I'm trying to do a direct integration from API Gateway to DynamoDB. If both are in the same account, this works just fine; I've had no problems with the integration.
If they're in separate accounts, I can't figure out how to signal to API Gateway that the DynamoDB table is in a different account.
This setup does not work:
Account A: API Gateway
Account B: DynamoDB
I have even created cross-account roles and attached them to the API Gateway execution role. Please find below the roles and policies I have created.

Role in Account A
Role name: apiGateway-DynamoDBcrossaccountRole
Trust relationship:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "Service": "apigateway.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Customer inline policy attached to apiGateway-DynamoDBcrossaccountRole in Account A:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [
                "arn:aws:iam::AccountB:role/dynamoToApigatewayRole"
            ]
        }
    ]
}

Role in Account B
Role name: dynamoToApigatewayRole
Trust relationship:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AccountA:role/apiGateway-DynamoDBcrossaccountRole"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Permissions: DynamoDBFullAccess.

Even though I attached the right execution role when testing the API from the console, it is searching for the table in the same account. Please refer to the error message below.
{
    "__type": "com.amazon.coral.service#AccessDeniedException",
    "Message": "User: arn:aws:sts::AccountA:assumed-role/apiGateway-DynamoDBcrossaccountRole/BackplaneAssumeRoleSession is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:us-east-1:AccountA:table/Reply because no identity-based policy allows the dynamodb:Query action"
}
Please suggest possible ways to achieve cross-account integration with DynamoDB.
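An added example, not part of the question above: the script below takes the two roles' policies exactly as posted and evaluates them against the action and resource named in the AccessDeniedException, the way a simplified IAM engine would. It shows what the error message already says: the session that made the DynamoDB call is the Account A role (apiGateway-DynamoDBcrossaccountRole), whose only inline permission is sts:AssumeRole, and the table ARN it was resolved against lives in Account A; the Account B role (dynamoToApigatewayRole), which does carry DynamoDB permissions, never appears as the caller. The account IDs 111111111111 / 222222222222 are constructed placeholders for AccountA / AccountB, AmazonDynamoDBFullAccess is reduced to its dynamodb:* statement, and policy Conditions, NotAction and NotResource are not modelled.

```python
import fnmatch
import json
import re

# Constructed placeholders for the "AccountA" / "AccountB" IDs redacted in the post.
ACCOUNT_A = "111111111111"
ACCOUNT_B = "222222222222"
ROLE_A_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/apiGateway-DynamoDBcrossaccountRole"
ROLE_B_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/dynamoToApigatewayRole"

# Policies as posted, with the placeholder account IDs substituted.
ROLE_A_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Statement1", "Effect": "Allow",
     "Principal": {"Service": "apigateway.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
ROLE_A_INLINE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": "sts:AssumeRole", "Resource": [ROLE_B_ARN]}]}
ROLE_B_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Statement1", "Effect": "Allow",
     "Principal": {"AWS": ROLE_A_ARN}, "Action": "sts:AssumeRole"}]}
# Assumption: AmazonDynamoDBFullAccess reduced to the statement that matters here.
ROLE_B_PERMISSIONS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}]}

ROLE_POLICIES = {
    (ACCOUNT_A, "apiGateway-DynamoDBcrossaccountRole"): ROLE_A_INLINE,
    (ACCOUNT_B, "dynamoToApigatewayRole"): ROLE_B_PERMISSIONS,
}

# The posted error, with the placeholder account ID substituted.
POSTED_ERROR = json.dumps({
    "__type": "com.amazon.coral.service#AccessDeniedException",
    "Message": f"User: arn:aws:sts::{ACCOUNT_A}:assumed-role/apiGateway-DynamoDBcrossaccountRole/"
               f"BackplaneAssumeRoleSession is not authorized to perform: dynamodb:Query on resource: "
               f"arn:aws:dynamodb:us-east-1:{ACCOUNT_A}:table/Reply because no identity-based policy "
               f"allows the dynamodb:Query action"})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM-style wildcard matching ('*' and '?') over a string or list of patterns.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def policy_allows(policy, action, resource):
    """Simplified evaluation: an explicit Deny wins, otherwise any matching Allow grants."""
    allowed = False
    for st in policy["Statement"]:
        if _matches(st.get("Action", []), action) and _matches(st.get("Resource", []), resource):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def trust_allows(trust_policy, principal):
    """principal is ("Service", "<service>") or ("AWS", "<principal arn>")."""
    kind, ident = principal
    for st in trust_policy["Statement"]:
        if st["Effect"] == "Allow" and _matches(st.get("Action", []), "sts:AssumeRole") \
                and _matches(st.get("Principal", {}).get(kind, []), ident):
            return True
    return False


_DENIED_RE = re.compile(
    r"User: (?P<user>\S+) is not authorized to perform: (?P<action>\S+) on resource: (?P<resource>\S+)")


def parse_access_denied(message):
    """Pull caller, action and resource out of an AccessDeniedException message."""
    m = _DENIED_RE.search(message)
    if not m:
        raise ValueError("not an IAM AccessDenied message")
    user = m["user"]  # arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION
    return {"account": user.split(":")[4], "role": user.split("/")[1],
            "action": m["action"], "resource": m["resource"]}


def diagnose(error_json):
    """Evaluate the posted policies against the call that was denied."""
    info = parse_access_denied(json.loads(error_json)["Message"])
    caller_policy = ROLE_POLICIES[(info["account"], info["role"])]
    info["caller_allowed"] = policy_allows(caller_policy, info["action"], info["resource"])
    info["target_account"] = info["resource"].split(":")[4]
    # Whether the second role in the chain would have been allowed, had it been the caller.
    info["role_b_allowed"] = policy_allows(ROLE_B_PERMISSIONS, info["action"], info["resource"])
    info["chain_trusts_ok"] = (trust_allows(ROLE_A_TRUST, ("Service", "apigateway.amazonaws.com"))
                              and trust_allows(ROLE_B_TRUST, ("AWS", ROLE_A_ARN)))
    return info


if __name__ == "__main__":
    print(json.dumps(diagnose(POSTED_ERROR), indent=2))
```

Running it reports chain_trusts_ok true (both trust policies are consistent with the intended hop A to B), caller_allowed false (the Account A role's inline policy only grants sts:AssumeRole, so the evaluation reproduces the "no identity-based policy allows the dynamodb:Query action" outcome), target_account equal to Account A, and role_b_allowed true, i.e. the permissions that would have satisfied the Query sit on a role that was never the caller.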