More changes to service endpoints for DynamoDB

[davidh44]

In AWS SDK for Java v2.31.0, we released changes to the DynamoDB client that introduces support for resource-based policies with account-based endpoints. This update enhances cross-account access capabilities by ensuring that requests are routed to the appropriate account’s endpoint when a resource ARN is provided in the request. For more information on account-based endpoints, please refer to the official SDK documentation.

Beginning with the 2.28.4 release, for DynamoDB requests, the SDK would attempt to retrieve the account ID from the credential provider to construct an account-based endpoint in the form of (account-id).ddb.(region).amazonaws.com. If the account ID was not present in the credential provider, the request would be made to the regional endpoint, dynamodb.(region).amazonaws.com.

In SDK releases from this version on, the SDK will first attempt to retrieve the account ID from the resource ARN in the request. If a resource ARN was not included in the request, the SDK will then look for the account ID in the credential provider, before falling back to the regional endpoint.

You may instead disable account-based endpoints for DynamoDB by setting the config flag accountIdEndpointMode to disabled, as a system property or environment variable. We recommend against this because the DynamoDB service uses account-based endpoints to ensure performance and scalability.