
I have a bucket in my Primary Account. I have added a bucket policy for this account to give access to an IAM user created by the Secondary Account, as below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<secondary-account>:user/maddy"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::input-read",
                "arn:aws:s3:::input-read/*"
            ]
        }
    ]
}

Also, I logged in as a root user in the Secondary Account and added an inline policy for my IAM user as below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAccessToS3Bucket",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::input-read",
                "arn:aws:s3:::input-read/*"
            ]
        }
    ]
}

But when I log in to my Secondary Account’s IAM User via Console, I can’t see this bucket. I followed multiple links like this to check my approach and it looks correct to me.

Where am I going wrong?

2 Answers


  1. The link you provided is for cross-account access to objects; what you are describing is being able to list buckets cross-account. You should be able to accomplish this by adding s3:ListBucket to both your S3 policy and your IAM access policy.

    Here is the link to the AWS S3 Actions, resources, and condition keys; it's possible you may need another list permission.

  2. Unfortunately, you aren’t going to see account B’s S3 bucket listed in the S3 console for an IAM user in account A. The S3 console only lists buckets that exist in the same account that the logged-in IAM principal is a member of. The S3 console is not designed to list buckets that you might have access to in arbitrary AWS accounts.

    That doesn’t mean you can’t use the S3 console to list the objects in account B’s bucket, however, as long as you have s3:ListBucket permission. But to see the list of objects you will have to manually force your browser to fetch the correct URL, for example:

    https://s3.console.aws.amazon.com/s3/buckets/input-read

    It’s often better to simply create an IAM role in account B and allow the IAM user in account A to assume that cross-account role. You can then make cross-account access in the AWS console simpler using the Switching to a role (console) feature. Here is a video showing this in action.

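As an added example (not part of either answer), here is a small offline evaluator of the two policies from the question, implementing the cross-account rule answer 2 describes (the bucket policy and the caller's own identity policy must both allow the call) and the s3:ListBucket fix answer 1 proposes. The account id is a placeholder, and the evaluator is a deliberate simplification that ignores NotAction, NotResource and Condition.

```python
import fnmatch

# Constructed sample input: the question's bucket policy (Primary Account) and
# inline IAM policy (Secondary Account); the account id is a placeholder.
USER = "arn:aws:iam::111111111111:user/maddy"
GRANT = {"Action": ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl"],
         "Resource": ["arn:aws:s3:::input-read", "arn:aws:s3:::input-read/*"]}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": USER}, **GRANT}]}
IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAccessToS3Bucket", "Effect": "Allow", **GRANT}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _match(patterns, value, fold):
    # IAM matches actions case-insensitively and resource ARNs case-sensitively.
    norm = str.lower if fold else str
    return any(fnmatch.fnmatchcase(norm(value), norm(p)) for p in _as_list(patterns))

def _principal_matches(statement, principal_arn):
    # Identity-based policies carry no Principal: they apply to the attached user.
    principal = statement.get("Principal")
    if principal is None or principal == "*":
        return True
    aws = _as_list(principal.get("AWS", []))
    return "*" in aws or principal_arn in aws

def policy_decision(policy, principal_arn, action, resource):
    """'Deny', 'Allow' or None for one policy; NotAction/NotResource/Condition are not modelled."""
    decision = None
    for st in policy["Statement"]:
        if (_principal_matches(st, principal_arn)
                and _match(st.get("Action", []), action, fold=True)
                and _match(st.get("Resource", []), resource, fold=False)):
            if st["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def cross_account_allowed(bucket_policy, identity_policy, principal_arn, action, resource):
    """Cross-account: BOTH the bucket policy and the caller's identity policy must Allow."""
    return all(policy_decision(p, principal_arn, action, resource) == "Allow"
               for p in (bucket_policy, identity_policy))

def with_action(policy, action):
    """New policy: the original statements plus an Allow for `action` on the same resources."""
    allow = next(s for s in policy["Statement"] if s["Effect"] == "Allow")
    extra = {**{k: v for k, v in allow.items() if k != "Sid"}, "Action": action}
    return {**policy, "Statement": policy["Statement"] + [extra]}
```

Evaluating the question's policies shows s3:GetObject on an object key passing on both sides, while s3:ListBucket on the bucket ARN fails until both policies grant it.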