
I have a system with 2 AWS Accounts, and I want an IAM group on account 2 to access a bucket on account 1.

Account 1 has a large car database and an S3 bucket with files for each car.

Account 2 does the communication (SNS/SQS) with a lot of physical machines, each of which has its own IAM user, but all of which are members of the robots-group.

I want the machines with IAM users in Account 2 to be able to access files in an S3 bucket on Account 1.

But apparently, a group cannot be used as a principal. What other options do I have here, if I want a simple setup where I don’t need to update the bucket policy in Account 1 every time an IAM user is added in the robots-group in Account 2?

This is the policy I’m trying to apply to my bucket:

{
  "Id": "Policy1683211206707",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1683211201070",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::company-vehicle-configurations-test/*",
      "Principal": {
        "AWS": [
          "arn:aws:iam::1234567890:group/robots-group"
        ]
      }
    }
  ]
}

And the result:

    "errorType": "MalformedPolicy",
    "errorMessage": "Invalid principal in policy",

2 Answers


  1. In the bucket policy, you can allow the Account2 account principal arn:aws:iam::1234567890:root. This allows any user, role, or group in Account2 to interact with the bucket, but only if their IAM policies allow that access.

    This essentially delegates further access control to the IAM policies attached to Account2 users, groups and roles. Which is what you essentially want, since you don’t want Account1 to own the group’s permissions, nor to have to enumerate Account1’s users allowed to access the bucket.

  2. You’re correct, groups aren’t principals and you can’t assign permissions to them. However, you can assign permissions to tags.

    1. Attach a policy to all of the principals in Account2 that need to access the S3 Bucket that permit them that access:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": [
              "s3:GetObject",
              "s3:PutObject"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::company-vehicle-configurations-test/*"
          }
        ]
      }
      

      This isn’t sufficient on its own because the Bucket is in a different account and one account’s admin can’t arbitrarily grant access to resources in another account.

    2. Tag all of the principals in Account2 that you want to be able to access the S3 Bucket. I’m going to use "s3access: true" for my example, but you can use whatever you want.

    3. Put a Bucket Policy on your S3 Bucket that allows access from all principals in Account2 that have the tag "s3access: true":

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": [
              "s3:GetObject",
              "s3:PutObject"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::company-vehicle-configurations-test/*",
            "Principal": {
              "AWS": [
                "arn:aws:iam::1234567890:root"
              ]
            },
            "Condition": {
              "StringEquals": {
                "aws:PrincipalTag/s3access": "true"
              }
            }
          }
        ]
      }
      
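The following is an added example that ties the two answers together; it is not code from either answer or from AWS. It builds the identity policy for the robots-group in Account 2 and the bucket policy for Account 1 (the account-root delegation from the first answer, optionally narrowed with the aws:PrincipalTag condition from the second), flags the group-ARN principal that produced the "Invalid principal in policy" error in the question, and models the cross-account rule that both policies must allow a request. The account ID, bucket name and tag are the placeholders used in the thread; cross_account_allowed is a deliberately simplified model of IAM evaluation (Allow statements, one principal, one StringEquals tag condition), not a reimplementation of it.

```python
"""Cross-account S3 access for a group of IAM users, via account delegation
plus a principal-tag condition. Added example; values are placeholders."""
import json
import re

# Constructed placeholders, matching the thread.
ACCOUNT2_ID = "1234567890"                       # account owning the robot users
BUCKET = "company-vehicle-configurations-test"   # bucket living in Account 1
TAG_KEY, TAG_VALUE = "s3access", "true"          # tag put on each robot user
ACTIONS = ["s3:GetObject", "s3:PutObject"]

# An IAM group ARN is never a valid principal in a resource policy.
GROUP_ARN_RE = re.compile(r"^arn:aws:iam::\d+:group/")


def identity_policy(bucket: str = BUCKET) -> dict:
    """Identity-based policy to attach to the robots-group in Account 2."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ACTIONS,
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def bucket_policy(account_id: str = ACCOUNT2_ID, bucket: str = BUCKET,
                  tag_key: str = TAG_KEY, tag_value: str = TAG_VALUE) -> dict:
    """Resource-based policy for the bucket in Account 1.

    Principal is the whole Account 2 (its :root ARN). With tag_key set, the
    StringEquals condition narrows that to principals carrying the tag; pass
    tag_key="" to get the plain account delegation from the first answer.
    """
    stmt = {
        "Sid": "AllowTaggedPrincipalsFromAccount2",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": ACTIONS,
        "Resource": f"arn:aws:s3:::{bucket}/*",
    }
    if tag_key:
        stmt["Condition"] = {
            "StringEquals": {f"aws:PrincipalTag/{tag_key}": tag_value}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def invalid_principals(policy: dict) -> list:
    """Return group ARNs used as principals; S3 rejects the policy for them.
    Only the group case from the question is checked here."""
    bad = []
    for stmt in policy.get("Statement", []):
        principals = stmt.get("Principal", {}).get("AWS", [])
        if isinstance(principals, str):
            principals = [principals]
        bad.extend(p for p in principals if GROUP_ARN_RE.match(p))
    return bad


def cross_account_allowed(principal_account: str, principal_tags: dict,
                          action: str, resource: str,
                          id_policy: dict, res_policy: dict) -> bool:
    """Simplified model of the cross-account rule: the identity policy in the
    caller's account AND the bucket policy must both allow the request."""
    def res_match(pattern, r):
        return r == pattern or (pattern.endswith("*") and r.startswith(pattern[:-1]))

    def stmt_allows(stmt, check_principal):
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            return False
        if not res_match(stmt["Resource"], resource):
            return False
        if check_principal:
            if stmt["Principal"]["AWS"] != f"arn:aws:iam::{principal_account}:root":
                return False
            for key, want in stmt.get("Condition", {}).get("StringEquals", {}).items():
                tag = key.split("aws:PrincipalTag/", 1)[1]
                if principal_tags.get(tag) != want:
                    return False
        return True

    id_ok = any(stmt_allows(s, False) for s in id_policy["Statement"])
    res_ok = any(stmt_allows(s, True) for s in res_policy["Statement"])
    return id_ok and res_ok


if __name__ == "__main__":
    print(json.dumps(bucket_policy(), indent=2))
```

To apply the output you would, in Account 2, tag each robot user (`aws iam tag-user --user-name robot-01 --tags Key=s3access,Value=true`) and attach the identity policy to robots-group, and in Account 1 run `aws s3api put-bucket-policy --bucket company-vehicle-configurations-test --policy file://bucket-policy.json`. One caveat worth stating: with the tag condition, anyone in Account 2 who can call iam:TagUser can grant a user access to the bucket, so that permission becomes part of the bucket's trust boundary.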