How possible to share a DynamoDB table to be transparent among other members of an organization?


I've created an organization with a new management account, call it MA, and invited my personal account, call it A. What I wanted is to share a DynamoDB table created by MA with the members of the organization (for instance with A, which is under root).

For that, I've created a policy that grants full access to that table, attached to a brand new role joined to A (which is a full member of the org), but unfortunately, from the A account, I can't see the table.

Where did I make a mistake?

Policy JSON - dynamodb-products-table-full-access:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "dynamodb:ListContributorInsights",
                "dynamodb:DescribeReservedCapacityOfferings",
                "dynamodb:ListGlobalTables",
                "dynamodb:ListTables",
                "dynamodb:DescribeReservedCapacity",
                "dynamodb:ListBackups",
                "dynamodb:PurchaseReservedCapacityOfferings",
                "dynamodb:DescribeLimits",
                "dynamodb:ListExports",
                "dynamodb:ListStreams"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "dynamodb:*",
            "Resource": "arn:aws:dynamodb:eu-central-1:<MA ID>:table/products"
        }
    ]
}

A role of the "Another AWS account" type, attached to the A account:

Role

CodePudding user response:

Follow the next steps:

  • Create a role in the "MA" account (DynamoDB table owner) allowed to access the DynamoDB table.
  • Allow users in the "A" account to assume the role created in the "MA" account.
  • Use the 'Switch Role' AWS Console feature

Role in the "MA" account

It needs the permissions to access the DynamoDB table. The statements shown in the "dynamodb-products-table-full-access" policy are enough. Additionally, when creating the role, you need to define the "A" account as a trusted entity.

Trusted entity on creation

Trusted entity after creation

Users in the "A" account allowed to assume the role

On account "A" create a policy with the proper permissions to assume the role created on the previous step:

{
  "Version": "2012-10-17",
  "Statement": {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::<MA_Account_ID>:role/DynamoFullAccess"
    }
}

Add that policy to the Permissions policies of the corresponding IAM User or IAM User Group:

Attach policy

Using the 'Switch Role' feature

Finally, when the account "A" user enters the AWS Console, they need to use the "Switch role" feature:

Switch role

Enter the MA Account ID and the name of the role created on that account:

Switch role

And he will be able to use the table (note the assumed role 'MA_Account_Dynamo'):

Dynamo Table


Reference:

Delegate access across AWS accounts using IAM roles
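The answer's three pieces (a trust policy on the role in MA naming account A, an sts:AssumeRole permission on the user in A, and the table permissions on the role itself) only work together. The following is an added example, not code from the question or the answer: a small offline evaluator that models those three checks over the policy documents from this page, so the failing arrangement in the question (role created in A) can be compared with the working one in the answer (role created in MA). The account IDs are constructed placeholders standing in for "<MA ID>" and "<MA_Account_ID>", and the trust policy document is an assumption of what the "trusted entity" screenshot configures; the wildcard matching is a simplified model of IAM evaluation (no conditions, no SCPs, no permission boundaries).

```python
import fnmatch

# Constructed placeholder account IDs (the page only shows "<MA ID>" / "<MA_Account_ID>")
MA_ACCOUNT = "111111111111"   # management account, owns the "products" table
A_ACCOUNT = "222222222222"    # member account whose users need the table

TABLE_ARN = f"arn:aws:dynamodb:eu-central-1:{MA_ACCOUNT}:table/products"
ROLE_ARN = f"arn:aws:iam::{MA_ACCOUNT}:role/DynamoFullAccess"

# Trust policy of the role in MA. Assumed content of the "trusted entity" the
# answer configures in the console: account A's root principal may assume it.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{A_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
    }],
}

# Permissions policy attached to the IAM user in A (the answer's second JSON).
A_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN},
}

# Permissions policy on the role in MA (the table-scoped statement from the question).
ROLE_PERMISSIONS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "dynamodb:*", "Resource": TABLE_ARN}],
}


def _as_list(value):
    """IAM accepts a single string/object wherever a list is allowed."""
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    """IAM-style wildcard match: '*' matches any run of characters, '?' one character."""
    return fnmatch.fnmatchcase(value, pattern)


def account_of(arn):
    """The account ID is the fifth colon-separated field of an ARN."""
    return arn.split(":")[4]


def trust_allows(trust_policy, caller_account):
    """Does the role's trust policy let a principal from caller_account call sts:AssumeRole?"""
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        if not any(_match(a, "sts:AssumeRole") for a in _as_list(stmt["Action"])):
            continue
        for principal in _as_list(stmt.get("Principal", {}).get("AWS", [])):
            # Accepted forms: "*", a bare account ID, or any IAM ARN inside that account
            if principal == "*" or principal == caller_account:
                return True
            if principal.startswith("arn:aws:iam::") and account_of(principal) == caller_account:
                return True
    return False


def identity_allows(policy, action, resource):
    """Evaluate an identity-based policy: an explicit Deny wins, otherwise any Allow suffices."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not any(_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_read_table(caller_account, caller_policy, role_arn, trust_policy, role_policy, table_arn):
    """Model the answer's requirements for reaching another account's table:
    1. the caller's own policy allows sts:AssumeRole on the role,
    2. the role's trust policy names the caller's account,
    3. the role lives in the table-owner account and its policy allows the action."""
    if not identity_allows(caller_policy, "sts:AssumeRole", role_arn):
        return False
    if not trust_allows(trust_policy, caller_account):
        return False
    if account_of(role_arn) != account_of(table_arn):
        return False
    return identity_allows(role_policy, "dynamodb:GetItem", table_arn)


def answer_setup_works():
    """Role created in MA, trusted by A, assumed by A's user: the answer's arrangement."""
    return can_read_table(A_ACCOUNT, A_USER_POLICY, ROLE_ARN, TRUST_POLICY, ROLE_PERMISSIONS, TABLE_ARN)


def question_setup_works():
    """Role (with the same table policy) created in A instead of MA: the question's arrangement.
    Fails at check 3, since a role in A cannot grant access to a table owned by MA."""
    role_in_a = f"arn:aws:iam::{A_ACCOUNT}:role/DynamoFullAccess"
    trust_in_a = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{A_ACCOUNT}:root"},
        "Action": "sts:AssumeRole"}]}
    caller = {"Version": "2012-10-17", "Statement": {
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_in_a}}
    return can_read_table(A_ACCOUNT, caller, role_in_a, trust_in_a, ROLE_PERMISSIONS, TABLE_ARN)


if __name__ == "__main__":
    print("answer's setup grants access:", answer_setup_works())
    print("question's setup grants access:", question_setup_works())
```

The evaluator deliberately requires both halves of the cross-account handshake: removing account A from the trust policy, or dropping the sts:AssumeRole statement from the user in A, makes `can_read_table` return False even though the table policy itself is unchanged.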
