the Key: I think we used account_id as the primary key, and it's a string, and I believe I'm just going to copy this, go back, paste it here. Now let's just return the response. OK, let's test it out. Hit Save or Deploy, and then Test. Test. And there you go, it's able to get the item from the table in account number two, and that's exactly what the attributes are: we have first_name felix and then something: to be something. So it seems like it's working.

Now you may want to ask, what if I want to use the Lambda function to access a DynamoDB table in account number one as well? Well, that is simple. You can just define a different DynamoDB client for account number one. So for example you can do something like aws_one_dynamodb_client = boto3.client('dynamodb'), and then the region name to be whatever region your DynamoDB is. In this way you have two clients: that one is for account number one specifically, and that one is for account number two specifically, so you can access DynamoDB tables in both accounts at the same time in one Lambda function.

And that is it for today's tutorial. If you guys liked this video I hope you can give it a thumbs up, and I'll see you in the next video.
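The procedure above, written out end to end as an added example (this is not the video's code). It puts the three policy documents the walkthrough clicks through into one place and tightens them the way a reviewer would: the trust policy in account 2 names the single Lambda role rather than the whole account root, and carries an ExternalId condition; the permission policy is scoped to the one table and the actions actually used, instead of the managed full-access policy; the session name identifies the caller for CloudTrail in account 2; and DurationSeconds is 900, which is the smallest value STS accepts. The handler takes injectable STS and client factories so it runs offline; in Lambda it falls back to boto3, which is assumed to be in the runtime. All account IDs, role names, the table name and the ExternalId are placeholders.

```python
"""Cross-account DynamoDB read/write from a Lambda in account 1 via sts:AssumeRole.

Added example, not the video's code. Account IDs, role names, table name and
ExternalId below are placeholders (assumptions); replace them with your own.
"""
from typing import Any, Callable, Dict, Optional

ACCOUNT_1 = "111111111111"           # runs the Lambda (assumed ID)
ACCOUNT_2 = "222222222222"           # owns the table (assumed ID)
REGION = "us-east-1"
TABLE_NAME = "test_table"
TABLE_ARN = f"arn:aws:dynamodb:{REGION}:{ACCOUNT_2}:table/{TABLE_NAME}"
LAMBDA_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_1}:role/dynamodb_test_lambda_role"
TARGET_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_2}:role/dynamodb_table_access_role"
EXTERNAL_ID = "replace-with-a-long-random-secret"   # assumed; known only to account 1

# Trust policy on TARGET_ROLE_ARN (account 2). Trusting the one Lambda role rather
# than arn:aws:iam::ACCOUNT_1:root keeps every other principal in account 1 out;
# the ExternalId condition blocks confused-deputy use of the role.
TRUST_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": LAMBDA_ROLE_ARN},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}

# Permission policy on TARGET_ROLE_ARN: only the needed actions, only this table
# (instead of the managed AmazonDynamoDBFullAccess policy).
PERMISSION_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
        "Resource": TABLE_ARN,
    }],
}

# Customer-managed policy on LAMBDA_ROLE_ARN (account 1): may assume exactly one role.
ASSUME_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": TARGET_ROLE_ARN}],
}


def credentials_from_sts(response: Dict[str, Any]) -> Dict[str, str]:
    """Map an AssumeRole response onto the kwargs boto3.client() expects."""
    creds = response["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],   # temporary creds always need the token
    }


def assume_cross_account_role(sts_client: Any, role_arn: str, session_name: str,
                              external_id: str, duration_seconds: int = 900) -> Dict[str, str]:
    """Call sts:AssumeRole; 900 s is the smallest DurationSeconds STS accepts.

    session_name is what CloudTrail in account 2 records, so make it identify
    the caller (the function name) rather than a throwaway label.
    """
    response = sts_client.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        ExternalId=external_id,
        DurationSeconds=duration_seconds,
    )
    return credentials_from_sts(response)


def get_item_cross_account(ddb_client: Any, table_name: str, account_id: str) -> Optional[Dict[str, Any]]:
    """Read one row keyed by the string partition key account_id."""
    response = ddb_client.get_item(TableName=table_name, Key={"account_id": {"S": account_id}})
    return response.get("Item")


def put_item_cross_account(ddb_client: Any, table_name: str, item: Dict[str, Any]) -> None:
    """Write one row; the low-level client takes attributes in the {"S": ...} form."""
    ddb_client.put_item(TableName=table_name, Item=item)


def lambda_handler(event: Dict[str, Any], context: Any, sts_client: Any = None,
                   client_factory: Optional[Callable[..., Any]] = None) -> Dict[str, Any]:
    """Entry point. sts_client and client_factory are injectable for offline tests;
    inside Lambda they default to boto3 (assumed present in the runtime)."""
    if sts_client is None or client_factory is None:
        import boto3
        sts_client = sts_client or boto3.client("sts")
        client_factory = client_factory or boto3.client

    creds = assume_cross_account_role(sts_client, TARGET_ROLE_ARN, "dynamodb-test-lambda", EXTERNAL_ID)
    aws_two_ddb = client_factory("dynamodb", region_name=REGION, **creds)   # account 2's table
    # A client built without explicit credentials keeps the Lambda's own role and
    # therefore reaches account 1's tables: client_factory("dynamodb", region_name=REGION)

    if "write" in event:
        put_item_cross_account(aws_two_ddb, TABLE_NAME, event["write"])
    item = get_item_cross_account(aws_two_ddb, TABLE_NAME, event.get("account_id", ACCOUNT_1))
    return {"item": item}
```

The credentials returned by AssumeRole expire, so if you cache `aws_two_ddb` across warm invocations you have to re-assume when `Credentials["Expiration"]` is near; calling `assume_role` once per invocation, as above, sidesteps that at the cost of one STS call.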
Info
Channel: Felix Yu
Views: 900
Keywords: aws, dynamodb, lambda, cross account access, assume role, iam role, read items
Id: bSrEGarJ1wQ
Length: 10min 31sec (631 seconds)
Published: Fri Jun 18 2021