
Cross account S3 access from the same AWS role

I want an AWS role to have access to two S3 buckets, one in its own account (Account A), and now in another account (Account B). The role currently has access to its own Account S3 bucket.

To have access to the other account's S3 bucket, the doc says to update the bucket policy of the Account B S3 bucket. This is the current bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSSLRequestsOnly",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::s3bucketB-574e6ce",
                "arn:aws:s3:::s3bucketB-574e6ce/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}

I believe I need to add a new statement to the existing one. This is the updated policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSSLRequestsOnly",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::s3bucketB-574e6ce",
                "arn:aws:s3:::s3bucketB-574e6ce/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::1111:role/AccountA-role"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::s3bucketB-574e6ce",
                "arn:aws:s3:::s3bucketB-574e6ce/*"
            ]
        }
    ]
}

The last time I updated an S3 bucket policy, I messed up the bucket and had a tough time reverting it, since I was not able to access it myself. It would be great if someone from the community could review the updated policy above and let me know if I am on the right track.

As the doc mentions and John Rotenstein pointed out in the comments, if you want cross-account access to an S3 bucket, you must set an Allow policy on both the IAM role and the S3 bucket.

When the IAM role and the resource with its policy (e.g. S3, SNS, ...) are in the same account, it is enough to configure an Allow policy on either side (the IAM role or S3) once. But for cross-account access, you have to configure the policy on both the IAM role and the S3 bucket.

(You can refer to this official document for a more detailed explanation of identity-based policies and resource-based policies, and this official document to see how policies are evaluated in a cross-account situation.)


So far you have configured the bucket policy only; you also have to configure permissions for the IAM role (in Account A). The IAM role should also have an IAM policy like the one below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAccessToS3Bucket",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::s3bucketB-574e6ce",
                "arn:aws:s3:::s3bucketB-574e6ce/*"
            ]
        }
    ]
}
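To make the cross-account evaluation rule in the answer concrete, here is an added example (not code from the question or answer, and a deliberately simplified model of IAM: only the Effect/Principal/Action/Resource and Bool-condition matching these two policies use). It takes the bucket policy from the question and the role policy from the answer, and shows that the request is only allowed when both sides allow it, while the `aws:SecureTransport` deny always wins. The account id `1111` is the placeholder used in the thread.

```python
import fnmatch

ROLE_ARN = "arn:aws:iam::1111:role/AccountA-role"   # placeholder account id from the thread
BUCKET = "arn:aws:s3:::s3bucketB-574e6ce"

# Account B bucket policy (question): TLS-only deny plus the cross-account allow.
BUCKET_POLICY = [
    {"Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "s3:*",
     "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
     "Action": ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl"],
     "Resource": [BUCKET, BUCKET + "/*"]},
]
# Identity policy attached to the role in Account A (answer).
ROLE_POLICY = [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl"],
     "Resource": [BUCKET, BUCKET + "/*"]},
]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(stmt, principal, action, resource, ctx):
    """True if this statement applies to the request (simplified IAM matching)."""
    if "Principal" in stmt:  # resource policies name a principal; identity policies do not
        allowed = _as_list(stmt["Principal"].get("AWS", []))
        if "*" not in allowed and principal not in allowed:
            return False
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    for key, want in stmt.get("Condition", {}).get("Bool", {}).items():
        if str(ctx.get(key, "")).lower() != want.lower():
            return False
    return True

def _decision(policy, principal, action, resource, ctx):
    effects = {s["Effect"] for s in policy if _matches(s, principal, action, resource, ctx)}
    return "Deny" if "Deny" in effects else ("Allow" if "Allow" in effects else "Implicit")

def evaluate(identity_policy, bucket_policy, principal, action, resource, secure=True):
    """Cross-account rule: an explicit Deny anywhere wins; otherwise BOTH sides must Allow."""
    ctx = {"aws:SecureTransport": "true" if secure else "false"}
    sides = [_decision(p, principal, action, resource, ctx) for p in (identity_policy, bucket_policy)]
    if "Deny" in sides:
        return "Deny"
    return "Allow" if all(d == "Allow" for d in sides) else "Deny"
```

Passing an empty list as the identity policy reproduces the asker's situation (bucket policy only) and yields Deny, which is the point the answer makes.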
