跨账户实时复制DynamoDB表数据 [英] Copy DynamoDB table data cross account real time

问题描述

将数据从一个帐户中的 DDB 表复制到另一个帐户的最简单方法是什么(最简单意味着服务维护开销较少.如果可能，更喜欢无服务器方法)将数据从一个帐户中的 DDB 表复制到另一个帐户，最好以无服务器方式(因此没有计划的作业使用数据管道).

What is the easiest approach (easiest implies low number of service maintenance overhead. Would prefer server less approach if possible) to copy data from a DDB table in one account to another, preferably in server less manner (so no scheduled jobs using Data pipelines).

我正在探索使用 DynamoDB 流的可能性，但是这个旧的 answer 提到这是不可能的.但是，我找不到确认/反驳这一点的最新文档.还是这样吗?

I was exploring possibility of using DynamoDB streams, however this old answer mentions that is not possible. However, I could not find latest documentation confirming/disproving this. Is that still the case?

我正在考虑的另一个选项:更新 Firehose 转换 lambda，该 lambda 操作会操作然后将数据插入到 DynamoDB 表中，以将其发布到启用跨账户交付的 Kinesis 流，从而触发将根据需要进一步处理数据的 Lambda.

Another option I was considering: Update the Firehose transform lambda that manipulates and then inserts data into the DynamoDB table to publish this to a Kinesis stream with cross account delivery enabled triggering a Lambda that will further process data as required.

推荐答案

这应该是可能的

• 在源账户中配置 DynamoDB 表并启用 Stream
• 在同一个账户(源账户)中创建 Lambda 函数并将其与 DDB Stream 集成
• 创建跨账户角色，即目标账户中的DynamoDBCrossAccountRole，有权对目标DDB表进行必要的操作(此角色和目标DDB表在同一个账户中)
• 为您的 Lambda 函数的执行角色添加 sts:AssumeRole 权限以及 CloudWatch 的 logs 权限，以便它可以承担跨账户角色
• 从您的 lambda 函数中调用 sts:AssumeRole 并使用这些权限配置 DynamoDB 客户端，例如:

• configure DynamoDB table in the source account with Stream enabled
• create Lambda function in the same account (source account) and integrate it with DDB Stream
• create cross-account role, i.e DynamoDBCrossAccountRole in the destination account with permissions to do necessary operations on the destination DDB table (this role and destination DDB table are in the same account)
• add sts:AssumeRole permissions to your Lambda function's execution role in addition to logs permissions for CloudWatch so that it can assume the cross-account role
• call sts:AssumeRole from within your lambda function and configure DynamoDB client with these permissions, example:

client = boto3.client('sts')
sts_response = client.assume_role(RoleArn='arn:aws:iam::<999999999999>:role/DynamoDBCrossAccountRole',                              
                                      RoleSessionName='AssumePocRole', DurationSeconds=900)

dynamodb = boto3.resource(service_name='dynamodb', region_name=<region>,
                              aws_access_key_id = sts_response['Credentials']['AccessKeyId'],
                              aws_secret_access_key = sts_response['Credentials']['SecretAccessKey',
                              aws_session_token = sts_response['Credentials']['SessionToken']) 

• 现在您的 lambda 函数应该能够从源帐户对目标帐户中的 DynamoDB 进行操作

这篇关于跨账户实时复制DynamoDB表数据的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！