2 votes

Is it possible to have Lambda access a DynamoDB table in a Chinese AWS account from another account from a non-China region like us-west-2 or us-east-1?

Example:

Account 1, Region: us-east-1 Lambda function lives here that needs to access DynamoDB

Account 2, Region: cn-north-... DynamoDB table lives here


3 Answers

3 votes

There are currently three separate and independent partitions in AWS.

There's aws (the one commonly thought of and referred to as "AWS"), aws-cn (China) and aws-us-gov (GovCloud US).

There appears to be no connection whatsoever among the three partitions -- even the "Global" namespace of S3 buckets is only global within each partition.

Operationally, it is as if there are three completely autonomous and independent "copies" of AWS. As such, there is no cross-account IAM access possible, because the partitions seem entirely unaware of each other.

You should be able to use IAM user credentials obtained from the China account to access resources in the aws-cn partition from anywhere. There should be no impediment to this, since the DynamoDB endpoint in cn-north-1 is accessible directly from the Internet. You'd need to pass these credentials to the DynamoDB client, rather than using the Lambda function's role credentials.

0 votes

It is possible to access a DynamoDB table in one region from another. When you use your SDK, update the region to cn-north; that should take care of it from there.

var AWS = require('aws-sdk');
// Use the full region name; the China endpoint only accepts credentials issued by the China (aws-cn) account
AWS.config.update({
  region: 'cn-north-1',
  accessKeyId: process.env.CN_ACCESS_KEY_ID,
  secretAccessKey: process.env.CN_SECRET_ACCESS_KEY
});
var dynamodb = new AWS.DynamoDB();
var params = { RequestItems: { MyTable: { Keys: [{ id: { S: '1' } }] } } }; // sample request; table and key assumed
dynamodb.batchGetItem(params, function (err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

If you are using another account, create a separate role (AssumeRole for another account) and add it to Lambda. You can also access with separate AccessKey and SecretKey. But Role is recommended.

http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html

Hope it helps.

0 votes

There are public API addresses for each AWS service; you can use them and sign the requests on your own to send data across different accounts.