I am trying to provide someone with access to multiple s3 buckets which are in a different aws account from where they typically access / assume their role from.
I have created a policy ‘ExamplePolicy’ in the aws account that the user has access to, and I have created a role ‘ExampleRole’ in the target account – the one where the s3 buckets reside.
However I am struggling now to see how I should proceed… because when I try and attach this policy to the role, I obviously cant see the policy when I search in IAM (as it is in a different aws account). Im really not sure how to proceed as I am not too versed in this… is there an easier way to provide access?
And would anyone know what the JSON trust relationship should look like between the two?
Thanks for any help!
2
Answers
To provide access to S3 buckets in a different AWS account, you can use cross-account access. You can grant another AWS account permission to access your resources such as buckets and objects. The following steps can be taken to grant cross-account access to S3 buckets:
Here is an example of a trust policy that allows Account A to assume the role in Account B:
You can replace
AccountA-ID
with the account ID of Account A. This policy allows the root user of Account A to assume the role in Account B. You can also specify a specific IAM user or role in Account A instead of the root user.I hope this helps!
When providing access to an Amazon S3 bucket in a different account, you basically have two options:
Option 1: Grant access via Bucket policies
A Bucket Policy can be added to a bucket that specifically grants access to an IAM User in a different AWS Account. For example:
Note that permission is given to list the contents of the bucket (without
/*
) and also to get any objects in the bucket (using/*
).In addition to the policy, the user needs to be granted permission to access the bucket in the other account. This can be done by adding similar permissions to their IAM User. In this case, they do not need a
Principal
in the policy.If the user does not have default permission to access any bucket, add this to their IAM User:
Option 2: Assume an IAM Role
Let’s say the IAM User (
User-A
) is defined inAccount-A
while the bucket (Bucket-B
) is inAccount-B
.One way to obtain access to
Bucket-B
would be to:Role-B
) that has permission to accessBucket-B
Trust Relationship
onRole-B
to allow it to be ‘assumed’ byUser-A
User-A
to grant permission to callsts:AssumeRole
onRole-B
User-A
then callsAssumeRole()
onRole-B
and receives a set of temporary credentialsBucket-B
This option is more complex than Option 1 and is normally used for programmatic access between AWS Accounts.