I have an AWS ECS EC2 instance in one account and it is trying to access the DynamoDB tables in another AWS account. I am not using any AWS access key and ID; instead I am using an AWS IAM role attached to the EC2 instance.

This is a .NET project, and this is my appsettings.Staging.json:

{
  "aws": {
    "region": "ap-southeast-1"
  },
  "DynamoDbTables": {
    "BenefitCategory": "stag_table1",
    "Benefit": "stag_table2"
  },
  "Logging": {
    "LogLevel": {
      "Default": "Debug",
      "System": "Information",
      "Microsoft": "Information"
    }
  }
}

Here is my inline policy attached to the "ecsInstanceRole".

"xxxxxxxxxxxxx" is the AWS account in which the DynamoDB table resides.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "dynamodb:PutItem",
                "dynamodb:DescribeTable",
                "dynamodb:DeleteItem",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:Query",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteTable",
                "dynamodb:UpdateTable",
                "dynamodb:GetRecords"
            ],
            "Resource": [
                "arn:aws:dynamodb:ap-southeast-1:xxxxxxxxxxx:table/stag_table1",
                "arn:aws:dynamodb:ap-southeast-1:xxxxxxxxxxx:table/stag_table2"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "dynamodb:ListGlobalTables",
                "dynamodb:ListTables"
            ],
            "Resource": "*"
        }
    ]
}

In this setup the API is trying to connect to the table in the same account. I have added the other AWS account as a trusted entity in the role ecsInstanceRole, but it is still not working.

Is there any way the AWS SDK or the AWS ECS/EC2 instance can automatically find the DynamoDB table in the other AWS account?

sandeep krishna

1 Answer
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html

A role policy for EC2 will be needed in both accounts, and a trust policy allowing the EC2 service to assume those roles. The role policy in the destination account will give IAM permissions to the DynamoDB table.

Then the source EC2 instance will have to assume that role to get access to the table.

Grant the EC2 Server access to assume the role

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "abcdTrustPolicy",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {"AWS": "arn:aws:iam::SOURCE_ACCOUNT_ID:role/NAME_A"}
        }
    ]
}

Allowing NAME_A Instance Profile Role to Switch to a Role in Another Account

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowToAssumeCrossAccountRole",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::DESTINATION_ACCOUNT_ID:role/ACCESS_DYNAMODB"
        }
    ]
}

Role granting access to Dynamodb named ACCESS_DYNAMODB

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowDDBActions",
            "Effect": "Allow",
            "Action": [
                "dynamodb:*"
            ],
            "Resource": "*"
        }
    ]
}

Trust policy in Destination

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DestinationTrustPolicy",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {"Service": "ec2.amazonaws.com"}
        }
    ]
}
strongjz

  • Thanks, I am looking into it. A bit confused: the first and the last two policies are to be added under the destination AWS account, i.e. the account that has only the DynamoDB tables, and the second policy is to be added into the source AWS account that has the AWS ECS EC2 instance, right? – sandeep krishna Apr 25 '19 at 10:39
  • Also, should we mention the destination AWS account number in the .NET code? – sandeep krishna Apr 25 '19 at 10:51
  • @sandeepkrishna have you figured it out? I wonder if you had to modify your code to assume the role first? Thanks. – void Apr 29 '20 at 05:30
  • @void I did not get time to check it. I moved my entire development environment to a new AWS account, so there is no need for cross-account DynamoDB now. But I guess it should work. – sandeep krishna Jun 02 '20 at 04:45
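The comments above ask whether the application code has to assume the destination role before calling DynamoDB. With the policies in the answer it does: the instance role only carries `sts:AssumeRole` on the destination role, and the DynamoDB permissions live on that destination role, so a client built from the plain instance-profile credentials would still be denied. The following is an added example, not code from the question, the answer or the AWS documentation, showing how a .NET service can build its DynamoDB client so that the instance-profile credentials are exchanged for temporary credentials of the destination role before any table call is made. It assumes the AWSSDK.Core, AWSSDK.SecurityToken and AWSSDK.DynamoDBv2 packages; the role ARN, the session name and the class name are placeholders, and the region is the one from the question's appsettings.

```csharp
using System.Threading.Tasks;
using Amazon;
using Amazon.DynamoDBv2;
using Amazon.DynamoDBv2.Model;
using Amazon.Runtime;
using Amazon.SecurityToken;

// Added example with hypothetical names: wires the DynamoDB client so that
// every call runs under a role in the destination account, not the instance role.
public static class CrossAccountDynamoDb
{
    // Placeholder ARN of the destination-account role that grants DynamoDB access
    // (the answer's ACCESS_DYNAMODB role); substitute the real account id.
    private const string DestinationRoleArn =
        "arn:aws:iam::DESTINATION_ACCOUNT_ID:role/ACCESS_DYNAMODB";

    public static IAmazonDynamoDB CreateClient()
    {
        // Credentials of the role attached to the EC2 instance (ecsInstanceRole),
        // fetched from the instance metadata service; nothing is stored in appsettings.
        AWSCredentials instanceCredentials = new InstanceProfileAWSCredentials();

        // Exchange them for temporary credentials of the destination role.
        // The SDK calls sts:AssumeRole on first use and refreshes before expiry.
        // The session name is a free-form label that appears in CloudTrail in
        // the destination account, which is how cross-account calls get attributed.
        AWSCredentials crossAccountCredentials = new AssumeRoleAWSCredentials(
            instanceCredentials, DestinationRoleArn, "ecs-api-dynamodb");

        return new AmazonDynamoDBClient(crossAccountCredentials, RegionEndpoint.APSoutheast1);
    }

    // End-to-end check: a successful DescribeTable proves both that AssumeRole
    // succeeded and that the destination role is allowed to see the table.
    public static async Task<string> DescribeTableArnAsync(IAmazonDynamoDB client, string tableName)
    {
        DescribeTableResponse response =
            await client.DescribeTableAsync(new DescribeTableRequest { TableName = tableName });
        return response.Table.TableArn;
    }
}

// Registration in Startup.ConfigureServices so controllers receive the cross-account client:
// services.AddSingleton<IAmazonDynamoDB>(_ => CrossAccountDynamoDb.CreateClient());
```

With this wiring, the destination account's trust policy should name the source role ARN as the principal (the answer's first policy) and the source role only needs `sts:AssumeRole` on that one ARN (the answer's second policy); the DynamoDB actions themselves can then be scoped on the destination role to the specific table ARNs, as in the question's inline policy, rather than `dynamodb:*` on `*`. If `DescribeTableArnAsync` fails with an access-denied error from STS, the trust policy or the source role's `sts:AssumeRole` permission is the problem; if STS succeeds but DynamoDB denies the call, the destination role's permissions policy is.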