How can I connect DynamoDB in Account A with a Glue job in Account B which generates output in S3 in Account B?


I want to consume data from a different AWS account's DynamoDB using Glue.

asked 7 months ago, 160 views
1 Answer

It's outlined in this doc: https://docs.aws.amazon.com/glue/latest/dg/cross-account-access.html

Specifically:

Granting cross-account access using an IAM role

The following are the general steps for granting cross-account access using an IAM role:

  • An administrator (or other authorized identity) in the account that owns the resource (Account A) creates an IAM role.
  • The administrator in Account A attaches a policy to the role that grants cross-account permissions for access to the resource in question.
  • The administrator in Account A attaches a trust policy to the role that identifies an IAM identity in a different account (Account B) as the principal who can assume the role. The principal in the trust policy can also be an AWS service principal if you want to grant an AWS service permission to assume the role.
  • An administrator in Account B now delegates permissions to one or more IAM identities in Account B so that they can assume that role. Doing so gives those identities in Account B access to the resource in account A.

For more information about using IAM to delegate permissions, see Access management in the IAM User Guide. For more information about users, groups, roles, and permissions, see Identities (users, groups, and roles) in the IAM User Guide.

For a comparison of these two approaches, see How IAM roles differ from resource-based policies in the IAM User Guide. AWS Glue supports both options, with the restriction that a resource policy can grant access only to Data Catalog resources.

For example, to give the Dev role in Account B access to database db1 in Account A, attach the following resource policy to the catalog in Account A.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabase"
      ],
      "Principal": {"AWS": [
        "arn:aws:iam::account-B-id:role/Dev"
      ]},
      "Resource": [
        "arn:aws:glue:us-east-1:account-A-id:catalog",      
        "arn:aws:glue:us-east-1:account-A-id:database/db1"
      ]
    }
  ]
}

In addition, Account B would have to attach the following IAM policy to the Dev role before it would actually get access to db1 in Account A.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabase"
      ],
      "Resource": [
        "arn:aws:glue:us-east-1:account-A-id:catalog",      
        "arn:aws:glue:us-east-1:account-A-id:database/db1"
      ]
    }
  ]
}
AWS EXPERT, answered 7 months ago
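The answer above quotes the two mechanisms from the Glue docs, but only the IAM-role one applies here: the Data Catalog resource policy shown can grant access to catalog resources such as db1, not to a DynamoDB table. What the question actually needs is the four-step role procedure from the answer, applied to DynamoDB: a role in Account A whose trust policy names the Glue job's execution role in Account B, a read-only permissions policy on that role scoped to the one table, an sts:AssumeRole grant on the Glue job role in Account B, and the assume-role call inside the job. The following Python module is an added example written for this page; it is not code from the original post or from AWS. All account IDs, role names, the table name and the ExternalId are hypothetical placeholders, and the FakeSts class is a constructed stand-in so the module runs offline; in a real Glue job you would pass boto3.client("sts").

```python
"""Cross-account DynamoDB read from a Glue job (Account B) via an IAM role in Account A.
Added example for this page; identifiers below are hypothetical placeholders."""
import json
from typing import Callable, Optional

RESOURCE_ACCOUNT = "111111111111"      # Account A: owns the DynamoDB table (hypothetical)
CONSUMER_ACCOUNT = "222222222222"      # Account B: runs the Glue job, owns the S3 output (hypothetical)
REGION = "us-east-1"
TABLE_NAME = "orders"                  # hypothetical
ACCESS_ROLE_NAME = "GlueDynamoDBReadRole"   # role created in Account A (hypothetical)
GLUE_JOB_ROLE_NAME = "GlueJobRole"          # Glue job execution role in Account B (hypothetical)
EXTERNAL_ID = "glue-orders-export"          # confused-deputy guard agreed by both accounts (hypothetical)


def role_arn(account: str, name: str) -> str:
    return f"arn:aws:iam::{account}:role/{name}"


def table_arn() -> str:
    return f"arn:aws:dynamodb:{REGION}:{RESOURCE_ACCOUNT}:table/{TABLE_NAME}"


def trust_policy() -> dict:
    """Step 3 (Account A): trust policy on the access role. Names the Glue job's role
    explicitly (not the account root) and requires the agreed ExternalId."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": role_arn(CONSUMER_ACCOUNT, GLUE_JOB_ROLE_NAME)},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }]}


def access_policy() -> dict:
    """Step 2 (Account A): permissions policy on the access role. Read-only, one table
    plus its indexes; no dynamodb:* and no table/* wildcard."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:DescribeTable", "dynamodb:GetItem", "dynamodb:BatchGetItem",
                   "dynamodb:Query", "dynamodb:Scan"],
        "Resource": [table_arn(), table_arn() + "/index/*"],
    }]}


def assume_role_policy() -> dict:
    """Step 4 (Account B): attached to the Glue job role so it may assume exactly the
    Account A access role. The Glue job role also needs its own S3 write permissions in B."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": role_arn(RESOURCE_ACCOUNT, ACCESS_ROLE_NAME),
    }]}


def trust_policy_problems(policy: dict) -> list:
    """Review check before attaching a trust policy: a '*' or ':root' principal trusts
    every identity in that account, and a missing ExternalId leaves the confused-deputy hole."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal if principal == "*" else principal.get("AWS", [])
        principals = [aws] if isinstance(aws, str) else list(aws)
        for p in principals:
            if p == "*":
                problems.append("principal '*' lets any AWS identity assume the role")
            elif p.endswith(":root"):
                problems.append(f"account-root principal {p} trusts every identity in that account")
        if principals and "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            problems.append("no sts:ExternalId condition on an AWS principal")
    return problems


def dynamodb_client_via_role(sts_client, client_factory: Optional[Callable] = None,
                             session_name: str = "glue-orders-export"):
    """Inside the Glue job (Account B): assume the Account A role and build a DynamoDB
    client from the temporary credentials. client_factory defaults to boto3.client,
    imported lazily so this module also loads where boto3 is absent."""
    creds = sts_client.assume_role(
        RoleArn=role_arn(RESOURCE_ACCOUNT, ACCESS_ROLE_NAME),
        RoleSessionName=session_name,
        ExternalId=EXTERNAL_ID,
        DurationSeconds=3600,
    )["Credentials"]
    if client_factory is None:
        import boto3  # assumption: boto3 is available in the Glue runtime
        client_factory = boto3.client
    return client_factory("dynamodb", region_name=REGION,
                          aws_access_key_id=creds["AccessKeyId"],
                          aws_secret_access_key=creds["SecretAccessKey"],
                          aws_session_token=creds["SessionToken"])


class FakeSts:
    """Constructed stand-in for boto3's STS client so the example runs offline."""
    def __init__(self):
        self.calls = []

    def assume_role(self, **kwargs):
        self.calls.append(kwargs)
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "secret",
                                "SessionToken": "token"}}


if __name__ == "__main__":
    for name, doc in [("trust", trust_policy()), ("access", access_policy()),
                      ("assume-role (Account B)", assume_role_policy())]:
        print(f"--- {name} ---\n{json.dumps(doc, indent=2)}")
    print("trust policy problems:", trust_policy_problems(trust_policy()))
    client = dynamodb_client_via_role(FakeSts(), client_factory=lambda svc, **kw: (svc, kw))
    print("client built for:", client[0])
```

The trust policy deliberately names the job role ARN rather than `arn:aws:iam::account-B-id:root`; the root form is what the docs' examples often show, but it trusts every principal in Account B that has sts:AssumeRole. Once the temporary credentials are in hand, the job reads the table and writes to S3 with its own Account B role, so the two permission sets stay separate.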
