I have a Lambda Function
running in a Tenant account that needs to query a DynamoDb Table B
inside the Tenant and then query a DynamoDb Table A
inside ROOT.
This is the code I have so far:
'use strict';
const AWS = require('aws-sdk');
const ddbDc = new AWS.DynamoDB.DocumentClient()
module.exports.testDynamo = async event => {
try {
let result
let params = {}
// Query Table B inside tenant
params = {
TableName: 'Table_B',
Key: { externalKey : 'CA6E03C' }
}
result = await ddbDc.get(params).promise()
console.log('π result - ', result)
// Query Table A inside ROOT
// Restart ddbDc CLIENT with ROOT credentials ?
params = {
TableName: 'Table_A',
Key: { externalKey : 'MAP_CA6E03C' }
}
result = await ddbDc.get(params).promise()
console.log('π result - ', result)
return {
statusCode: 200,
headers: {
'Access-Control-Allow-Origin': '*',
'Access-Control-Allow-Credentials': true
},
body: JSON.stringify(
{
response: response,
},
null,
2
),
}
} catch (error) {
console.error('π testDynamo - error.stack:', error.stack)
return {
statusCode: 400,
headers: {
'Access-Control-Allow-Origin': '*',
'Access-Control-Allow-Credentials': true
},
body: JSON.stringify(error.stack)
}
}
}
I think I need to Restart ddbDc CLIENT with ROOT credentials
in order to get this access to the ROOT resources.
How Can I do that?
2
Answers
Using
Lambda function
andServerless Framework
do this:npm install --save-dev serverless-iam-roles-per-function
to install serverless-iam-roles-per-function. LinkIt will grant access to this lambda function
listComponentsRootDynamo
the access to Root-DynamoDb Table inside the Control Tower ROOT account.Note that the role that provide that access to the Dynamo specific tables must exist in the
ROOT-IAM Roles
. Just copy itsRole ARN
in theResource:
portion ofiamRoleStatements:
.Here is an example of the Role inside
Root
that provides that access to a specific Dynamo Table<DynamoDb-Table-Name>
:And Following the Lee Hannigan answer do this inside the
Lambda
that will query theRoot - DynamoDb Table
:You need to use STS AssumeRole and assume the role which you need to access that specific item/table.
https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html