Replicating DynamoDB table data across accounts in real time
What is the easiest approach (easiest implies low number of service maintenance overhead. Would prefer a serverless approach if possible) to copy data from a DDB table in one account to another, preferably in a serverless manner (so no scheduled jobs using Data Pipeline).
I was exploring possibility of using DynamoDB streams, however this old answer mentions that is not possible. However, I could not find latest documentation confirming/disproving this. Is that still the case?
Another option I was considering: Update the Firehose transform lambda that manipulates and then inserts data into the DynamoDB table to publish this to a Kinesis stream with cross account delivery enabled triggering a Lambda that will further process data as required.
This should be possible:
- configure DynamoDB table in the source account with Stream enabled
- create Lambda function in the same account (source account) and integrate it with DDB Stream
- create cross-account role, i.e. DynamoDBCrossAccountRole, in the destination account with permissions to do necessary operations on the destination DDB table (this role and destination DDB table are in the same account)
- add sts:AssumeRole permissions to your Lambda function's execution role in addition to logs permissions for CloudWatch so that it can assume the cross-account role
- call sts:AssumeRole from within your lambda function and configure DynamoDB client with these permissions, example:
import boto3

# Assume the cross-account role; STS returns temporary credentials (min. 900 s)
client = boto3.client('sts')
sts_response = client.assume_role(RoleArn='arn:aws:iam::<999999999999>:role/DynamoDBCrossAccountRole',
                                  RoleSessionName='AssumePocRole', DurationSeconds=900)

# Build the DynamoDB resource in the destination account from those temporary credentials
dynamodb = boto3.resource(service_name='dynamodb', region_name='<region>',
                          aws_access_key_id=sts_response['Credentials']['AccessKeyId'],
                          aws_secret_access_key=sts_response['Credentials']['SecretAccessKey'],
                          aws_session_token=sts_response['Credentials']['SessionToken'])
- now your lambda function should be able to operate on DynamoDB in the destination account from the source account
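A fuller version of that Lambda, added here as an example and not part of the answer above. It assumes the role ARN, destination table and region arrive through environment variables (variable names are this example's own), caches the assumed-role credentials across warm invocations and re-assumes the role before they expire, and replays each stream record with the low-level put_item/delete_item calls, which accept the stream's attribute-value JSON as-is.

```python
import os
from datetime import datetime, timedelta, timezone

# Configuration assumed to arrive through Lambda environment variables
# (variable names are this example's own, not from the original answer).
ROLE_ARN = os.environ.get("CROSS_ACCOUNT_ROLE_ARN",
                          "arn:aws:iam::<999999999999>:role/DynamoDBCrossAccountRole")
DEST_TABLE = os.environ.get("DEST_TABLE", "<destination-table>")
DEST_REGION = os.environ.get("DEST_REGION", "<region>")

_cached = {"client": None, "expires": None}

def destination_client():
    """DynamoDB client holding the assumed-role credentials, re-assuming the role shortly
    before the temporary credentials expire (a warm Lambda container can live for hours)."""
    import boto3  # imported here so the record translation below is testable without the SDK
    now = datetime.now(timezone.utc)
    if _cached["client"] is None or now >= _cached["expires"] - timedelta(minutes=2):
        creds = boto3.client("sts").assume_role(
            RoleArn=ROLE_ARN, RoleSessionName="DdbReplication", DurationSeconds=900)["Credentials"]
        _cached["client"] = boto3.client(
            "dynamodb", region_name=DEST_REGION,
            aws_access_key_id=creds["AccessKeyId"],
            aws_secret_access_key=creds["SecretAccessKey"],
            aws_session_token=creds["SessionToken"])
        _cached["expires"] = creds["Expiration"]  # tz-aware datetime parsed by boto3
    return _cached["client"]

def stream_record_to_op(record):
    """Map one DynamoDB Streams record to the low-level call that mirrors it on the
    destination. Stream images use the same attribute-value JSON ({'S': ...}, {'N': ...})
    that put_item/delete_item accept, so no deserialisation is needed."""
    change = record["dynamodb"]
    if record["eventName"] in ("INSERT", "MODIFY"):
        if "NewImage" not in change:  # KEYS_ONLY / OLD_IMAGE streams carry no new image
            raise ValueError("stream view type must be NEW_IMAGE or NEW_AND_OLD_IMAGES")
        return ("put_item", {"TableName": DEST_TABLE, "Item": change["NewImage"]})
    if record["eventName"] == "REMOVE":
        return ("delete_item", {"TableName": DEST_TABLE, "Key": change["Keys"]})
    raise ValueError("unexpected eventName %r" % record["eventName"])

def lambda_handler(event, context):
    """Lambda entry point: replay the batch in order; an exception fails the batch so the
    stream retries it instead of silently dropping changes."""
    client = destination_client()
    ops = [stream_record_to_op(r) for r in event["Records"]]
    for name, kwargs in ops:
        getattr(client, name)(**kwargs)
    return {"replicated": len(ops)}
```

The source table's stream must be enabled with NEW_IMAGE or NEW_AND_OLD_IMAGES; with KEYS_ONLY or OLD_IMAGE there is no new image to write, and the handler fails the batch rather than writing key-only items.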