问题
In my use case, I want to access DynamoDB table created in AWS account A and Lambda created in account B. For this I have followed many references on Internet which suggests me to use AWS assume role feature.
I have added following permission in Lambda execution role
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::aws-account-A-number:role/test-db-access"
   }
}
Following is the trust relationship of Lambda
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
           "Service": "lambda.amazonaws.com"
       },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
      "AWS": "arn:aws:iam::aws-account-A-number:root"
       },
     "Action": "sts:AssumeRole"
    }
  ]
}
In account A, I have created role(test-db-access) for allowing others to access this account and added AmazonDynamoDBFullAccess  and AdministratorAccess policies. Following is the trust relationship I have added in this account
{
  "Version": "2012-10-17",
   "Statement": [
     {
        "Effect": "Allow",
        "Principal": {
        "AWS": "arn:aws:iam::aws-account-B-number:role/sam-dev-test- 
            TestLambda-LambdaRole-1FH5IC18J0MYT"
         },
       "Action": "sts:AssumeRole"
     },
     {
       "Effect": "Allow",
       "Principal": {
           "Service": "lambda.amazonaws.com"
         },
       "Action": "sts:AssumeRole"
     }
  ]
}
Following is the Java code I have added to access Dynamo DB instance
AssumeRoleRequest assumeRequest = new AssumeRoleRequest()
            .withRoleArn("arn:aws:iam::aws-account-A-number:role/test-db-access").withRoleSessionName("cross_acct_lambda").withDurationSeconds(900);
final AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard().withRegion("eu-west-1").build();
final Credentials credentials = sts.assumeRole(assumeRequest).getCredentials();
following is the crash log coming on executing lambda
{
  "errorMessage": "User: arn:aws:sts::aws-account-B-number:assumed-role/sam-dev-test-TestLambda-LambdaRole-1FH5IC18J0MYT/sam-dev-test-TestLambda-LambdaFunction-73TVOBN6VXXX is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::aws-account-A-number:role/test-db-access (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: 100bd3a3-3f9c-11ea-b642-d3b4d9ff35de)",
  "errorType": "com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException"
}
回答1:
It appears your requirements are:
- From an AWS Lambda function in Account-B, access a DynamoDB table inAccount-A
To reproduce your situation I did the following:
- Created a DynamoDB table in Account-A
- Created an IAM Role (Role-A) inAccount-Awith the following policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "dynamodb:*",
            "Resource": "arn:aws:dynamodb:ap-southeast-2:<Account-A>:table/Inventory"
        }
    ]
}
And this Trust Relationship (pointing to the Role created in the next step):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<Account-B>:role/role-b"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
- Created an IAM Role (Role-B) inAccount-Bfor use with the Lambda function, with this policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::<Account-A>:role/role-a"
        }
    ]
}
And with this Trust Relationship:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
- Created an AWS Lambda function in Account-Bthat will:- Assume Role-AinAccount-A
- Access the DynamoDB table in Account-A
 
- Assume 
I'm a Python person, so my function is:
import boto3
def lambda_handler(event, context):
    # Assume Role
    sts_client = boto3.client('sts')
    response = sts_client.assume_role(
        RoleArn='arn:aws:iam::<Account-A>:role/stack-role-a', 
        RoleSessionName='bar')
    session = boto3.Session(
        aws_access_key_id=response['Credentials']['AccessKeyId'],
        aws_secret_access_key=response['Credentials']['SecretAccessKey'],
        aws_session_token=response['Credentials']['SessionToken']
    )
    # Update DynamoDB
    dynamodb_client = session.client('dynamodb')
    dynamodb_client.update_item(
        TableName='Inventory',
        Key={'Item': {'S': 'foo'}},
        UpdateExpression="ADD #count :increment",
        ExpressionAttributeNames = {
            '#count': 'count'
        },
        ExpressionAttributeValues = {
            ':increment': {'N': '1'},
        }
    ) 
I tested this by clicking Test on the Lambda function in Account-B. It successfully updated the DynamoDB table in Account-A.
I suspect the difference is with your trust policies, which appear to be a little bit different.
来源:https://stackoverflow.com/questions/59912169/how-to-access-aws-resources-created-in-other-account