Sam Hammamy

Reputation: 11017

One IAM Role across multiple AWS accounts

For security reasons, we have a pre-prod and a prod AWS account. We're now beginning to use IAM Roles for S3 access to js/css files through django-storage / boto.

While this is working correctly on a per account basis, a need has now arisen where the QA instance needs to access one S3 bucket on the prod account.

Is there a way to have one IAM role that can grant access to the pre-prod and prod S3 buckets? As I'm writing it seems impossible, but it never hurts to ask!

Upvotes: 1

Views: 1288

Answers (1)

Josh Hancock

Reputation: 855

Here's the AWS doc on this: http://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example2.html

Essentially, you have to delegate permissions to one account from the other account using the Principal block of your Bucket's IAM policy, and then set up your IAM user in the second account as normal.

Example bucket policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Example permissions",
          "Effect": "Allow",
          "Principal": { "AWS": "arn:aws:iam::<Account-ID>:root" },
          "Action": [ "s3:GetBucketLocation", "s3:ListBucket" ],
          "Resource": [ "arn:aws:s3:::<bucket-name>" ]
        }
      ]
    }

This works well for read-only access, but there can be issues with write access. Primarily, the account writing the object will still be the owner of that object. When dealing with Write permissions, you'll usually want to make sure the account owning the bucket still has the ability to access objects written by the other account, which requires the object to be written with a particular header: x-amz-grant-full-control

You can set up your bucket policy so that the bucket will not accept cross-account objects that do not supply this header. There's an example of that at the bottom of this page: http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html (under "Granting Cross-Account Permissions to Upload Objects While Ensuring the Bucket Owner Has Full Control")

This makes use of a conditional Deny clause in the bucket policy, like so:

    {
      "Sid": "112",
      "Effect": "Deny",
      "Principal": { "AWS": "1111111111" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {
        "StringNotEquals": { "s3:x-amz-grant-full-control": [ "[email protected]" ] }
      }
    }
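The two policy fragments above (the cross-account Allow and the conditional Deny on s3:PutObject) can be combined into one bucket policy and checked without touching AWS. The following is an added example, not code from the answer or from AWS: it builds the combined policy for a constructed pair of account IDs, bucket name and canonical-ID grant (all placeholders), and runs it through a toy evaluator that models only the pieces the answer relies on: account-root principals, trailing-wildcard matching, explicit Deny overriding Allow, and StringNotEquals being satisfied when the header is absent. It goes slightly beyond the answer by also allowing s3:GetObject and s3:PutObject on bucket/*, which a QA instance fetching or uploading objects needs in addition to ListBucket.

```python
import json

# Constructed placeholder identifiers, not values from the original post.
BUCKET_OWNER_ACCOUNT = "111111111111"   # prod account: owns the bucket
TRUSTED_ACCOUNT = "222222222222"        # pre-prod account: the QA instance lives here
BUCKET = "example-prod-assets"
OWNER_GRANT = "id=" + "0" * 64           # placeholder canonical user ID of the bucket owner


def build_cross_account_policy(bucket, trusted_account, owner_grant):
    """Return a bucket policy that delegates access to the trusted account
    and refuses cross-account uploads that do not hand the bucket owner
    full control (the pattern described in the answer above)."""
    trusted = f"arn:aws:iam::{trusted_account}:root"
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Listing is authorised on the bucket ARN itself ...
                "Sid": "CrossAccountList", "Effect": "Allow",
                "Principal": {"AWS": trusted},
                "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
                "Resource": bucket_arn,
            },
            {   # ... while object reads and writes are authorised on bucket/*.
                "Sid": "CrossAccountObjects", "Effect": "Allow",
                "Principal": {"AWS": trusted},
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": f"{bucket_arn}/*",
            },
            {   # Explicit Deny beats the Allow above whenever the
                # x-amz-grant-full-control header is missing or has the wrong value.
                "Sid": "RequireOwnerFullControlOnPut", "Effect": "Deny",
                "Principal": {"AWS": trusted},
                "Action": "s3:PutObject",
                "Resource": f"{bucket_arn}/*",
                "Condition": {"StringNotEquals": {"s3:x-amz-grant-full-control": [owner_grant]}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    """Match an action or resource against a pattern with a trailing '*'."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return value == pattern


def _principal_matches(stmt_principal, requester_arn):
    """An account-root principal covers every IAM identity in that account."""
    if stmt_principal == "*":
        return True
    if stmt_principal.endswith(":root"):
        return stmt_principal.split(":")[4] == requester_arn.split(":")[4]
    return stmt_principal == requester_arn


def _condition_holds(condition, context):
    """Only StringNotEquals is modelled. It evaluates to true when the key is
    absent from the request, which is what makes the Deny fire on header-less uploads."""
    for key, expected in condition.get("StringNotEquals", {}).items():
        if context.get(key) in _as_list(expected):
            return False
    return True


def evaluate(policy, requester_arn, action, resource, context=None):
    """Toy evaluator for the subset of bucket-policy semantics used here:
    default deny, any matching Allow grants, any matching Deny overrides."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_principal_matches(p, requester_arn) for p in _as_list(stmt["Principal"]["AWS"])):
            continue
        if not any(_glob(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


POLICY = build_cross_account_policy(BUCKET, TRUSTED_ACCOUNT, OWNER_GRANT)
QA_ROLE = f"arn:aws:iam::{TRUSTED_ACCOUNT}:role/qa-web"   # assumed role name in pre-prod
OBJECT = f"arn:aws:s3:::{BUCKET}/static/app.css"

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    print("list   :", evaluate(POLICY, QA_ROLE, "s3:ListBucket", f"arn:aws:s3:::{BUCKET}"))
    print("put    :", evaluate(POLICY, QA_ROLE, "s3:PutObject", OBJECT))
    print("put+hdr:", evaluate(POLICY, QA_ROLE, "s3:PutObject", OBJECT,
                                {"s3:x-amz-grant-full-control": OWNER_GRANT}))
```

The evaluator is deliberately minimal (no NotAction, no other condition operators, no IAM identity policies), so use it to reason about the shape of the policy rather than as a substitute for the IAM policy simulator. On the writing side, the header maps to the GrantFullControl parameter of boto3's put_object, so a QA-side upload that should pass the Deny sets GrantFullControl="id=<bucket owner canonical ID>" on every call.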

I generally avoid cross-account object writes, myself...they are quite fiddly to set up.

Upvotes: 5
