Cross Account
  • 26 Jan 2022

Cross Account Apps allow you to extend your EchoStream Tenant into an AWS Account. They accomplish this by providing AWS cross-account access to the Edges (and their KmsKeys) that are attached to the External Nodes assigned to the Cross Account App.

The primary use case for Cross Account Apps is event-driven processing in your AWS Account: implement your External Nodes as AWS Lambda functions and use the Edge SQS queues as the triggers that invoke them. More generally, any case where you connect to the Edges directly and that connection requires IAM permissions in your AWS Account is a use case for Cross Account Apps.
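The Lambda pattern above, as an added example (not EchoStream's own code): a handler that consumes a batch of records delivered from an Edge SQS queue and reports per-message failures instead of failing the whole batch. The message body format (a JSON object with an eventType field), the MAX_RECEIVES threshold, and the sample event are assumptions constructed for the example; they are not taken from the EchoStream API.

```python
"""Lambda handler for an External Node triggered by an Edge SQS queue.

Added example, not EchoStream's own code. The body format ("eventType"),
MAX_RECEIVES and the sample event below are assumptions.
"""
import json
from typing import Any, Dict, List

# Assumption: after this many deliveries a message is treated as a poison pill
# and acknowledged (dropped) rather than retried indefinitely.
MAX_RECEIVES = 5


def process_message(body: Dict[str, Any]) -> Dict[str, Any]:
    """Hypothetical Node logic: require an eventType and report what was handled."""
    if "eventType" not in body:
        raise ValueError("message has no eventType")
    return {"handled": body["eventType"]}


def lambda_handler(event: Dict[str, Any], context: Any = None) -> Dict[str, List[Dict[str, str]]]:
    """Process one SQS batch and return the IDs of the records that should be retried.

    Returning batchItemFailures (the event source mapping must have
    ReportBatchItemFailures enabled) makes Lambda delete only the successful
    messages and leave the failed ones on the queue for redelivery.
    """
    failures: List[Dict[str, str]] = []
    for record in event.get("Records", []):
        message_id = record["messageId"]
        receive_count = int(record.get("attributes", {}).get("ApproximateReceiveCount", "1"))
        try:
            body = json.loads(record["body"])
            process_message(body)
        except Exception as exc:  # any failure is either retried or dropped
            if receive_count >= MAX_RECEIVES:
                # Not reporting the record as failed lets Lambda delete it.
                print(f"dropping poison message {message_id} after {receive_count} receives: {exc}")
            else:
                failures.append({"itemIdentifier": message_id})
    return {"batchItemFailures": failures}


def sample_event() -> Dict[str, Any]:
    """Constructed SQS event (not captured from a real Edge queue)."""

    def rec(mid: str, body: str, receives: str = "1") -> Dict[str, Any]:
        return {
            "messageId": mid,
            "receiptHandle": "opaque-handle",
            "body": body,
            "attributes": {"ApproximateReceiveCount": receives},
            "eventSource": "aws:sqs",
            "eventSourceARN": "arn:aws:sqs:us-east-1:111111111111:example-edge-queue",
        }

    return {
        "Records": [
            rec("m1", json.dumps({"eventType": "order.created", "id": 42})),  # succeeds
            rec("m2", "not json"),                                          # fails, retried
            rec("m3", json.dumps({"id": 7}), receives="5"),                 # fails, dropped
        ]
    }


if __name__ == "__main__":
    print(lambda_handler(sample_event()))
```

Because the Edge queues are encrypted with the KmsKeys mentioned above, the function's execution role needs kms:Decrypt on those keys in addition to the SQS receive/delete permissions; Lambda decrypts the messages when polling, so the handler only ever sees plaintext bodies. Dropping a message after MAX_RECEIVES is a last resort for a queue you do not own; where a dead-letter redrive is available, prefer that.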

When creating a Cross Account App you must provide the ID of the AWS Account that will be granted the cross-account access.

Attributes

config

You have the option of creating a configuration (aka - config) for your App.

The config is a JSON object that can contain anything that you desire. All data stored within this object is encrypted prior to being stored in EchoStream in order to protect sensitive items such as database or API credentials.

If you create a config for your App, it is passed to all Nodes within the App.

Keys in your App config override the same keys in the Tenant config, and are in turn overridden by keys in the configs of your individual Nodes.

Example:

{
    "database": {
        "credentials": {
            "username": "foobar",
            "password": "password1"
        },
        "address": "127.0.0.1",
        "port": 3576
    }
}

credentials

Credentials provide your App and the Nodes within it the ability to access the EchoStream API (necessary for self-configuration). See App User for how to use these credentials in general and External Nodes for how to use them in a Node.

iamPolicy

You must use IAM to grant the compute resources in your AWS Account access to the EchoStream Cloud resources assigned to your Nodes. You can obtain an IAM policy document that makes this easier from this attribute. To use the policy document, do one of the following:

  • Create an IAM Managed Policy with the document as its content, then attach that policy to the compute resource's IAM Role.
  • Create an Inline Policy in the compute resource's IAM Role with the document as its content.
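Both attachment options, as an added example (not EchoStream's own code), preceded by a review step that flags anything in the document a reviewer would want to look at before granting it to a role. SAMPLE_POLICY is constructed to resemble a cross-account SQS/KMS grant; the real content comes from the iamPolicy attribute. The role and policy names are placeholders, and the boto3 calls need AWS credentials for the account that owns the role.

```python
"""Review the iamPolicy document from a Cross Account App, then attach it to a role.

Added example, not EchoStream's own code. SAMPLE_POLICY is constructed; use
the document obtained from the App's iamPolicy attribute in practice.
"""
import json
from typing import Any, Dict, List

# IAM rejects managed policy documents above this many non-whitespace characters.
MANAGED_POLICY_MAX_CHARS = 6144

SAMPLE_POLICY: Dict[str, Any] = {  # constructed stand-in for the iamPolicy attribute
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"],
            "Resource": "arn:aws:sqs:us-east-1:111111111111:example-edge-queue",
        },
        {
            "Effect": "Allow",
            "Action": ["kms:Decrypt"],
            "Resource": "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000",
        },
    ],
}


def _as_list(value: Any) -> List[Any]:
    """IAM allows a single string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def review_policy(doc: Dict[str, Any]) -> List[str]:
    """Return findings to look at before attaching the document; empty means no concerns."""
    findings: List[str] = []
    if doc.get("Version") != "2012-10-17":
        findings.append("policy Version should be 2012-10-17")
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource grants are hard to reason about")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"statement {i}: wildcard resource")
    # Compact serialisation approximates IAM's non-whitespace character count.
    if len(json.dumps(doc, separators=(",", ":"))) > MANAGED_POLICY_MAX_CHARS:
        findings.append("document exceeds the managed policy size limit; use an inline policy or split it")
    return findings


def attach_as_managed_policy(role_name: str, policy_name: str, doc: Dict[str, Any]) -> str:
    """Option 1: create a customer managed policy and attach it. Returns the policy ARN."""
    import boto3  # imported here so review_policy works without boto3 installed

    iam = boto3.client("iam")
    arn = iam.create_policy(PolicyName=policy_name, PolicyDocument=json.dumps(doc))["Policy"]["Arn"]
    iam.attach_role_policy(RoleName=role_name, PolicyArn=arn)
    return arn


def attach_as_inline_policy(role_name: str, policy_name: str, doc: Dict[str, Any]) -> None:
    """Option 2: embed the document directly in the role."""
    import boto3

    iam = boto3.client("iam")
    iam.put_role_policy(RoleName=role_name, PolicyName=policy_name, PolicyDocument=json.dumps(doc))


if __name__ == "__main__":
    problems = review_policy(SAMPLE_POLICY)
    if problems:
        raise SystemExit("\n".join(problems))
    # Placeholder names; substitute the role your Lambda functions execute under.
    print(attach_as_managed_policy("echostream-node-lambda-role", "EchoStreamCrossAccountApp", SAMPLE_POLICY))
```

A managed policy can be shared by every Node function's role and updated in one place; an inline policy is deleted with the role, which is convenient when the role exists only for this App. Either way, the permissions end up on the role that your Lambda functions (or other compute) execute under, not on a user.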

tableAccess

If you want the Nodes in your Cross Account App to be able to access the Tenant's table, set this to true. The default is false.

If the Cross Account App is hosted in your own AWS Account you probably want to allow table access. If the App is hosted in a foreign AWS Account, allow table access only if you trust the owner of that account, since it gives their compute resources access to your Tenant's table.

Methods

GetAwsCredentials

While access to the Edges (and their KmsKeys) is provided to your App via cross-account IAM permissions, certain resources, such as your Tenant's table, are not. To access these ancillary resources you must call AWS directly using the credentials returned by this method.
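Using those credentials from a Node, as an added example (not EchoStream's own code): a small cache that calls GetAwsCredentials only when the cached credentials are about to expire, builds a boto3 session from them without writing them to disk or environment variables, and reads from the table. The GetAwsCredentials call is represented by a caller-supplied function; the returned field names (accessKeyId, secretAccessKey, sessionToken, expiration), the assumption that the credentials are temporary, and the assumption that the Tenant's table is a DynamoDB table are all mine, to be checked against the API.

```python
"""Cache and use the temporary credentials returned by GetAwsCredentials.

Added example, not EchoStream's own code. Assumptions: the call is wrapped by
a caller-supplied `fetch` returning a dict with accessKeyId, secretAccessKey,
sessionToken and an ISO-8601 expiration; the Tenant's table is DynamoDB.
"""
from datetime import datetime, timedelta, timezone
from typing import Any, Callable, Dict, Optional

# Refresh ahead of the real expiry to cover clock skew and long-running calls.
REFRESH_MARGIN = timedelta(minutes=5)


def parse_expiration(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; a trailing 'Z' is treated as UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def credentials_usable(creds: Dict[str, Any], now: Optional[datetime] = None) -> bool:
    """True if the credentials will still be valid REFRESH_MARGIN from now."""
    now = now or datetime.now(timezone.utc)
    return parse_expiration(creds["expiration"]) - REFRESH_MARGIN > now


class CredentialCache:
    """Holds one set of credentials and re-fetches them only when needed."""

    def __init__(self, fetch: Callable[[], Dict[str, Any]]):
        self._fetch = fetch            # wraps the GetAwsCredentials call (assumed shape)
        self._creds: Optional[Dict[str, Any]] = None
        self.fetch_count = 0           # exposed so callers can see how often the API is hit

    def get(self, now: Optional[datetime] = None) -> Dict[str, Any]:
        if self._creds is None or not credentials_usable(self._creds, now):
            self._creds = self._fetch()
            self.fetch_count += 1
        return self._creds

    def session(self):
        """Build a boto3 session in memory; the secrets never touch disk or the environment."""
        import boto3  # imported here so the cache logic runs without boto3 installed

        c = self.get()
        return boto3.Session(
            aws_access_key_id=c["accessKeyId"],
            aws_secret_access_key=c["secretAccessKey"],
            aws_session_token=c["sessionToken"],
        )


def read_table_item(cache: CredentialCache, table_name: str, key: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Read one item from the Tenant's table (assumed to be DynamoDB; name supplied by the caller)."""
    table = cache.session().resource("dynamodb").Table(table_name)
    return table.get_item(Key=key).get("Item")


def fake_get_aws_credentials(issued_at: datetime, ttl: timedelta = timedelta(hours=1)) -> Dict[str, Any]:
    """Constructed stand-in for GetAwsCredentials; values are placeholders, not real keys."""
    return {
        "accessKeyId": "ASIAEXAMPLEEXAMPLE",
        "secretAccessKey": "example-secret-access-key",
        "sessionToken": "example-session-token",
        "expiration": (issued_at + ttl).isoformat(),
    }


if __name__ == "__main__":
    base = datetime(2022, 1, 26, 12, 0, tzinfo=timezone.utc)
    cache = CredentialCache(lambda: fake_get_aws_credentials(base))
    cache.get(now=base)
    cache.get(now=base + timedelta(minutes=50))   # still fresh: no second fetch
    cache.get(now=base + timedelta(minutes=56))   # inside the margin: re-fetched
    print(f"GetAwsCredentials called {cache.fetch_count} times")
```

Keep the cache per process (for example, at module scope in a Lambda function) rather than fetching fresh credentials on every invocation, and never log or persist the returned values.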
