如何使用 AccountB 的用户 CLI 凭证从 AccountA 访问 DynamoDB 表？

Question

I have created one table in Dynamodb and setup role in IAM with following policy attached:

{
  "Version": "2012-10-17",
  "Statement": [{
        "Effect": "Allow",
        "Action": "dynamodb:*",
        "Resource": "arn:aws:dynamodb:ap-south-1:**AccountAID**:table/employee"
  }]
}

I have added trusted entity AccountB ID in the role. Then I have also created policy in AccountB for the access of dynamodb table created in AccountA with following policy:

{
    "Version": "2012-10-17",
    "Statement": [{
            "Effect": "Allow",
            "Action": "*",
            "Resource": "arn:aws:iam::**AccountAID**:role/DynamodbCrossAccountAccessRole"
    }]
}

I have configured profiles of AccountA user and AccountB user and with the credentials of AccountA's profile user, I can list tables of dynamodb but while trying to get with AccountB's profile user I always returns with empty-table list.

Krunal-MacBook-Air:.aws krunal$ aws dynamodb list-tables --profile Krunal { "TableNames": [ "employee" ] } Krunal-MacBook-Air:.aws krunal$ aws dynamodb list-tables --profile Krunal2 { "TableNames": [] }

Can anyone help me out of this why am I not able to access dynamodb with AccountB's profile? Policies are attached to the account users respectively.

Answer 1

Based on the comments.

The issue was solved by assuming the role in AccountB. The useful links showing how to do this are:

• Cross-Account Access Control with Amazon STS for DynamoDB
• Delegate Access Across AWS Accounts Using IAM Roles

Answer 2

Based on the comments and with the help of provided documents, I can access to my AccountB's resources. I have configured generated API Key, Secret Key and Tokens in credentials file of my profile and it's working as expected.