DynamoDB Cross Account Access

Use-Case: EC2 Instance in account A wants to access DynamoDB tables in Account B.

Pre-Requisites

  • Account A instances to assume role for DynamoDB access in Account B

Steps

Account A (EC2 Instance): - Create a Role called CrossDDBAccess (or whatever you want to name it)

  • IAM Console  
  • Click on Roles, Create New Role, Name Role
  • Select Amazon EC2 Service Role
  • Click Next without selecting Permission Policy  - Create

Add Role Permission Policy

  • Click on Role (takes you to Details page)  
  • Click on Permissions tab  
  • Click on Inline Policy  
  • Click "To create one, click here"  
  • Click "Select" next to Policy Generator  
  • Make sure it is set to "Allow"  
  • Select AWS Security Token Service from Service dropdown menu  
  • Select the Action "AssumeRole"  
  • Enter the ARN as * for now, we'll adjust this after the next steps  
  • Copy the full Role ARN as show on the Details page, you'll need this

Account B (DynamoDB): - Create a Role called CrossActDDBAccess (or again, whatever you want to name it)

  • IAM Console  
  • Click on Roles  - Create New Role  - Name Role  
  • Select Role for Cross Account Access  
  • Select "Provide access between AWS accounts you own"  
  • Enter the Account B Account Number  
  • Click Next without selecting Permission Policy  - Create

Add Role Permission Policy

  • Click on Role (takes you to Details page)  
  • Click on Permissions tab
  • Click on Managed Policies  
  • Click "Attach Policy"  
  • In the Search bar type DynamoDB  
  • Select the Policy named "AmazonDynamoDBReadOnlyAccess" from the options  
  • Click Attach

Copy the Role ARN from the Details Page  (arn:aws:iam::ACCOUNTB:role/CrossActDDBAccess)

Go back to Account A and click on the Role you created, click on Edit  Policy on the Inline Policy you created, and replace Resource "*" with  the ARN from Account B.

Resources