skip to Main Content

I am trying to provide someone with access to multiple s3 buckets which are in a different aws account from where they typically access / assume their role from.

I have created a policy ‘ExamplePolicy’ in the aws account that the user has access to, and I have created a role ‘ExampleRole’ in the target account – the one where the s3 buckets reside.

However I am struggling now to see how I should proceed… because when I try and attach this policy to the role, I obviously cant see the policy when I search in IAM (as it is in a different aws account). Im really not sure how to proceed as I am not too versed in this… is there an easier way to provide access?

And would anyone know what the JSON trust relationship should look like between the two?

Thanks for any help!

2

Answers


  1. To provide access to S3 buckets in a different AWS account, you can use cross-account access. You can grant another AWS account permission to access your resources such as buckets and objects. The following steps can be taken to grant cross-account access to S3 buckets:

    1. Create an S3 bucket in Account A.
    2. Create an IAM role or user in Account B.
    3. Give the IAM role in Account B permission to download (GET Object) and upload (PUT Object) objects to and from a specific bucket.
    4. Create a bucket policy in Account A that grants the IAM role in Account B permission to access the bucket.
    5. In the bucket policy, specify the principal element as the IAM role in Account B.
    6. In the trust policy of the IAM role in Account B, specify the account ID of Account A as the trusted entity.

    Here is an example of a trust policy that allows Account A to assume the role in Account B:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::AccountA-ID:root"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
    

    You can replace AccountA-ID with the account ID of Account A. This policy allows the root user of Account A to assume the role in Account B. You can also specify a specific IAM user or role in Account A instead of the root user.

    I hope this helps!

    Login or Signup to reply.
  2. When providing access to an Amazon S3 bucket in a different account, you basically have two options:

    Option 1: Grant access via Bucket policies

    A Bucket Policy can be added to a bucket that specifically grants access to an IAM User in a different AWS Account. For example:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Principal": {
                    "AWS": "arn:aws:iam::222222222222:user/Brian"
                },
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": "arn:aws:s3:::BUCKET-NAME"
            },
            {
                "Principal": {
                    "AWS": "arn:aws:iam::222222222222:user/Brian"
                },
                "Action": "s3:GetObject",
                "Effect": "Allow",
                "Resource": "arn:aws:s3:::BUCKET-NAME/*",
            }
        ]
    }
    

    Note that permission is given to list the contents of the bucket (without /*) and also to get any objects in the bucket (using /*).

    In addition to the policy, the user needs to be granted permission to access the bucket in the other account. This can be done by adding similar permissions to their IAM User. In this case, they do not need a Principal in the policy.

    If the user does not have default permission to access any bucket, add this to their IAM User:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Principal": {
                    "AWS": "arn:aws:iam::222222222222:user/Brian"
                },
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": "arn:aws:s3:::BUCKET-NAME"
            },
            {
                "Principal": {
                    "AWS": "arn:aws:iam::222222222222:user/Brian"
                },
                "Action": "s3:GetObject",
                "Effect": "Allow",
                "Resource": "arn:aws:s3:::BUCKET-NAME/*",
            }
        ]
    }
    

    Option 2: Assume an IAM Role

    Let’s say the IAM User (User-A) is defined in Account-A while the bucket (Bucket-B) is in Account-B.

    One way to obtain access to Bucket-B would be to:

    • Create an IAM Role in Account-B (Role-B) that has permission to access Bucket-B
    • Add a Trust Relationship on Role-B to allow it to be ‘assumed’ by User-A
    • Add an IAM policy to User-A to grant permission to call sts:AssumeRole on Role-B
    • User-A then calls AssumeRole() on Role-B and receives a set of temporary credentials
    • Those credentials are then used to access Bucket-B

    This option is more complex than Option 1 and is normally used for programmatic access between AWS Accounts.

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search