[英]Access a DynamoDB table from another account in another region?
Is it possible to have Lambda access a DynamoDB table in a Chinese AWS account from another account from a non-China region like us-west-2 or us-east-1? Lambda是否可以从非中国区域(例如us-west-2或us-east-1)的另一个账户访问中国AWS账户中的DynamoDB表?
Example: 例:
Account 1, Region: us-east-1 Lambda function lives here that needs to access DynamoDB 帐户1,区域:us-east-1 Lambda函数位于此处,需要访问DynamoDB
Account 2, Region: cn-north-... DynamoDB table lives here 帐户2,区域:cn-north -... DynamoDB表位于此处
There are currentlh three separate and independent partitions in AWS. AWS中目前有三个独立的分区。
There's aws
(the one commonly thought of and referred to as "AWS"), aws-cn
(China) and aws-us-gov
(GovCloud US). 有
aws
(通常被称为“ AWS”的aws-cn
), aws-cn
(中国)和aws-us-gov
(美国GovCloud)。
There appears to be no connection whatsoever among the three partitions -- even the "Global" namespace of S3 buckets is only global within each partition. 三个分区之间似乎没有任何连接-甚至S3存储桶的“全局”名称空间也仅在每个分区内是全局的。
Operationally, it is as if there are three completely autonomous and independent "copies" of AWS. 在操作上,就好像有三个完全独立且独立的AWS副本。 As such, there is no cross-account IAM access possible, because the partitions seem entirely unaware of each other.
这样,就无法进行跨帐户IAM访问,因为分区似乎完全不知道彼此。
You should be able to use IAM user credentials obtained from the China account to access resources in the aws-cn
partition from anywhere . 您应该能够使用从中国帐户获得的IAM用户凭据从任何地方访问
aws-cn
分区中的资源。 There should be no impediment to this, since the DynamoDB endpoint in cn-north-1 is accessible directly from the Internet. 这应该没有障碍,因为cn-north-1中的DynamoDB端点可以直接从Internet访问。 You'd need to pass these credentials to the DynamoDB client, rather than using the Lambda function's role credentials.
您需要将这些凭据传递给DynamoDB客户端,而不是使用Lambda函数的角色凭据。
It is possible to access DynamoDB table from one region to another. 可以从一个区域访问DynamoDB表到另一个区域。 When you use your SDK, update the region to
cn-north
that should take care from there. 使用SDK时,请从该区域更新为
cn-north
。
var AWS = require('aws-sdk');
AWS.config.update({region: 'cn-north'});
var dynamodb = new AWS.DynamoDB();
dynamodb.batchGetItem(params, function (err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});
If you are using another account, create a separate role (AssumeRole for another account) and add it to Lambda. 如果您使用其他帐户,请创建一个单独的角色(另一个帐户为AssumeRole)并将其添加到Lambda。 You can also access with separate AccessKey and SecretKey.
您也可以使用单独的AccessKey和SecretKey进行访问。 But Role is recommended.
但是建议使用角色。
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html
Hope it helps. 希望能帮助到你。
每个AWS服务都有公共API地址,您可以使用它们并自行签名请求以跨不同账户发送数据。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.