B. Pesevski

Reputation: 471

Accessing S3 Inventory from another AWS account

I've set up an S3 Inventory report for a bucket; the data being analyzed is in bucket/data, while the inventory report is generated and stored in bucket/meta/inventory/.

Now I want to access it from another AWS account. I have created the IAM role policy for cross-account access, and I can copy/get files via the SDK or the AWS CLI, but only from the bucket/data/ prefix. If I try to get files created for the S3 Inventory report, like the manifest.json file or any CSV file from the inventory report with a path like bucket/meta/inventory/.../data/report.csv, I get:

403 Access Denied

or via CLI

An error occurred (AccessDenied) when calling the GetObject operation: Access Denied.

It is strange, as I have a policy that allows s3:ListBucket and s3:GetObject for the whole bucket for that IAM role, but it seems that the files created by the s3.amazonaws.com service (in this case, all files from the inventory report) are not accessible to that IAM role.

Has someone encountered this? Can anyone suggest a fix?

Upvotes: 1

Views: 1296

Answers (1)

B. Pesevski

Reputation: 471

I have found the issue: it seems that you must provide the "s3:x-amz-acl": "bucket-owner-full-control" StringEquals condition in the bucket policy statement for the S3 Inventory, as stated here:

https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html#example-bucket-policies-use-case-9

Otherwise the ACL on the files from the Inventory report will block any access from outside the account that owns the bucket where the inventory is saved.

Upvotes: 1
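As an added example (not code from the original post or from AWS), the destination-bucket policy statement the answer refers to, shown in the permissive form that matches the situation in the question beside the corrected form with the `s3:x-amz-acl` condition from the linked AWS example, plus a small checker that flags Allow statements granting `s3:PutObject` to the `s3.amazonaws.com` service principal without that condition. The bucket name, inventory prefix and account ID are constructed placeholders.

```python
"""Added example, not code from the original post or from AWS.

Shows the S3 Inventory destination-bucket policy statement the answer refers
to in two forms: a permissive one that omits the "s3:x-amz-acl" condition
(the situation in the question) and the corrected one with the condition
required by the AWS example the answer links. A small checker flags any
Allow statement that lets the s3.amazonaws.com service principal PutObject
without requiring bucket-owner-full-control.

The bucket name, prefix and account ID are constructed placeholders.
"""
import copy
import json

SERVICE_PRINCIPAL = "s3.amazonaws.com"
REQUIRED_ACL = "bucket-owner-full-control"

# Assumed names (not from the post).
BUCKET = "bucket"
INVENTORY_PREFIX = "meta/inventory/"
OWNER_ACCOUNT = "111111111111"

# Permissive form: S3 may write the inventory objects, but nothing forces
# the bucket-owner-full-control ACL on them.
PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "InventoryWrite",
            "Effect": "Allow",
            "Principal": {"Service": SERVICE_PRINCIPAL},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/{INVENTORY_PREFIX}*",
            "Condition": {
                "ArnLike": {"aws:SourceArn": f"arn:aws:s3:::{BUCKET}"},
                "StringEquals": {"aws:SourceAccount": OWNER_ACCOUNT},
            },
        }
    ],
}

# Corrected form: the same statement plus the ACL condition from the answer.
CORRECTED_POLICY = copy.deepcopy(PERMISSIVE_POLICY)
CORRECTED_POLICY["Statement"][0]["Condition"]["StringEquals"][
    "s3:x-amz-acl"
] = REQUIRED_ACL


def _as_list(value):
    """IAM allows either a string or a list in most policy fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_put_to_s3_service(stmt):
    """True if this Allow statement lets the S3 service principal put objects."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    if principal == "*":
        matches_principal = True
    elif isinstance(principal, dict):
        matches_principal = SERVICE_PRINCIPAL in _as_list(principal.get("Service"))
    else:
        matches_principal = False
    actions = _as_list(stmt.get("Action"))
    # Exact action plus the common wildcard spellings that cover PutObject.
    return matches_principal and any(
        a in ("s3:PutObject", "s3:Put*", "s3:*", "*") for a in actions
    )


def statements_missing_owner_acl(policy):
    """Return the Sids of Allow statements that let the S3 service write
    objects without requiring exactly the bucket-owner-full-control ACL."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if not _grants_put_to_s3_service(stmt):
            continue
        string_equals = stmt.get("Condition", {}).get("StringEquals", {})
        # Condition key names are case-insensitive in IAM policies; the value
        # may be a list, and a list that also allows other ACLs is still weak.
        acl = {k.lower(): v for k, v in string_equals.items()}.get("s3:x-amz-acl")
        if _as_list(acl) != [REQUIRED_ACL]:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    print("permissive policy findings:", statements_missing_owner_acl(PERMISSIVE_POLICY))
    print("corrected policy findings: ", statements_missing_owner_acl(CORRECTED_POLICY))
    print(json.dumps(CORRECTED_POLICY, indent=2))
```

Run it to print the corrected policy document; paste that JSON (with your own bucket name and account ID) as the destination bucket's policy. The checker can also be pointed at the output of `aws s3api get-bucket-policy` to confirm an existing inventory destination carries the condition.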
