Hi,
Reading your post, I see you call out two separate regions.
The IAM policy calls out us-east-1
I have created a role in Account B called DynDBReadAccess with a policy that allows someone to perform the dynamodb:GetItem action on the table arn:aws:dynamodb:us-east-1:<Account B>:table/myTable.
You then follow that with the error message, showing ap-southeast-1
An error occurred (AccessDeniedException) when calling the GetItem operation: User: arn:aws:sts::<Account B>:assumed-role/DynDBReadAccess/crossAccountSession is not authorized to perform: dynamodb:GetItem on resource: arn:aws:dynamodb:ap-southeast-1:<Account B>:table/myTable
This suggests that maybe your IAM policy or CLI tools are referencing the incorrect region. Based on this, can you confirm the location of the DynamoDB table and that your IAM policy (first quote, showing "us-east-1") is indeed matching the true location for the table?
Other things that you might want to check, but which are less likely:
- You check the caller identity before you set the environment variables to assume the role. It might be worth doing this after (but before the DynamoDB call) to debug the situation, to ensure the environment variables are applying correctly.
- Provide the CLI tools with a region like "--region us-east-1". This will likely be required if your table is in a different region to EC2/EKS.
I hope this helps.
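As an added example (not part of the answer above or of any AWS tooling), a small POSIX shell script that turns the two checks into something repeatable: it pulls the region field out of the resource ARN in the IAM policy and out of the ARN in the AccessDenied message and reports whether they agree, and it wraps the assume-role, get-caller-identity and get-item sequence so that the caller identity is printed only after the temporary credentials are exported and the region is passed explicitly. The account id, the role ARN and the item key schema are placeholders I have assumed; the policy and error ARNs mirror the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the original thread. Two helpers for debugging a
# cross-account DynamoDB AccessDenied: a region check on the ARNs, and the
# assume-role / get-caller-identity / get-item sequence with an explicit region.
# ARN layout: arn:partition:service:region:account-id:resource

arn_region() {
  # Print the region field (4th colon-separated field) of an ARN.
  printf '%s\n' "$1" | cut -d: -f4
}

region_matches() {
  # $1 = resource ARN from the IAM policy, $2 = resource ARN from the error.
  # Returns 0 when both name the same region, 1 otherwise.
  policy_region=$(arn_region "$1")
  request_region=$(arn_region "$2")
  if [ "$policy_region" = "$request_region" ]; then
    echo "OK: policy and request both target $policy_region"
    return 0
  fi
  echo "MISMATCH: policy allows $policy_region, request went to $request_region"
  echo "Fix: pass --region $policy_region (or export AWS_DEFAULT_REGION=$policy_region)"
  return 1
}

debug_cross_account_get_item() {
  # $1 = role ARN to assume, $2 = table region, $3 = table name,
  # $4 = item key as DynamoDB JSON, e.g. '{"id":{"S":"42"}}' (assumed key schema).
  role_arn=$1; region=$2; table=$3; key=$4
  # Temporary credentials come back as one tab-separated line.
  creds=$(aws sts assume-role --role-arn "$role_arn" \
            --role-session-name crossAccountSession \
            --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
            --output text) || return 1
  AWS_ACCESS_KEY_ID=$(printf '%s\n' "$creds" | cut -f1)
  AWS_SECRET_ACCESS_KEY=$(printf '%s\n' "$creds" | cut -f2)
  AWS_SESSION_TOKEN=$(printf '%s\n' "$creds" | cut -f3)
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
  # Check the identity AFTER exporting: the Arn should now show the assumed role.
  aws sts get-caller-identity --region "$region"
  # Pass the region explicitly so the table lookup is not left to the
  # instance/cluster default region.
  aws dynamodb get-item --region "$region" --table-name "$table" --key "$key"
}

# Constructed sample ARNs mirroring the thread; the account id is a placeholder.
POLICY_ARN='arn:aws:dynamodb:us-east-1:111122223333:table/myTable'
ERROR_ARN='arn:aws:dynamodb:ap-southeast-1:111122223333:table/myTable'

region_matches "$POLICY_ARN" "$ERROR_ARN" || true
# Live call, only where the AWS CLI and credentials are available
# (role ARN is a placeholder):
# debug_cross_account_get_item 'arn:aws:iam::111122223333:role/DynDBReadAccess' \
#   us-east-1 myTable '{"id":{"S":"42"}}'
```

Run it as-is to see the mismatch diagnosis for the two ARNs from the thread; once the table region is confirmed, call `debug_cross_account_get_item` with the real role ARN and that region, and compare the `Arn` printed by `get-caller-identity` with the principal named in the error message.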