I have an AWS account A from which I want to grant access to another AWS account B. I have created a role in my account A giving the identity access to my bucket in account A; here's the role's identity policy, created in account A:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::connect-to-other-acct/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::connect-to-other-acct"
            ]
        }
    ]
}
I also created a trust policy (automatically created by AWS) assigned to the role, allowing my second account B to assume the role; here it is:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<account B ID>:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}
I know it's wrong practice to use the root AWS account, but I wanted to quickly try out this process because I don't want to create a role in the second account. So I tried to access the bucket using the bucket link as accessible from my first account A: I logged in to my second account B in a new window and tried accessing the bucket from its link, and I got a response that my second account does not have permission to access the bucket, i.e. list the bucket or objects, even when I tried using s3:* as the action on the role.
I initially asked some of the LLM chatbots if I can do this without assigning a bucket policy to allow cross-account access, but I got a response that I must use a bucket policy. I later saw an AWS document that says I don't need a bucket policy to do this: https://repost.aws/knowledge-center/cross-account-access-s3
Currently it is still not working. Can I do this, and if I can, what is wrong with my policy and how can I modify it so it works?
I tried to list the objects from my second account B but got a response that my second account does not have permission to list the bucket, even though I have granted account B permission to assume a role permitted to access the bucket from my account A.
It appears your situation is:
- A bucket Bucket-A in Account-A
- An IAM Role Role-A in Account-A that trusts Account-B
- You wish to access the bucket from Account-B

To do so, you should do the following:
- Call AssumeRole() on Role-A using credentials from Account-B. These credentials will either need to be root credentials, or IAM credentials that have been given permission to call AssumeRole() on Role-A.
- The call to AssumeRole() will return a new set of temporary credentials
- Use those temporary credentials to call S3 APIs that operate on Bucket-A
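The two steps in the answer (call AssumeRole with Account-B credentials, then use the returned temporary credentials for S3), as an added example written for this page rather than code from the question or the answer. It assumes boto3 is installed and that the process runs with Account-B credentials in the usual environment; the role ARN and bucket name are supplied by the caller, and the STS response embedded at the bottom is a constructed sample with placeholder credential values. It also adds a check the answer does not spell out: after assuming the role, ask STS who you are and confirm the ARN is the assumed-role ARN, not the Account-B identity you started with.

```python
"""Assume a cross-account role and use the temporary credentials for S3.

Added example, not from the question or answer above. The hypothetical
role ARN, bucket and session name are passed in by the caller; the STS
response at the bottom is constructed, with placeholder credential values.
"""
import datetime


def session_kwargs_from_sts_response(response: dict) -> dict:
    """Map the Credentials block of an STS AssumeRole response onto the
    keyword arguments boto3 clients accept. All three values are needed:
    an access key pair without its session token is not a usable set of
    temporary credentials."""
    creds = response["Credentials"]
    try:
        return {
            "aws_access_key_id": creds["AccessKeyId"],
            "aws_secret_access_key": creds["SecretAccessKey"],
            "aws_session_token": creds["SessionToken"],
        }
    except KeyError as missing:
        raise ValueError(f"AssumeRole response is missing {missing}") from None


def assumed_role_arn(account_id: str, role_name: str, session_name: str) -> str:
    """ARN that GetCallerIdentity reports once the role has been assumed.
    Comparing against it confirms the S3 calls are made as the role in
    Account-A, not as the Account-B identity that called AssumeRole."""
    return f"arn:aws:sts::{account_id}:assumed-role/{role_name}/{session_name}"


def list_bucket_via_role(role_arn: str, bucket: str,
                         session_name: str = "cross-account-s3") -> list:
    """Step 1: AssumeRole with the caller's own (Account-B) credentials.
    Step 2: call S3 with the temporary credentials that come back.
    boto3 is imported here, not at module level, because this is the only
    function that needs network access and live credentials."""
    import boto3  # assumed installed when this function is actually run

    sts = boto3.client("sts")
    response = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name)
    kwargs = session_kwargs_from_sts_response(response)

    # Verify the identity the temporary credentials carry before touching S3.
    account_id = role_arn.split(":")[4]          # arn:aws:iam::<acct>:role/Name
    role_name = role_arn.split("/")[-1]          # last path element is the name
    expected = assumed_role_arn(account_id, role_name, session_name)
    who = boto3.client("sts", **kwargs).get_caller_identity()
    if who["Arn"] != expected:
        raise RuntimeError(f"unexpected identity {who['Arn']}, expected {expected}")

    # The role's identity policy grants s3:ListBucket on the bucket ARN and
    # s3:GetObject/PutObject on bucket/*; listing exercises the first grant.
    s3 = boto3.client("s3", **kwargs)
    keys = []
    for page in s3.get_paginator("list_objects_v2").paginate(Bucket=bucket):
        keys.extend(obj["Key"] for obj in page.get("Contents", []))
    return keys


# Constructed sample in the shape STS returns; credential values are placeholders.
SAMPLE_STS_RESPONSE = {
    "Credentials": {
        "AccessKeyId": "ASIA_EXAMPLE_KEY_ID",
        "SecretAccessKey": "EXAMPLE_SECRET",
        "SessionToken": "EXAMPLE_SESSION_TOKEN",
        "Expiration": datetime.datetime(2030, 1, 1, tzinfo=datetime.timezone.utc),
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLE:cross-account-s3",
        "Arn": "arn:aws:sts::111111111111:assumed-role/Role-A/cross-account-s3",
    },
}

if __name__ == "__main__":
    import sys
    # Usage: python assume_and_list.py arn:aws:iam::<account A ID>:role/Role-A connect-to-other-acct
    role_arn, bucket = sys.argv[1], sys.argv[2]
    for key in list_bucket_via_role(role_arn, bucket):
        print(key)
```

The point the identity check makes is the one the question trips over: signing in to Account-B and opening the bucket link sends requests as the Account-B identity, which no policy in Account-A grants anything to. Only requests signed with the credentials AssumeRole returns are evaluated against Role-A's identity policy, so if get_caller_identity still reports an Account-B ARN, the S3 call will be denied regardless of what the role allows.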