Merge pull request #39 from linuxfoundation/jme/LFXV2-1094

support cross-account role assumption in dynamodb-stream-consumer

Author: jordane

charts/lfx-v1-sync-helper/values.yaml

@@ -239,6 +239,10 @@ dynamodbStreamConsumer:
     # AWS_REGION is the AWS region for DynamoDB
     AWS_REGION:
       value: us-west-2
+    # AWS_ASSUME_ROLE_ARN is an optional IAM role ARN to assume via STS for cross-account
+    # DynamoDB access. Example: "arn:aws:iam::123456789012:role/dynamodb-streams-reader"
+    AWS_ASSUME_ROLE_ARN:
+      value: ""
     # DYNAMODB_TABLES is a comma-separated list of DynamoDB table names to consume.
     # Defaults to the full set of tables used by the tap-dynamodb Meltano extractor.
     DYNAMODB_TABLES:

cmd/dynamodb-stream-consumer/README.md

@@ -122,6 +122,7 @@ All configuration is via environment variables.
 |---|---|---|
 | `DYNAMODB_TABLES` | *(required)* | Comma-separated list of DynamoDB table names |
 | `AWS_REGION` | `us-west-2` | AWS region |
+| `AWS_ASSUME_ROLE_ARN` | *(unset)* | IAM role ARN to assume via STS for cross-account DynamoDB access |
 | `NATS_URL` | `nats://localhost:4222` | NATS server URL |
 | `NATS_STREAM_NAME` | `dynamodb_streams` | JetStream stream name |
 | `NATS_SUBJECT_PREFIX` | `dynamodb_streams` | Subject prefix |
@@ -133,8 +134,9 @@ All configuration is via environment variables.
 | `BIND` | `*` | Interface to bind the health check server on |
 | `DEBUG` | `false` | Enable debug logging |
 
-AWS credentials are resolved via the standard AWS credential chain (environment
-variables, `~/.aws/credentials`, EC2/ECS instance profile, etc.).
+AWS credentials are resolved via the standard AWS credential chain. When
+`AWS_ASSUME_ROLE_ARN` is set, those credentials are used to assume the specified
+role via STS, enabling cross-account DynamoDB access.
 
 ## Health checks
 

cmd/dynamodb-stream-consumer/config.go

@@ -26,7 +26,8 @@ type Config struct {
 	CheckpointBucket string
 
 	// AWS configuration
-	AWSRegion string
+	AWSRegion     string
+	AssumeRoleARN string // Optional: IAM role ARN to assume via STS for cross-account access
 
 	// DynamoDB tables to consume (comma-separated)
 	Tables []string
@@ -76,6 +77,7 @@ func LoadConfig() (*Config, error) {
 		NATSSubjectPrefix:    os.Getenv("NATS_SUBJECT_PREFIX"),
 		CheckpointBucket:     os.Getenv("CHECKPOINT_BUCKET"),
 		AWSRegion:            os.Getenv("AWS_REGION"),
+		AssumeRoleARN:        os.Getenv("AWS_ASSUME_ROLE_ARN"),
 		Tables:               tables,
 		StartFromLatest:      parseBooleanEnv("START_FROM_LATEST"),
 		PollInterval:         time.Duration(pollIntervalMS) * time.Millisecond,

cmd/dynamodb-stream-consumer/main.go

@@ -41,8 +41,10 @@ import (
 	"time"
 
 	awsconfig "github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/credentials/stscreds"
 	"github.com/aws/aws-sdk-go-v2/service/dynamodb"
 	"github.com/aws/aws-sdk-go-v2/service/dynamodbstreams"
+	"github.com/aws/aws-sdk-go-v2/service/sts"
 	nats "github.com/nats-io/nats.go"
 	"github.com/nats-io/nats.go/jetstream"
 )
@@ -183,6 +185,13 @@ func main() {
 		os.Exit(1)
 	}
 
+	// If a role ARN is configured, assume it via STS for cross-account DynamoDB access.
+	if cfg.AssumeRoleARN != "" {
+		logger.With("role_arn", cfg.AssumeRoleARN).Info("assuming IAM role for DynamoDB access")
+		stsClient := sts.NewFromConfig(awsCfg)
+		awsCfg.Credentials = stscreds.NewAssumeRoleProvider(stsClient, cfg.AssumeRoleARN)
+	}
+
 	dynClient := dynamodb.NewFromConfig(awsCfg)
 	streamsClient := dynamodbstreams.NewFromConfig(awsCfg)
 

go.mod

@@ -7,6 +7,12 @@ go 1.25.6
 require (
 	github.com/akamensky/base58 v0.0.0-20210829145138-ce8bf8802e8f
 	github.com/auth0/go-auth0 v1.32.1
+	github.com/aws/aws-sdk-go-v2 v1.41.1
+	github.com/aws/aws-sdk-go-v2/config v1.32.9
+	github.com/aws/aws-sdk-go-v2/credentials v1.19.9
+	github.com/aws/aws-sdk-go-v2/service/dynamodb v1.55.0
+	github.com/aws/aws-sdk-go-v2/service/dynamodbstreams v1.32.10
+	github.com/aws/aws-sdk-go-v2/service/sts v1.41.6
 	github.com/golang-jwt/jwt/v5 v5.3.0
 	github.com/google/uuid v1.6.0
 	github.com/linuxfoundation/lfx-v2-committee-service v0.2.19
@@ -22,22 +28,16 @@ require (
 
 require (
 	github.com/PuerkitoBio/rehttp v1.4.0 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.41.1 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.32.9 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.19.9 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.17 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.17 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.17 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/dynamodb v1.55.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/dynamodbstreams v1.32.10 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.11.17 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.17 // indirect
 	github.com/aws/aws-sdk-go-v2/service/signin v1.0.5 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.30.10 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.14 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.41.6 // indirect
 	github.com/aws/smithy-go v1.24.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect