Replicating DynamoDB table data across accounts in real time
What is the easiest approach (easiest implies low service-maintenance overhead; would prefer a serverless approach if possible) to copy data from a DDB table in one account to another, preferably in a serverless manner (so no scheduled jobs using Data Pipeline)?
I was exploring the possibility of using DynamoDB Streams; however, this old answer mentions that it is not possible. However, I could not find recent documentation confirming/disproving this. Is that still the case?
Another option I was considering: update the Firehose transform Lambda that manipulates and then inserts data into the DynamoDB table so that it also publishes the data to a Kinesis stream with cross-account delivery enabled, triggering a Lambda that will further process the data as required.
This should be possible:
- configure the DynamoDB table in the source account with Stream enabled
- create a Lambda function in the same account (source account) and integrate it with the DDB Stream
- create a cross-account role, i.e. `DynamoDBCrossAccountRole`, in the destination account with permissions to do the necessary operations on the destination DDB table (this role and the destination DDB table are in the same account)
- add `sts:AssumeRole` permissions to your Lambda function's execution role, in addition to the `logs` permissions for CloudWatch, so that it can assume the cross-account role
- call `sts:AssumeRole` from within your Lambda function and configure the DynamoDB client with these credentials, for example:
```python
import boto3

# Obtain short-lived credentials for the role in the destination account.
# <999999999999> is the destination account id; the role must trust the
# Lambda execution role in the source account.
client = boto3.client('sts')
sts_response = client.assume_role(RoleArn='arn:aws:iam::<999999999999>:role/DynamoDBCrossAccountRole',
                                  RoleSessionName='AssumePocRole', DurationSeconds=900)

# Build a DynamoDB resource bound to the temporary credentials (not the
# Lambda's own), so writes land in the destination account.
dynamodb = boto3.resource(service_name='dynamodb', region_name='<region>',
                          aws_access_key_id=sts_response['Credentials']['AccessKeyId'],
                          aws_secret_access_key=sts_response['Credentials']['SecretAccessKey'],
                          aws_session_token=sts_response['Credentials']['SessionToken'])
```
- now your Lambda function should be able to operate on DynamoDB in the destination account from the source account
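The steps above, carried through as one complete Lambda replicator (an added example, not code from the original answer): it decodes the DynamoDB Streams wire format, turns each INSERT/MODIFY/REMOVE record into a put or delete against the destination table, and performs those writes through the assumed cross-account role. The role ARN, table name and region are placeholders read from environment variables, and the sample event at the bottom is constructed for illustration. `boto3` is imported only inside the function that talks to AWS, so the record-processing logic can be exercised offline.

```python
"""Cross-account DynamoDB Streams replicator (added example, not from the page).

Assumptions: DEST_ROLE_ARN, DEST_TABLE and DEST_REGION are set in the Lambda
environment; the destination role trusts the Lambda execution role and
allows dynamodb:PutItem / dynamodb:DeleteItem on the destination table.
"""
import os
from decimal import Decimal

# Placeholders, not values from the original answer.
DEST_ROLE_ARN = os.environ.get("DEST_ROLE_ARN", "arn:aws:iam::<999999999999>:role/DynamoDBCrossAccountRole")
DEST_TABLE = os.environ.get("DEST_TABLE", "<destination-table>")
DEST_REGION = os.environ.get("DEST_REGION", "<region>")


def from_ddb_json(value):
    """Convert one DynamoDB attribute value ({"S": "x"}, {"N": "1"}, ...)
    into a native Python value. Stream records carry this wire format, while
    the high-level Table resource expects native types on put_item."""
    (kind, payload), = value.items()
    if kind == "S" or kind == "B":
        return payload
    if kind == "N":
        return Decimal(payload)
    if kind == "BOOL":
        return bool(payload)
    if kind == "NULL":
        return None
    if kind == "SS":
        return set(payload)
    if kind == "NS":
        return {Decimal(n) for n in payload}
    if kind == "L":
        return [from_ddb_json(v) for v in payload]
    if kind == "M":
        return {k: from_ddb_json(v) for k, v in payload.items()}
    raise ValueError(f"unsupported attribute type {kind!r}")


def plan_writes(records):
    """Map stream records to ("put", item) / ("delete", key) operations.
    INSERT and MODIFY carry NewImage (the stream must be configured with
    NEW_IMAGE or NEW_AND_OLD_IMAGES); REMOVE carries only Keys. Records from
    any other event source are skipped rather than mis-applied."""
    ops = []
    for rec in records:
        if rec.get("eventSource") != "aws:dynamodb":
            continue
        ddb = rec["dynamodb"]
        if rec["eventName"] in ("INSERT", "MODIFY"):
            ops.append(("put", {k: from_ddb_json(v) for k, v in ddb["NewImage"].items()}))
        elif rec["eventName"] == "REMOVE":
            ops.append(("delete", {k: from_ddb_json(v) for k, v in ddb["Keys"].items()}))
    return ops


def destination_table():
    """Assume the destination-account role and return a Table resource bound
    to the short-lived credentials (same pattern as the answer's snippet)."""
    import boto3  # imported here so the pure functions above run without AWS
    creds = boto3.client("sts").assume_role(
        RoleArn=DEST_ROLE_ARN, RoleSessionName="ddb-replicator", DurationSeconds=900
    )["Credentials"]
    dynamodb = boto3.resource(
        "dynamodb", region_name=DEST_REGION,
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )
    return dynamodb.Table(DEST_TABLE)


def lambda_handler(event, context):
    """Entry point wired to the source table's stream. Writes are applied
    one at a time in stream order (a batch write could reorder or reject a
    put and delete of the same key); an exception makes Lambda retry the
    batch, so a failure never leaves the destination silently diverged."""
    ops = plan_writes(event.get("Records", []))
    if ops:
        table = destination_table()
        for action, payload in ops:
            if action == "put":
                table.put_item(Item=payload)
            else:
                table.delete_item(Key=payload)
    return {"applied": len(ops)}


# Constructed sample event in the shape Lambda receives from DynamoDB Streams.
SAMPLE_EVENT = {
    "Records": [
        {"eventSource": "aws:dynamodb", "eventName": "INSERT",
         "dynamodb": {"Keys": {"pk": {"S": "user#1"}},
                      "NewImage": {"pk": {"S": "user#1"}, "age": {"N": "42"},
                                   "tags": {"L": [{"S": "a"}, {"S": "b"}]},
                                   "active": {"BOOL": True}}}},
        {"eventSource": "aws:dynamodb", "eventName": "REMOVE",
         "dynamodb": {"Keys": {"pk": {"S": "user#2"}}}},
    ]
}
```

Two things to check when deploying this: the trust policy on `DynamoDBCrossAccountRole` must name the Lambda execution role's ARN as a principal for `sts:AssumeRole`, and the role's permissions should be limited to `dynamodb:PutItem` and `dynamodb:DeleteItem` on the single destination table ARN, so a compromised source-account function cannot reach anything else in the destination account.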