Temporary security credentials using AssumeRole

You can use temporary security credentials obtained through AssumeRole to access Amazon DynamoDB resources in the same AWS account or in a different AWS account.
Ensure that you have the sts:AssumeRole permission and that a trust relationship is established between the AWS accounts before you use temporary security credentials. The trust relationship is defined in the trust policy of the IAM role when you create the role. The trust policy names the IAM user, or the AWS account, as a trusted entity, which allows that user to assume the role, obtain temporary security credentials, and access resources in the account that owns the role. For more information about how to establish the trust relationship, see the AWS documentation.
When the trusted IAM user requests temporary security credentials, the AWS Security Token Service (STS) dynamically generates credentials that are valid for a specified period and returns them to the user. The temporary security credentials consist of an access key ID, a secret access key, and a session token.
To use the dynamically generated temporary security credentials, provide the value of the IAM Role ARN connection property when you create an Amazon DynamoDB V2 connection. The IAM Role ARN uniquely identifies the IAM role that is assumed for the connection; the permissions policy attached to that role determines which Amazon DynamoDB resources the connection can access.
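The AssumeRole exchange described above, written with boto3 as an added example; this is not code from the Amazon DynamoDB V2 Connector. The role ARN, session name, region and external ID values are placeholders you supply. The two helper functions are pure and run without AWS access; only dynamodb_client_via_role contacts STS, and it needs boto3 and network access.

```python
"""Added example (not part of the connector documentation): request temporary
credentials with STS AssumeRole and hand them to a DynamoDB client."""
from __future__ import annotations

import re
from typing import Any

# IAM role ARN shape: arn:aws:iam::<12-digit account>:role/<optional path/><name>
ROLE_ARN_PATTERN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def build_assume_role_request(role_arn: str, session_name: str,
                              external_id: str | None = None,
                              duration_seconds: int = 3600) -> dict[str, Any]:
    """Validate the inputs and build the keyword arguments for sts.assume_role().

    A DynamoDB table ARN or any other non-role ARN is rejected up front, since
    the value configured as IAM Role ARN must name the role to assume.
    """
    if not ROLE_ARN_PATTERN.match(role_arn):
        raise ValueError(f"not an IAM role ARN: {role_arn}")
    if not 900 <= duration_seconds <= 43200:
        raise ValueError("DurationSeconds must be between 900 and 43200 seconds")
    params: dict[str, Any] = {
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "DurationSeconds": duration_seconds,
    }
    if external_id is not None:
        # Only sent when the trust policy requires it (see External ID below).
        params["ExternalId"] = external_id
    return params


def credentials_for_client(assume_role_response: dict[str, Any]) -> dict[str, str]:
    """Map the three temporary credentials in an AssumeRole response onto the
    keyword arguments that boto3 clients accept. All three are required; a
    request signed without the session token is rejected by AWS."""
    creds = assume_role_response["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


def dynamodb_client_via_role(role_arn: str, session_name: str, region: str,
                             external_id: str | None = None):
    """Call STS AssumeRole and return a DynamoDB client that signs with the
    temporary credentials. Requires boto3, AWS credentials for the caller,
    and network access."""
    import boto3  # imported here so the pure helpers above work without it

    sts = boto3.client("sts")
    response = sts.assume_role(
        **build_assume_role_request(role_arn, session_name, external_id))
    return boto3.client("dynamodb", region_name=region,
                        **credentials_for_client(response))


if __name__ == "__main__":
    # Constructed sample in the shape STS returns; these are not real keys.
    sample_response = {"Credentials": {"AccessKeyId": "ASIAEXAMPLE",
                                       "SecretAccessKey": "example-secret",
                                       "SessionToken": "example-session-token",
                                       "Expiration": "2024-01-01T00:00:00Z"}}
    print(build_assume_role_request("arn:aws:iam::123456789012:role/DynamoDBReader",
                                    "connector-session", "dummy_external_id"))
    print(credentials_for_client(sample_response))
```

The temporary credentials expire at the Expiration time in the response; a long-running connection must call AssumeRole again rather than cache the three values indefinitely.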

Temporary security credentials policy

To use temporary security credentials to access Amazon DynamoDB resources, both the IAM user and the IAM role require policies.
The following sections list the policies required for the IAM user and the IAM role:
IAM user
An IAM user must have a permissions policy that allows the sts:AssumeRole action on the role in order to use temporary security credentials in the same or a different AWS account.
The following sample policy allows an IAM user to assume one specific role:
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::<ACCOUNT-HYPHENS>:role/<ROLE-NAME>"
    }
}
IAM role
An IAM role must have a permissions policy and a trust policy attached to allow the IAM user to access Amazon DynamoDB tables using temporary security credentials. The permissions policy specifies the Amazon DynamoDB tables that the user can access and the actions that the user can perform. The trust policy specifies the IAM user, or the AWS account, that is allowed to call sts:AssumeRole on the role.
The following policy is a sample trust policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AWS-account-ID:root"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
Trusting the account root, as above, lets any IAM identity in that account assume the role, provided that identity has its own sts:AssumeRole permission on the role. To restrict access further, provide in the Principal attribute the ARN of the specific IAM user who can use the dynamically generated temporary security credentials. For example:
"Principal": { "AWS": "arn:aws:iam::AWS-account-ID:user/user-name" }

External ID

You can optionally specify an external ID in the AssumeRole request to the AWS Security Token Service for more secure access to Amazon DynamoDB tables. The external ID must be a string. When the trust policy requires an external ID, STS rejects AssumeRole requests that omit it or carry a different value, which protects the role against the confused deputy problem when a third party assumes the role on your behalf.
The following sample shows an external ID condition in the trust policy of the assumed IAM role:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AWS_Account_ID:user/user_name"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "dummy_external_id"
                }
            }
        }
    ]
}
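An offline check of how the trust policies on this page decide an AssumeRole request, as an added example; it is not code from the connector or from AWS. It models only the constructs used in the samples above: an AWS principal that is either an account root or a specific IAM user ARN, the sts:AssumeRole action, and a StringEquals condition on sts:ExternalId. Real IAM evaluation has more (Deny statements, wildcards, other condition operators and keys), so anything outside this subset is treated as a deny. The account number, user names and external ID in the constructed policy are placeholders.

```python
"""Added example (not part of the connector documentation): evaluate whether
an AssumeRole request passes a trust policy, for the subset of IAM used on
this page (account-root or user-ARN principals, sts:ExternalId StringEquals)."""
from __future__ import annotations

import json
import re

# The two principal forms used on this page: account root and an IAM user.
_PRINCIPAL_RE = re.compile(r"^arn:aws:iam::(\d{12}):(root|user/.+)$")


def _as_list(value) -> list:
    """IAM accepts a single string or a list in most positions; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_matches(trusted_arn: str, caller_arn: str) -> bool:
    """Trusting the account root admits any IAM identity in that account
    (the identity still needs its own sts:AssumeRole permission); trusting a
    user ARN admits exactly that user. Anything else is not modelled."""
    trusted = _PRINCIPAL_RE.match(trusted_arn)
    caller = _PRINCIPAL_RE.match(caller_arn)
    if trusted is None or caller is None:
        return False
    if trusted.group(2) == "root":
        return trusted.group(1) == caller.group(1)
    return trusted_arn == caller_arn


def _conditions_hold(statement: dict, external_id: str | None) -> bool:
    """Only StringEquals on sts:ExternalId is modelled; any other operator or
    key fails closed. A required external ID that the request omits is a
    deny, as it is in STS."""
    for operator, pairs in statement.get("Condition", {}).items():
        if operator != "StringEquals":
            return False
        for key, expected in pairs.items():
            if key != "sts:ExternalId":
                return False
            if external_id is None or external_id not in _as_list(expected):
                return False
    return True


def assume_role_allowed(trust_policy: str, caller_arn: str,
                        external_id: str | None = None) -> bool:
    """Return True if some Allow statement in the trust policy lets caller_arn
    call sts:AssumeRole with the given external ID (None means none sent)."""
    policy = json.loads(trust_policy)
    for statement in _as_list(policy.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(statement.get("Action")):
            continue
        principal = statement.get("Principal")
        if not isinstance(principal, dict):
            continue  # "*" and service principals are outside the modelled subset
        if not any(_principal_matches(p, caller_arn)
                   for p in _as_list(principal.get("AWS"))):
            continue
        if _conditions_hold(statement, external_id):
            return True
    return False


# Constructed trust policy in the shape of the external ID sample above.
# The account number and user name are placeholders, not a real account.
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:user/connector_user"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "dummy_external_id"}},
    }],
})

if __name__ == "__main__":
    caller = "arn:aws:iam::123456789012:user/connector_user"
    print(assume_role_allowed(TRUST_POLICY, caller, "dummy_external_id"))  # True
    print(assume_role_allowed(TRUST_POLICY, caller))                       # False: no external ID
    print(assume_role_allowed(TRUST_POLICY, caller, "wrong_value"))        # False
    print(assume_role_allowed(TRUST_POLICY,
                              "arn:aws:iam::123456789012:user/someone_else",
                              "dummy_external_id"))                        # False
```

Running the same check against the earlier sample that trusts arn:aws:iam::AWS-account-ID:root shows the difference in scope: every user in that account passes the principal test, while a user from any other account does not.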