如何从 us-east-1 帐户访问在 us-west-2 区域创建的 S3 存储桶？

Question

I have account A with us-east-1 region having IAM role rt-profileRole and my application setup. Account B created S3 bucket in us-west-1 and us-west-2.

I am trying to list object using aws cli with role rtprofile. both bucket have similar bucket policy as below resource having correct bucket arn of bucket to which policy attach.

Problem is I can list object from bucket created in us-west-1 using aws s3 ls from my local system. But I got error when I try same for bucket created in us-west-2 An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied

I tired with multiple bucket and concluded that using account A role

1. I can access bucket of Account A created in us-east-1
2. I can access bucket of account B created in us-west-1
3. I can not access bucket of account B created in us-west-2.

Please help me to understand what wrong with west-2 region here.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DelegateS3Access",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::AccountA:role/rt-profileRole"
                ]
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::bucket-name/*",
                "arn:aws:s3:::bucket-name"
            ]
        }
    ]
}

Answer 1

Once you add the bucket policy to the bucket, you must also ensure the role has privileges in its IAM policy.

In addition if you're in an AWS organisation ensure there is no SCP on Account A that is prevent actions within a specific region.

Regarding the bucket policy you should scope this down to the permissions you want the bucket to use once you're confirmed it works (its currently every S3 action on the bucket including deletes).