You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I'm trying to do a direct integration with API Gateway to DynamoDB. If both are in the same accounts, this works just fine, I've had no problems with the integration.
If they're in separate accounts, I can't figure out how to signal to API Gateway that the dynamo table is in a different account.
This setup does not:
Account A: API Gateway
Account B: Dynamo DB
I have even created cross account roles and attached to api gateway execution role. Please find the below roles and policies I have created.
Even though I attached right execution role when I'm testing api from console, It is searching table in the same account.
Please refer below error message.
{"__type":"com.amazon.coral.service#AccessDeniedException","Message":"User: arn:aws:sts::AccountA:assumed-role/apiGateway-DynamoDBcrossaccountRole/BackplaneAssumeRoleSession is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:us-east-1:AccountA:table/Reply because no identity-based policy allows the dynamodb:Query action"}
Please suggest me with possible ways to achieve cross account integration with DynamoDB.
The text was updated successfully, but these errors were encountered:
I'm trying to do a direct integration with API Gateway to DynamoDB. If both are in the same accounts, this works just fine, I've had no problems with the integration.
If they're in separate accounts, I can't figure out how to signal to API Gateway that the dynamo table is in a different account.
This setup does not:
Account A: API Gateway
Account B: Dynamo DB
I have even created cross account roles and attached to api gateway execution role. Please find the below roles and policies I have created.
Role in Account A:
Role name: apiGateway-DynamoDBcrossaccountRole.
TrustRelation:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Principal": {
"Service": "apigateway.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
customer inline policy attached to apiGateway-DynamoDBcrossaccountRole in accountA:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": [
"arn:aws:iam::AccountB:role/dynamoToApigatewayRole"
]
}
]
}
Role in Account B:
Role name: dynamoToApigatewayRole
Trust Relation:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountA:role/apiGateway-DynamoDBcrossaccountRole"
},
"Action": "sts:AssumeRole"
}
]
}
Permission: DynamoDBFullAccess.
Even though I attached right execution role when I'm testing api from console, It is searching table in the same account.
Please refer below error message.
{"__type":"com.amazon.coral.service#AccessDeniedException","Message":"User: arn:aws:sts::AccountA:assumed-role/apiGateway-DynamoDBcrossaccountRole/BackplaneAssumeRoleSession is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:us-east-1:AccountA:table/Reply because no identity-based policy allows the dynamodb:Query action"}
Please suggest me with possible ways to achieve cross account integration with DynamoDB.
The text was updated successfully, but these errors were encountered: