Gursimran

Reputation: 49

How to verify cross account AWS S3 bucket exists or not?

I have an application using AWS account A which needs to check if a bucket in AWS account B exists or not. If the bucket doesn't exist, I want the application to fail at the start.

I have set up "s3:ListBucket", "s3:GetObject" and "s3:GetBucketLocation" for a bucket in account B to account A. I was using the code below to get all the buckets and then looping over the list to match the bucket name of account B. I know this will only give the list of buckets owned by account A.

sess := session.Must(session.NewSession())
s3Client := s3.New(sess)
list, err := s3Client.ListBuckets(nil) // returns only buckets owned by the calling account

What is the best way to figure out if the bucket in account B exists or not here?

Here is the bucket policy on the bucket in Account B:

{
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::<accountA_no>:root"
    },
    "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:GetBucketLocation"
    ],
    "Resource": [
        "<AccountB_bucket_arn>/*",
        "<AccountB_bucket_arn>"
    ]
}

Upvotes: 0

Views: 2899

Answers (2)

Gursimran

Reputation: 49

I figured out that we can't list cross-account buckets (s3Client.ListBuckets(nil)). It will only return the list of buckets owned by the authenticated user. Refer to https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-cross-account-access/

I updated the code to use ListObjectsV2 (https://docs.aws.amazon.com/sdk-for-go/api/service/s3/#S3.ListObjectsV2). Before using the ListObjectsV2 function, I set up the IAM role policy on account A as below, which was missing.

{
    "Sid": "",
    "Effect": "Allow",
    "Action": [
        "s3:ListBucket",
        "s3:GetObject"
    ],
    "Resource": [
        "arn:aws:s3:::account-B-Bucket/*",
        "arn:aws:s3:::account-B-Bucket"
    ]
}

Upvotes: 1

John Rotenstein

Reputation: 269826

It appears that simply listing a bucket can indicate whether a bucket exists vs does not exist:

$ aws s3 ls s3://example-bucket

An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied

$ aws s3 ls s3://example-bucketzz

An error occurred (NoSuchBucket) when calling the ListObjectsV2 operation: The specified bucket does not exist

I'm not a Go person, but from Python I got these results:

>>> len(list(boto3.resource('s3').Bucket('example-bucket').objects.all()))

botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied

>>> len(list(boto3.resource('s3').Bucket('example-bucketzz').objects.all()))

botocore.errorfactory.NoSuchBucket: An error occurred (NoSuchBucket) when calling the ListObjects operation: The specified bucket does not exist

Upvotes: 0
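Putting the two answers together in Go, as an added example that is not from either poster: the error code of a single ListObjectsV2 call decides whether the bucket exists (listing succeeds), does not exist (NoSuchBucket), or exists but account A is not allowed to list it (AccessDenied), and any other error is passed through so a network fault is not mistaken for a missing bucket. The codedError interface, the BucketState names and the fake client are assumptions of this example; in the application the list callback would wrap s3Client.ListObjectsV2 and return its error.

```go
package main

// codedError mirrors the Code() method of aws-sdk-go's awserr.Error, the error
// ListObjectsV2 returns; declared locally so the example runs without the SDK.
type codedError interface{ Code() string }

type BucketState int

const (
	BucketExists  BucketState = iota // listing succeeded
	BucketMissing                    // S3 answered NoSuchBucket
	BucketDenied                     // bucket exists, but account A may not list it
)

// CheckBucket turns one cross-account list attempt into a startup decision.
// list wraps s3Client.ListObjectsV2 (Bucket: name, MaxKeys: 1) and returns its
// error. Anything but the two codes seen in the answers (e.g. a network fault)
// is returned unchanged so a transient failure is never read as "missing".
func CheckBucket(list func(bucket string) error, bucket string) (BucketState, error) {
	err := list(bucket)
	if err == nil {
		return BucketExists, nil
	}
	if ce, ok := err.(codedError); ok {
		switch ce.Code() {
		case "NoSuchBucket":
			return BucketMissing, nil
		case "AccessDenied":
			return BucketDenied, nil
		}
	}
	return 0, err
}

// fakeS3Error and fakeList are constructed stand-ins for the real S3 client.
type fakeS3Error string

func (e fakeS3Error) Error() string { return string(e) }
func (e fakeS3Error) Code() string  { return string(e) }

func fakeList(bucket string) error {
	switch bucket {
	case "account-B-Bucket": // allowed by the bucket and role policies above
		return nil
	case "private-bucket":
		return fakeS3Error("AccessDenied")
	}
	return fakeS3Error("NoSuchBucket")
}
```

At startup the application would treat anything other than BucketExists as fatal, since it needs both the bucket and permission to list it.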
