Description
I'm trying to do a direct integration from API Gateway to DynamoDB. If both are in the same account, this works just fine; I've had no problems with the integration.
If they're in separate accounts, I can't figure out how to signal to API Gateway that the DynamoDB table is in a different account.
This setup does not work:
Account A: API Gateway
Account B: DynamoDB
I have even created cross-account roles and attached them to the API Gateway execution role. Please find below the roles and policies I have created.
Role in Account A:
Role name: apiGateway-DynamoDBcrossaccountRole
Trust relationship:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
Customer inline policy attached to apiGateway-DynamoDBcrossaccountRole in Account A:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": [
        "arn:aws:iam::AccountB:role/dynamoToApigatewayRole"
      ]
    }
  ]
}
```
Role in Account B:
Role name: dynamoToApigatewayRole
Trust relationship:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::AccountA:role/apiGateway-DynamoDBcrossaccountRole"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
Permission: DynamoDBFullAccess.
Even though I attached the right execution role, when I'm testing the API from the console it is searching for the table in the same account.
Please refer to the error message below.
```json
{"__type":"com.amazon.coral.service#AccessDeniedException","Message":"User: arn:aws:sts::AccountA:assumed-role/apiGateway-DynamoDBcrossaccountRole/BackplaneAssumeRoleSession is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:us-east-1:AccountA:table/Reply because no identity-based policy allows the dynamodb:Query action"}
```
Please suggest possible ways to achieve cross-account integration with DynamoDB.
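The following is an added diagnostic, not code from the issue author or from AWS. It takes the three policy documents and the AccessDeniedException exactly as posted above (the `AccountA`/`AccountB` placeholders are kept verbatim) and makes two things explicit that are easy to miss when reading the raw JSON: whether the trust documents actually chain API Gateway to role A and role A to role B, and which identity the denied call was made as and in which account the table ARN was resolved. The error text shows the caller as the `apiGateway-DynamoDBcrossaccountRole` session in Account A and the resource as a table in Account A, so the Account B role never appears in the call; the script surfaces that mismatch against the account the table was expected to live in. The policy-walking helper checks only the `sts:AssumeRole` links shown on the page and is not a general IAM evaluator.

```python
import json
import re

# Policy documents as posted in the issue; "AccountA"/"AccountB" are the
# poster's placeholders for the two account IDs and are kept verbatim.
ROLE_A_ARN = "arn:aws:iam::AccountA:role/apiGateway-DynamoDBcrossaccountRole"
ROLE_B_ARN = "arn:aws:iam::AccountB:role/dynamoToApigatewayRole"

ROLE_A_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Statement1", "Effect": "Allow",
                   "Principal": {"Service": "apigateway.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}
ROLE_A_INLINE = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
                   "Action": "sts:AssumeRole", "Resource": [ROLE_B_ARN]}],
}
ROLE_B_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Statement1", "Effect": "Allow",
                   "Principal": {"AWS": ROLE_A_ARN},
                   "Action": "sts:AssumeRole"}],
}

# The AccessDeniedException body quoted in the issue.
ERROR_BODY = ('{"__type":"com.amazon.coral.service#AccessDeniedException","Message":"User: '
              'arn:aws:sts::AccountA:assumed-role/apiGateway-DynamoDBcrossaccountRole/'
              'BackplaneAssumeRoleSession is not authorized to perform: dynamodb:Query on '
              'resource: arn:aws:dynamodb:us-east-1:AccountA:table/Reply because no '
              'identity-based policy allows the dynamodb:Query action"}')

# arn:partition:service:region:account:resource (region is empty for STS ARNs)
ARN_RE = re.compile(r"^arn:aws:(?P<service>[^:]*):(?P<region>[^:]*):(?P<account>[^:]*):(?P<resource>.+)$")
DENIED_RE = re.compile(r"User: (?P<caller>\S+) is not authorized to perform: (?P<action>\S+) "
                       r"on resource: (?P<resource>\S+)")


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource/Principal fields."""
    return value if isinstance(value, list) else [value]


def _allows_assume_role(policy, principal_key=None, principal=None, resource=None):
    """True if some Allow statement grants sts:AssumeRole to `principal` (trust policy)
    or on `resource` (identity policy)."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        if principal_key is not None:
            if principal in _as_list(st.get("Principal", {}).get(principal_key, [])):
                return True
        elif resource in _as_list(st.get("Resource", [])):
            return True
    return False


def role_chain_is_consistent(trust_a, inline_a, trust_b, role_a_arn, role_b_arn):
    """Check that the documents link up: API Gateway -> role A -> role B."""
    return (_allows_assume_role(trust_a, "Service", "apigateway.amazonaws.com")
            and _allows_assume_role(inline_a, resource=role_b_arn)
            and _allows_assume_role(trust_b, "AWS", role_a_arn))


def diagnose_access_denied(error_body, expected_table_account):
    """Parse the AccessDeniedException and report who acted, on what, and in which account."""
    message = json.loads(error_body)["Message"]
    m = DENIED_RE.search(message)
    if not m:
        raise ValueError("not an IAM authorization failure: " + message)
    caller = ARN_RE.match(m.group("caller"))
    resource = ARN_RE.match(m.group("resource"))
    # An assumed-role ARN's resource part is assumed-role/<RoleName>/<SessionName>.
    role_name = caller.group("resource").split("/")[1]
    return {
        "caller_account": caller.group("account"),
        "caller_role": role_name,
        "action": m.group("action"),
        "resource_account": resource.group("account"),
        "resource_region": resource.group("region"),
        "resolved_in_expected_account": resource.group("account") == expected_table_account,
    }


if __name__ == "__main__":
    print("policy chain links up:",
          role_chain_is_consistent(ROLE_A_TRUST, ROLE_A_INLINE, ROLE_B_TRUST, ROLE_A_ARN, ROLE_B_ARN))
    print(json.dumps(diagnose_access_denied(ERROR_BODY, "AccountB"), indent=2))
```

Running it with `"AccountB"` as the expected table account reports `resolved_in_expected_account: false` alongside a caller in Account A, which is the concrete evidence that the DynamoDB request was signed by role A's own session rather than by anything obtained through `dynamoToApigatewayRole`; the policy-chain check passing at the same time shows the trust documents themselves are not what is missing.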