Reputation: 1208
I have two Amazon accounts, Account-A and Account-B. I want to give Account-B full control over all S3-related operations in Account-A; for example, Account-B should be able to create/delete/list buckets belonging to Account-A.
Can you point me to how it's done? So far I was only able to find how to grant cross-account access to a single S3 bucket, but not to all S3 functionalities.
Upvotes: 1
Views: 1253
Reputation: 269881
There are two ways to assign cross-account permissions for Amazon S3:
Note that the permissions are required in both directions.
The downside to this method is that the Bucket Policy must be applied to every bucket that you want to make available. Also, this will not work for creating new buckets since there is no bucket policy to grant access.
Create an IAM Role (Role-A) that has all desired S3 permissions, and a Trust Policy that trusts Account-B. Account-B can then call AssumeRole() on Role-A. This does not require any Bucket Policies, but has the requirement to call AssumeRole().
See also: Provide cross-account access to objects in S3 buckets
Upvotes: 1
Reputation: 5285
Start with the AWS doc walkthrough, then set the bucket policy as follows (my changes from the doc have // comments):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Example permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::AccountB-ID:root"
      },
      "Action": [
        "s3:*"  // ALL S3 actions
      ],
      "Resource": [
        "*"  // ALL resources with an 's3:' operation
      ]
    }
  ]
}
Upvotes: 1
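The two methods from the first answer (per-bucket policy vs. Role-A with a trust policy and AssumeRole) and the bucket policy from the second answer, worked through as an added example that is not part of either answer. It builds all four policy documents involved, including the one Account-B must grant its own users (the "both directions" point), audits who a policy trusts, and wraps the AssumeRole call. The account IDs, the bucket name and the session name are constructed placeholders; the role name Role-A comes from the first answer. The bucket policy scopes Resource to the bucket and its objects, since a bucket policy governs only its own bucket and so cannot grant account-level actions such as CreateBucket, which is exactly why the first answer says method 1 cannot cover bucket creation.

```python
import json

# Constructed placeholder account IDs; substitute the real 12-digit IDs.
ACCOUNT_A = "111111111111"   # owns the buckets
ACCOUNT_B = "222222222222"   # should get S3 access in Account-A
ROLE_NAME = "Role-A"         # role name used in the first answer


def bucket_policy(bucket, trusted_account=ACCOUNT_B):
    """Method 1: policy attached to one bucket in Account-A granting Account-B all S3
    actions on that bucket. Must be repeated for every bucket, and cannot grant
    account-level actions such as s3:CreateBucket or s3:ListAllMyBuckets."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "CrossAccountFullAccess",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "s3:*",
            "Resource": [arn, f"{arn}/*"],
        }],
    }


def role_trust_policy(trusted_account=ACCOUNT_B):
    """Method 2, part 1: trust policy on Role-A letting principals in Account-B assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def role_permissions_policy():
    """Method 2, part 2: permissions attached to Role-A. This is an IAM policy, not a
    bucket policy, so Resource "*" is meaningful and covers bucket creation/listing."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
    }


def assume_role_policy(role_account=ACCOUNT_A, role_name=ROLE_NAME):
    """Method 2, part 3: what Account-B must grant its own users, namely permission
    to call AssumeRole on Role-A (the 'permissions in both directions' point)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": f"arn:aws:iam::{role_account}:role/{role_name}",
        }],
    }


def trusted_principals(policy):
    """Set of AWS principals an Allow statement names. For auditing trust and bucket
    policies: '*' means anyone, which a cross-account grant should never say."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            found.add("*")
        elif isinstance(principal, dict):
            aws = principal.get("AWS", [])
            found.update([aws] if isinstance(aws, str) else aws)
    return found


def is_safely_scoped(policy, expected_account):
    """True when every Allow principal is exactly the expected account root."""
    return trusted_principals(policy) == {f"arn:aws:iam::{expected_account}:root"}


def s3_client_via_role(role_account=ACCOUNT_A, role_name=ROLE_NAME,
                       session_name="account-b-session"):
    """Run with Account-B credentials: AssumeRole on Role-A and return an S3 client
    acting in Account-A. boto3 is imported here so the policy helpers above do not
    need it installed."""
    import boto3
    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{role_account}:role/{role_name}",
        RoleSessionName=session_name,
    )["Credentials"]
    return boto3.client(
        "s3",
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )


if __name__ == "__main__":
    print(json.dumps(bucket_policy("example-bucket"), indent=2))   # constructed bucket name
    print(json.dumps(role_trust_policy(), indent=2))
    print(json.dumps(assume_role_policy(), indent=2))
```

To use the role route, attach `role_trust_policy()` as Role-A's trust relationship and `role_permissions_policy()` as its permissions in Account-A, attach `assume_role_policy()` to the users in Account-B, then call `s3_client_via_role()` from Account-B. `is_safely_scoped()` is the check worth running before saving any of these documents: a trust policy whose principal drifts to `*` turns a two-account grant into a public one.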