Chuck

Reputation: 1293

How do I grant S3 bucket access with this particular role?

I've looked at some other solutions for similar questions, but here's the twist: I was given this and asked to grant s3 bucket for another account to put/get objects:

arn:aws:iam::[account number]:role/CustomerManaged/XMO-Custom-SPEG-DPM-Share-Role

I know the basics of how to change bucket policies in the JSON format. Do I need to create the JSON from this in the s3 bucket policy, or do I add this in IAM? I have seven tabs open for AWS doc pages but am getting lost in the weeds of what to do here.

Upvotes: 1

Views: 15688

Answers (2)

John Rotenstein

Reputation: 270104

It appears that your requirement is:

  • An IAM Role (Role-A) in Account-A wants to access...
  • An Amazon S3 Bucket (Bucket-B) in Account-B
  • You are an Administrator in Account-B

The simplest way to permit such access is to add a Bucket Policy to Bucket-B:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::ACCOUNT-A:role/CustomerManaged/XMO-Custom-SPEG-DPM-Share-Role"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name/*"
            ]
        }
    ]
}

This policy says:

  • Allow the given IAM Role
  • Permission to put/get objects
  • In this bucket

There is no need to assume roles. Simply adding this bucket policy on Bucket-B allows Role-A to access the bucket.

Oh, and Role-A also needs to be granted sufficient S3 permissions to access the bucket, which might be via generic permissions (eg s3:GetObject on a Principal of *), or it could be specific to this bucket. Basically, Account-A has to grant it permission (via IAM), AND Account-B has to grant it permission (via the bucket policy).

Upvotes: 6
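The point at the end of this answer (Account-A must allow via IAM and Account-B must allow via the bucket policy, and a request is only allowed when both sides say yes) can be checked with a small model. The following is an added example, not code from the answer or from AWS: it evaluates a cross-account S3 request against a constructed identity policy for Role-A and a constructed bucket policy for Bucket-B. The account id 111111111111, the bucket name and the object key are placeholders, and the matcher only models Allow statements with simple wildcards (no Deny, conditions, SCPs or permission boundaries), which is all the answer's point needs.

```python
"""Toy model of two-sided cross-account S3 authorization (added example)."""
import fnmatch

# Constructed sample values; the account id, bucket and keys are placeholders.
ROLE_ARN = "arn:aws:iam::111111111111:role/CustomerManaged/XMO-Custom-SPEG-DPM-Share-Role"
OTHER_ROLE_ARN = "arn:aws:iam::111111111111:role/SomeOtherRole"
OBJECT_ARN = "arn:aws:s3:::bucket-name/reports/2024.csv"

# Identity-based policy attached to Role-A in Account-A (the caller's side).
ROLE_A_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::bucket-name/*",
    }],
}

# Same role, but Account-A only granted reads: the bucket policy alone cannot add PutObject.
ROLE_A_GET_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::bucket-name/*",
    }],
}

# Bucket policy on Bucket-B in Account-B (the resource owner's side), as in the answer.
BUCKET_B_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ROLE_ARN},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": ["arn:aws:s3:::bucket-name/*"],
    }],
}


def _as_list(value):
    """IAM lets most fields be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches_any(value, patterns):
    """IAM-style wildcard match: '*' spans any characters, '/' included."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _statement_allows(stmt, action, resource, principal=None):
    """True if one Allow statement covers the action/resource (and principal, for bucket policies)."""
    if stmt.get("Effect") != "Allow":
        return False
    if principal is not None:  # resource-based policies must name the caller
        princ = stmt.get("Principal")
        aws = princ.get("AWS", []) if isinstance(princ, dict) else princ
        if not (aws == "*" or principal in _as_list(aws)):
            return False
    return (_matches_any(action, stmt.get("Action", []))
            and _matches_any(resource, stmt.get("Resource", [])))


def policy_allows(policy, action, resource, principal=None):
    return any(_statement_allows(s, action, resource, principal)
               for s in policy.get("Statement", []))


def cross_account_allowed(identity_policy, bucket_policy, principal_arn, action, resource):
    """Cross-account access needs BOTH the caller's IAM policy and the bucket policy to allow."""
    return (policy_allows(identity_policy, action, resource)
            and policy_allows(bucket_policy, action, resource, principal=principal_arn))


if __name__ == "__main__":
    for label, identity, principal, action in [
        ("both sides allow PutObject", ROLE_A_IDENTITY_POLICY, ROLE_ARN, "s3:PutObject"),
        ("Account-A granted GetObject only", ROLE_A_GET_ONLY_POLICY, ROLE_ARN, "s3:PutObject"),
        ("bucket policy does not allow DeleteObject", ROLE_A_IDENTITY_POLICY, ROLE_ARN, "s3:DeleteObject"),
        ("bucket policy names a different role", ROLE_A_IDENTITY_POLICY, OTHER_ROLE_ARN, "s3:GetObject"),
    ]:
        print(f"{label}: {cross_account_allowed(identity, BUCKET_B_POLICY, principal, action, OBJECT_ARN)}")
```

The second and fourth cases are the ones that usually cause confusion in practice: the bucket owner's policy is correct, yet the request is refused because the other half of the grant (the caller's own IAM policy, or the exact principal ARN) is missing. When a cross-account request fails, check both policies rather than only the one you administer.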

jarmod

Reputation: 78842

In account B, which needs to access account A's bucket, set up an IAM role that includes the relevant permissions (e.g. s3:GetObject on s3://bucketa/prefix/*). For example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::bucketa/prefix/*"
        }
    ]
}

In account A, which owns the bucket, add an S3 bucket policy to bucketa that gives the relevant permissions to the account B role. For example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::accountb:role/rolename"
            },
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucketa/prefix/*"
            ]
        }
    ]
}

Finally, in account B, give the relevant IAM users or roles permission to assume the account B role so that they can get cross-account access to the bucket.

Alternatively, rather than delegate permissions directly to an IAM role in account B, account A can set a principal of "AWS": "arn:aws:iam::accountb:root" in the bucket policy and this will allow account B administrators to delegate permission as they choose (see example).

For more, see How can I provide cross-account access to objects that are in Amazon S3 buckets?

Upvotes: 1
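This answer offers two principal choices for the bucket policy: the specific role ARN, or the partner account's root, which hands delegation to that account's administrators. Before applying either, it is worth generating the policy from parameters and reviewing the scope of what it grants. The following is an added example, not jarmod's code or an AWS tool: build_bucket_policy produces the policy shown above from a bucket, prefix, principal and action list, and review_bucket_policy returns findings for a public principal, a principal outside the expected partner account, an account-root principal (reported so the broader delegation is a deliberate choice), wildcard actions, and resources outside the bucket. The account ids 222222222222 and 333333333333, bucket and role names are placeholders.

```python
"""Build and review a cross-account S3 bucket policy (added example)."""
import json
import re

# Matches an IAM role ARN or an account root ARN; group 1 is the account id.
PRINCIPAL_RE = re.compile(r"^arn:aws:iam::(\d{12}):(role/\S+|root)$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def build_bucket_policy(bucket, prefix, principal_arn, actions=("s3:GetObject",)):
    """Bucket policy granting `actions` on bucket/prefix/* to one principal.

    `principal_arn` may be a role ARN or the partner account's root ARN
    (the latter lets the partner's administrators delegate as they choose).
    """
    path = f"{prefix.strip('/')}/*" if prefix else "*"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": list(actions),
            "Resource": [f"arn:aws:s3:::{bucket}/{path}"],
        }],
    }


def review_bucket_policy(policy, bucket, partner_account):
    """Return review findings; an empty list means the grant is scoped as intended."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        for p in _as_list(aws):
            if p == "*":
                findings.append(f"statement {i}: Principal '*' makes the grant public")
                continue
            m = PRINCIPAL_RE.match(p or "")
            if not m:
                findings.append(f"statement {i}: unrecognised principal {p!r}")
            elif m.group(1) != partner_account:
                findings.append(f"statement {i}: principal account {m.group(1)} "
                                f"is not the expected partner account {partner_account}")
            elif m.group(2) == "root":
                findings.append(f"statement {i}: account root principal lets the partner "
                                "account's admins delegate to any identity they choose")
        for a in _as_list(stmt.get("Action", [])):
            if a.endswith("*"):
                findings.append(f"statement {i}: wildcard action {a!r} grants more than get/put")
        for r in _as_list(stmt.get("Resource", [])):
            if not r.startswith(f"arn:aws:s3:::{bucket}/"):
                findings.append(f"statement {i}: resource {r!r} is not an object path in bucket {bucket!r}")
    return findings


if __name__ == "__main__":
    # Constructed values: partner account 222222222222 owns the role being granted access.
    policy = build_bucket_policy("bucketa", "prefix", "arn:aws:iam::222222222222:role/rolename")
    print(json.dumps(policy, indent=4))
    print("findings:", review_bucket_policy(policy, "bucketa", "222222222222"))
    root_policy = build_bucket_policy("bucketa", "prefix", "arn:aws:iam::222222222222:root")
    print("findings (root principal):", review_bucket_policy(root_policy, "bucketa", "222222222222"))
```

The role-ARN policy reviews clean; the root-principal variant produces one informational finding so that whoever applies it has consciously chosen to let the other account's administrators decide which of their identities may reach the prefix. The same review function can be run against an existing bucket policy retrieved from S3 before it is changed.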
