
Cross account S3 access with CannedACL

We have a use case where we put objects in an S3 bucket which is in a different account than ours. We do that using an IAM user. This is working fine.

We've now replaced the IAM user based access with IAM role based access. Hence, instead of the IAM user I have created an IAM role and I have put identical permissions (same as the IAM user) for the IAM role in all places (on the IAM role, on the S3 bucket).

But it's giving a 403 error when I try to put an object in that bucket. What could be the reason? (Shall I whitelist the STS ARN on the bucket? Do we need to change the bucket ACLs in any way?)

The S3 bucket has the following policy attached.

IAM role in account A is: arn:aws:iam::AAAAAA:role/my-role

Bucket in account B is: arn:aws:s3:::bucket

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow Development Write Access",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::AAAAAA:role/my-role"
                ]
            },
            "Action": "s3:Put*",
            "Resource": [
                "arn:aws:s3:::bucket/*",
                "arn:aws:s3:::bucket"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        },
        {
            "Sid": "Allow Development Read Access",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::AAAAAA:role/my-role"
                ]
            },
            "Action": [
                "s3:List*",
                "s3:Get*"
            ],
            "Resource": [
                "arn:aws:s3:::bucket/*",
                "arn:aws:s3:::bucket"
            ]
        }
    ]
}

I'm accessing it with the following piece of code:

s3Client.putObject(new PutObjectRequest(bucketName, key, file)
        .withCannedAcl(CannedAccessControlList.BucketOwnerFullControl));

What could I be missing here?

This is fixed now. There was server side encryption enabled for that S3 bucket and my IAM role didn't have permission to the KMS key used for encryption. Once this role was given permission to the KMS key it worked.

I didn't have to use that KMS key while making a putObject request, so I'm not sure why it required permission to the KMS key.

Also, I could list the buckets (before the KMS key permission was given) but couldn't put an object (strange!).
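An added example (not from the question or the answer): an offline check of the bucket policy above against a PutObject request from the role, showing that the `s3:x-amz-acl` condition is what makes the canned ACL mandatory, plus the KMS permissions the role additionally needs when the bucket's default encryption is SSE-KMS (an assumption about the poster's bucket; the bucket policy cannot grant those). The evaluator is deliberately simplified: it models only `Allow` statements and `StringEquals` conditions, which is all this policy uses.

```python
import fnmatch

ROLE_ARN = "arn:aws:iam::AAAAAA:role/my-role"

# The bucket policy from the question (account B), embedded so the check runs offline.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Allow Development Write Access", "Effect": "Allow",
         "Principal": {"AWS": [ROLE_ARN]}, "Action": "s3:Put*",
         "Resource": ["arn:aws:s3:::bucket/*", "arn:aws:s3:::bucket"],
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
        {"Sid": "Allow Development Read Access", "Effect": "Allow",
         "Principal": {"AWS": [ROLE_ARN]}, "Action": ["s3:List*", "s3:Get*"],
         "Resource": ["arn:aws:s3:::bucket/*", "arn:aws:s3:::bucket"]},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value):
    # IAM wildcards are '*' and '?'; action names are compared case-insensitively.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def bucket_policy_allows(policy, principal_arn, action, resource, request_context):
    """Simplified evaluation: True if any Allow statement matches (this policy has no Deny)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if principal_arn not in _as_list(stmt["Principal"]["AWS"]):
            continue
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        # StringEquals: every condition key must be present in the request with the exact value,
        # so a PutObject sent without x-amz-acl: bucket-owner-full-control fails this statement.
        expected = stmt.get("Condition", {}).get("StringEquals", {})
        if all(request_context.get(k) == v for k, v in expected.items()):
            return True
    return False

def permissions_needed(action, bucket_default_sse=None):
    """Permissions the caller needs in addition to the S3 action when the bucket
    default encryption is SSE-KMS; these come from the role's identity policy and the key policy."""
    needed = [action]
    if bucket_default_sse == "aws:kms":
        if action == "s3:PutObject":
            needed.append("kms:GenerateDataKey")  # S3 generates a data key per object on upload
        elif action == "s3:GetObject":
            needed.append("kms:Decrypt")          # listing the bucket needs no KMS call at all
    return needed
```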
