Harini S

Reputation: 563

Fargate cross account DynamoDB access

I have DynamoDB in account A and a Fargate service in account B. I want to access the DynamoDB from the Fargate service. For this, I:
1. Created an IAM role in account A that has the policy attached for DynamoDB access.
2. Created an IAM role in account B that is attached to a policy that assumes role created in account A.
3. Added account B ID in the trusted relationship of account A.

In the code for creating the DynamoDBClient, I used STSAssumeRoleSessionCredentialsProvider, passing the ARN of the role created in account A. When running the service, I get an Access Denied error:

User: <ARN of ECS task> is not authorized to perform: sts:AssumeRole on resource: <ARN of role created in account A> (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDeniedException;

The ARN of the ECS task is of the format arn:aws:sts::<accountId of B>:assumed-role/<ECSTaskInstanceID>. Please note that ecs-tasks.amazonaws.com is added to the trust relationship in account B with the action sts:AssumeRole.

1. Is STSAssumeRoleSessionCredentialsProvider supported in Fargate?
2. Is there any additional step required, like AWS access key creation?
3. Any reason for the 403?

Upvotes: 0

Views: 752
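A cross-account sts:AssumeRole call is authorized on two sides: the trust policy of the target role in account A must name the caller (the task role, or the account B root principal), and the task role in account B must carry an identity policy allowing sts:AssumeRole on the target role's ARN. The principal in the AccessDenied message (arn:aws:sts::B:assumed-role/RoleName/SessionName) identifies which IAM role the task actually ran under, so the first thing to confirm is that both policies refer to that role. The following script is an added example, not code from the question or from AWS; it reproduces the two-sided check offline against the two policy documents. All account IDs, role names and session names are constructed placeholders.

```python
import re
from fnmatch import fnmatchcase

# Constructed placeholder account IDs and role names; none of these come from the question.
ACCOUNT_A = "111111111111"          # owns the DynamoDB table and the target role
ACCOUNT_B = "222222222222"          # runs the Fargate service
TARGET_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/DynamoDBReader"
TASK_ROLE_NAME = "FargateTaskRole"
TASK_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/{TASK_ROLE_NAME}"

# Side 1: the trust policy on the role in account A. Naming the task role ARN
# rather than the account B root principal limits which identities in B may assume it.
TRUST_POLICY_A = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": TASK_ROLE_ARN},
        "Action": "sts:AssumeRole",
    }],
}

# Side 2: the identity policy attached to the task role in account B.
TASK_ROLE_POLICY_B = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": TARGET_ROLE_ARN,
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def assumed_role_to_iam_role(sts_arn):
    """Map the caller ARN shown in the STS error back to the IAM role it was issued for.

    arn:aws:sts::ACCT:assumed-role/RoleName/SessionName -> arn:aws:iam::ACCT:role/RoleName
    """
    m = re.fullmatch(r"arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+", sts_arn)
    if not m:
        raise ValueError(f"not an assumed-role ARN: {sts_arn}")
    return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}"


def principal_trusted(trust_policy, caller_role_arn):
    """Does the target role's trust policy allow sts:AssumeRole for this caller role?"""
    account = caller_role_arn.split(":")[4]
    root_forms = {account, f"arn:aws:iam::{account}:root"}   # both spellings of "account root"
    for st in trust_policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if not any(fnmatchcase("sts:AssumeRole", a) for a in _as_list(st.get("Action", []))):
            continue
        principal = st.get("Principal", {})
        if principal == "*":
            return True
        for p in _as_list(principal.get("AWS", [])):
            if p == "*" or p == caller_role_arn or p in root_forms:
                return True
    return False


def caller_permitted(perm_policy, target_role_arn):
    """Does the caller's own identity policy allow sts:AssumeRole on the target? Explicit Deny wins."""
    allowed = False
    for st in perm_policy["Statement"]:
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if not any(fnmatchcase("sts:AssumeRole", a) for a in actions):
            continue
        if not any(fnmatchcase(target_role_arn, r) for r in resources):
            continue
        if st.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def diagnose(error_caller_arn, target_role_arn, trust_policy, perm_policy):
    """Reproduce the two-sided authorization behind a cross-account AssumeRole 403."""
    caller_role = assumed_role_to_iam_role(error_caller_arn)
    return {
        "caller_role": caller_role,
        "trusted_by_target": principal_trusted(trust_policy, caller_role),
        "caller_permitted": caller_permitted(perm_policy, target_role_arn),
    }


if __name__ == "__main__":
    # Constructed caller ARN in the shape the question's error message shows.
    caller = f"arn:aws:sts::{ACCOUNT_B}:assumed-role/{TASK_ROLE_NAME}/ecs-task-session"
    print(diagnose(caller, TARGET_ROLE_ARN, TRUST_POLICY_A, TASK_ROLE_POLICY_B))
```

Feed diagnose() the caller ARN copied from the 403 message together with the two policies as they are actually deployed; a False in either field points at the side that has to change. A trust policy that names the account B root principal passes principal_trusted() for every role in that account, which is why the per-role identity policy in B is the control that then decides who may assume the role.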

Answers (0)
