support cross-account role assumption in dynamodb-stream-consumer #39

Merged
jordane merged 1 commit into main from jme/LFXV2-1094
Feb 19, 2026

@jordane jordane commented Feb 19, 2026

Add AWS_ASSUME_ROLE_ARN env var. When set, the service assumes the specified role via STS after loading base credentials, enabling cross-account DynamoDB Streams access in production.

Issue: LFXV2-1094

Add AWS_ASSUME_ROLE_ARN env var. When set, the service assumes the
specified role via STS after loading base credentials, enabling
cross-account DynamoDB Streams access in production.

Issue: LFXV2-1094

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Jordan Evans <jevans@linuxfoundation.org>
@jordane jordane requested a review from emsearcy as a code owner February 19, 2026 18:35
Copilot AI review requested due to automatic review settings February 19, 2026 18:35
@jordane jordane requested a review from a team as a code owner February 19, 2026 18:35

Copilot AI left a comment

Pull request overview

This PR adds support for cross-account IAM role assumption in the DynamoDB stream consumer service. When the AWS_ASSUME_ROLE_ARN environment variable is set, the service uses AWS STS to assume the specified role after loading base credentials, enabling secure cross-account DynamoDB Streams access.

Changes:

  • Added AWS STS role assumption capability using AWS SDK v2's stscreds provider
  • Introduced new AWS_ASSUME_ROLE_ARN optional configuration parameter
  • Updated documentation and Helm charts to support the new feature

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| go.mod | Promoted AWS SDK v2 packages (sts, credentials/stscreds) from indirect to direct dependencies |
| cmd/dynamodb-stream-consumer/main.go | Added STS role assumption logic with lazy credential evaluation |
| cmd/dynamodb-stream-consumer/config.go | Added AssumeRoleARN field and environment variable loading |
| cmd/dynamodb-stream-consumer/README.md | Documented the new AWS_ASSUME_ROLE_ARN configuration option |
| charts/lfx-v1-sync-helper/values.yaml | Added AWS_ASSUME_ROLE_ARN environment variable configuration with example |

@jordane jordane merged commit 0f5814e into main Feb 19, 2026
8 of 9 checks passed
@jordane jordane deleted the jme/LFXV2-1094 branch February 19, 2026 18:43
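
An added example, not code from this PR or the project: one way to validate AWS_ASSUME_ROLE_ARN at startup with only the Go standard library, so a malformed value stops the service instead of leaving it on base credentials. The names `roleARN`, `parseRoleARN` and `assumeRoleFromEnv` are hypothetical, and failing closed on a bad value is this example's choice, not behaviour the PR states.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"regexp"
	"strings"
)

// roleARN holds the parts of an IAM role ARN relevant to cross-account access.
type roleARN struct{ Partition, AccountID, RoleName string }

var accountIDRe = regexp.MustCompile(`^[0-9]{12}$`)

// parseRoleARN accepts only arn:<partition>:iam::<12-digit account>:role/<name>.
func parseRoleARN(s string) (roleARN, error) {
	p := strings.SplitN(s, ":", 6)
	switch {
	case len(p) != 6 || p[0] != "arn" || p[1] == "":
		return roleARN{}, errors.New("not an ARN")
	case p[2] != "iam" || p[3] != "":
		return roleARN{}, errors.New("service must be iam with an empty region")
	case !accountIDRe.MatchString(p[4]):
		return roleARN{}, errors.New("account ID must be 12 digits")
	case !strings.HasPrefix(p[5], "role/") || len(p[5]) == len("role/"):
		return roleARN{}, errors.New("resource must be role/<name>")
	}
	return roleARN{p[1], p[4], strings.TrimPrefix(p[5], "role/")}, nil
}

// assumeRoleFromEnv reads AWS_ASSUME_ROLE_ARN through getenv.
// Unset or blank returns (nil, nil): keep the base credentials.
// Set but malformed returns an error so the caller can refuse to start.
func assumeRoleFromEnv(getenv func(string) string) (*roleARN, error) {
	raw := strings.TrimSpace(getenv("AWS_ASSUME_ROLE_ARN"))
	if raw == "" {
		return nil, nil
	}
	r, err := parseRoleARN(raw)
	if err != nil {
		return nil, fmt.Errorf("AWS_ASSUME_ROLE_ARN %q: %w", raw, err)
	}
	return &r, nil
}

func main() {
	fmt.Println(assumeRoleFromEnv(os.Getenv))
}
```

The parsed `AccountID` can be logged at startup so operators can confirm which account the consumer will read from.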