Skip to content

support cross-account role assumption in dynamodb-stream-consumer #39

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jordane merged 1 commit into from
Feb 19, 2026
Merged

support cross-account role assumption in dynamodb-stream-consumer #39

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions charts/lfx-v1-sync-helper/values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -239,6 +239,10 @@ dynamodbStreamConsumer:
# AWS_REGION is the AWS region for DynamoDB
AWS_REGION:
value: us-west-2
# AWS_ASSUME_ROLE_ARN is an optional IAM role ARN to assume via STS for cross-account
# DynamoDB access. Example: "arn:aws:iam::123456789012:role/dynamodb-streams-reader"
AWS_ASSUME_ROLE_ARN:
value: ""
# DYNAMODB_TABLES is a comma-separated list of DynamoDB table names to consume.
# Defaults to the full set of tables used by the tap-dynamodb Meltano extractor.
DYNAMODB_TABLES:
Expand Down
6 changes: 4 additions & 2 deletions cmd/dynamodb-stream-consumer/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -122,6 +122,7 @@ All configuration is via environment variables.
|---|---|---|
| `DYNAMODB_TABLES` | *(required)* | Comma-separated list of DynamoDB table names |
| `AWS_REGION` | `us-west-2` | AWS region |
| `AWS_ASSUME_ROLE_ARN` | *(unset)* | IAM role ARN to assume via STS for cross-account DynamoDB access |
| `NATS_URL` | `nats://localhost:4222` | NATS server URL |
| `NATS_STREAM_NAME` | `dynamodb_streams` | JetStream stream name |
| `NATS_SUBJECT_PREFIX` | `dynamodb_streams` | Subject prefix |
Expand All @@ -133,8 +134,9 @@ All configuration is via environment variables.
| `BIND` | `*` | Interface to bind the health check server on |
| `DEBUG` | `false` | Enable debug logging |

AWS credentials are resolved via the standard AWS credential chain (environment
variables, `~/.aws/credentials`, EC2/ECS instance profile, etc.).
AWS credentials are resolved via the standard AWS credential chain. When
`AWS_ASSUME_ROLE_ARN` is set, those credentials are used to assume the specified
role via STS, enabling cross-account DynamoDB access.

## Health checks

Expand Down
4 changes: 3 additions & 1 deletion cmd/dynamodb-stream-consumer/config.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,8 @@ type Config struct {
CheckpointBucket string

// AWS configuration
AWSRegion string
AWSRegion string
AssumeRoleARN string // Optional: IAM role ARN to assume via STS for cross-account access

// DynamoDB tables to consume (comma-separated)
Tables []string
Expand Down Expand Up @@ -76,6 +77,7 @@ func LoadConfig() (*Config, error) {
NATSSubjectPrefix: os.Getenv("NATS_SUBJECT_PREFIX"),
CheckpointBucket: os.Getenv("CHECKPOINT_BUCKET"),
AWSRegion: os.Getenv("AWS_REGION"),
AssumeRoleARN: os.Getenv("AWS_ASSUME_ROLE_ARN"),
Tables: tables,
StartFromLatest: parseBooleanEnv("START_FROM_LATEST"),
PollInterval: time.Duration(pollIntervalMS) * time.Millisecond,
Expand Down
9 changes: 9 additions & 0 deletions cmd/dynamodb-stream-consumer/main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,8 +41,10 @@ import (
"time"

awsconfig "github.com/aws/aws-sdk-go-v2/config"
"github.com/aws/aws-sdk-go-v2/credentials/stscreds"
"github.com/aws/aws-sdk-go-v2/service/dynamodb"
"github.com/aws/aws-sdk-go-v2/service/dynamodbstreams"
"github.com/aws/aws-sdk-go-v2/service/sts"
nats "github.com/nats-io/nats.go"
"github.com/nats-io/nats.go/jetstream"
)
Expand Down Expand Up @@ -183,6 +185,13 @@ func main() {
os.Exit(1)
}

// If a role ARN is configured, assume it via STS for cross-account DynamoDB access.
if cfg.AssumeRoleARN != "" {
logger.With("role_arn", cfg.AssumeRoleARN).Info("assuming IAM role for DynamoDB access")
stsClient := sts.NewFromConfig(awsCfg)
awsCfg.Credentials = stscreds.NewAssumeRoleProvider(stsClient, cfg.AssumeRoleARN)
}

dynClient := dynamodb.NewFromConfig(awsCfg)
streamsClient := dynamodbstreams.NewFromConfig(awsCfg)

Expand Down
12 changes: 6 additions & 6 deletions go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,12 @@ go 1.25.6
require (
github.com/akamensky/base58 v0.0.0-20210829145138-ce8bf8802e8f
github.com/auth0/go-auth0 v1.32.1
github.com/aws/aws-sdk-go-v2 v1.41.1
github.com/aws/aws-sdk-go-v2/config v1.32.9
github.com/aws/aws-sdk-go-v2/credentials v1.19.9
github.com/aws/aws-sdk-go-v2/service/dynamodb v1.55.0
github.com/aws/aws-sdk-go-v2/service/dynamodbstreams v1.32.10
github.com/aws/aws-sdk-go-v2/service/sts v1.41.6
github.com/golang-jwt/jwt/v5 v5.3.0
github.com/google/uuid v1.6.0
github.com/linuxfoundation/lfx-v2-committee-service v0.2.19
Expand All @@ -22,22 +28,16 @@ require (

require (
github.com/PuerkitoBio/rehttp v1.4.0 // indirect
github.com/aws/aws-sdk-go-v2 v1.41.1 // indirect
github.com/aws/aws-sdk-go-v2/config v1.32.9 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.19.9 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.17 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.17 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.17 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 // indirect
github.com/aws/aws-sdk-go-v2/service/dynamodb v1.55.0 // indirect
github.com/aws/aws-sdk-go-v2/service/dynamodbstreams v1.32.10 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.11.17 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.17 // indirect
github.com/aws/aws-sdk-go-v2/service/signin v1.0.5 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.30.10 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.14 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.41.6 // indirect
github.com/aws/smithy-go v1.24.0 // indirect
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
Expand Down