The use case is:

  1. The user wants the DynamoDB table to be created in their AWS account using my service. This is optional and depends on the user; we also have to make the DynamoDB table in our AWS account as well.

  2. Now the user will be putting data and doing all the operations using my service in the DynamoDB table created in his/her AWS account.

What I have tried:

The user can create an IAM role and we can switch to the role and then access the DynamoDB service and do all the operations, but while doing this in an EC2 instance, can we assume multiple roles at a time, as we will be having multiple users? Is this feasible for multiple users, and if yes, how?

In this case the user needs to make a role and then we need to assume it. In order to reduce the work for the user, is it possible that we make an IAM user in our AWS account and then the "user" just needs to whitelist our IAM user and then we are good to go? Maybe we can use the access key and secret key for this.

Is it feasible to achieve what we are aiming for, and what are the possible solutions?

1 Answer

Each user should create a cross-account IAM role in his/her AWS account that can be assumed by an IAM role in your account. You'll need to share details with each user so that they can set up this IAM role correctly, and they will need to share the ARN of the IAM role with you. You can help them by pre-creating a sample IAM policy that has the correct permissions and documenting that policy for them so they can copy/paste it into a new policy in their account. You'll also need to agree on the shared DynamoDB table name (probably best to just make it the same name in each account).

Launch your EC2 instance with your IAM role (that allows access to your master DynamoDB table, and has permission to assume roles in the user accounts). As needed, your application can assume the relevant role in the user's account and using that second set of (STS) credentials, create a new service object using the AWS SDK of your choice. So, now you have 1+N service objects: 1 for your master account and N for the N user accounts that you are trying to operate in.

You're using Node.js, in which the DynamoDB service object is constructed like so:

const AWS = require('aws-sdk');                      // aws-sdk v2
const options = { region: abc, credentials: xyz };   // abc: region string; xyz: the temporary STS credentials returned by assumeRole
const dynamodb = new AWS.DynamoDB(options);

Don't use IAM users for this - use roles instead. Don't write configuration files with credentials in them - use an instance profile for your EC2 instance and use assumed, cross-account IAM roles for access to the user tables.
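The "1+N service objects" pattern from the answer, written out as an added example (my code, not the answerer's): one DynamoDB client per user account, obtained by assuming that user's cross-account role from the instance-profile role, cached and re-assumed before the STS credentials expire. It assumes the aws-sdk v2 API (`new AWS.STS().assumeRole(params).promise()` and `new AWS.DynamoDB({ region, accessKeyId, secretAccessKey, sessionToken })`); the SDK objects are injected so the logic runs offline against the constructed stand-ins at the bottom.

```javascript
// Per-user DynamoDB clients via cross-account AssumeRole (aws-sdk v2 style, assumed).
// In production pass { sts: new AWS.STS(), DynamoDB: AWS.DynamoDB } from require('aws-sdk');
// the instance profile supplies the credentials that the STS call itself is signed with.
const ROLE_ARN_RE = /^arn:aws:iam::\d{12}:role\/[\w+=,.@\/-]+$/; // sanity check on user-supplied ARNs

function makeUserClientFactory({ sts, DynamoDB, region,
                                 sessionName = 'my-service', refreshMarginMs = 60000,
                                 now = () => Date.now() }) {
  const cache = new Map(); // roleArn -> { client, expiresAt }

  // Returns a DynamoDB service object bound to temporary credentials for roleArn.
  // The role is re-assumed once the cached credentials are within refreshMarginMs of expiry.
  async function clientFor(roleArn, externalId) {
    if (!ROLE_ARN_RE.test(roleArn)) throw new Error('invalid IAM role ARN: ' + roleArn);
    const hit = cache.get(roleArn);
    if (hit && hit.expiresAt - now() > refreshMarginMs) return hit.client;
    const params = { RoleArn: roleArn, RoleSessionName: sessionName, DurationSeconds: 3600 };
    if (externalId) params.ExternalId = externalId; // optional, agreed with the user out of band
    const { Credentials } = await sts.assumeRole(params).promise();
    const client = new DynamoDB({
      region,
      accessKeyId: Credentials.AccessKeyId,
      secretAccessKey: Credentials.SecretAccessKey,
      sessionToken: Credentials.SessionToken,
    });
    cache.set(roleArn, { client, expiresAt: new Date(Credentials.Expiration).getTime() });
    return client;
  }
  return { clientFor, cachedRoles: () => [...cache.keys()] };
}

// Constructed stand-ins for AWS.STS / AWS.DynamoDB so this file runs without network access.
class FakeSTS {
  constructor(now) { this.now = now; this.calls = 0; }
  assumeRole(params) {
    this.calls += 1;
    const Expiration = new Date(this.now() + 3600 * 1000).toISOString(); // matches DurationSeconds
    return { promise: async () => ({ Credentials: {
      AccessKeyId: 'ASIAEXAMPLE', SecretAccessKey: 'example-secret',
      SessionToken: 'example-token-' + this.calls, Expiration } }) };
  }
}
class FakeDynamoDB { constructor(opts) { this.opts = opts; } }

if (typeof module !== 'undefined') {
  module.exports = { makeUserClientFactory, FakeSTS, FakeDynamoDB, ROLE_ARN_RE };
}
```

Swap the fakes for the real SDK objects and the same `clientFor(roleArn)` call gives you the per-user service object the answer describes, with no long-lived keys written anywhere.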