Jainam

Reputation: 47

Access S3 bucket with IAM role from another AWS account

Scenario: There are 3 AWS accounts on our infra. IAM users are created in only 1 account. They use Switch Role to log in to the other accounts.

Now there's one S3 bucket in the account where the IAM users are created, but when the IAM users use Switch Role to log in to the other accounts, they can't see the S3 bucket.

Below is the S3 bucket policy. As you can see, we have given s3:ListBucket and s3:GetObject permissions to the roles that are present in the other accounts.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::975062884610:role/dev-switch-role",
                        "arn:aws:iam::243225358771:role/prod-switch-role"
                    ]
                },
                "Action": "s3:ListBucket",
                "Resource": "arn:aws:s3:::logs-s3-bucket"
            },
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::975062884610:role/dev-switch-role",
                        "arn:aws:iam::243225358771:role/prod-switch-role"
                    ]
                },
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::logs-s3-bucket/*"
            }
        ]
    }

Also, the roles have the AdministratorAccess policy attached in their role policies, but the IAM users still can't view the bucket after using Switch Role to log in to the other accounts.

Upvotes: 1

Views: 399

Answers (1)

John Rotenstein

Reputation: 269091

Let's say you have:

  • Users or Roles in Account-A
  • A bucket in Account-B

When granting cross-account access to an Amazon S3 bucket, you need to grant BOTH of the following:

  • An IAM Policy on the IAM User / IAM Role in Account-A to access the bucket in Account-B, AND
  • A Bucket Policy on the bucket in Account-B that permits access from the user/role in Account-A -- I think the policy you have shown in your question would do this nicely

Therefore, my guess would be that the non-functioning role(s) have not been given permission to access the S3 bucket in Account-B.

You might be wondering why you require BOTH sets of permissions. It is because:

  • By default, users in Account-A cannot use any services. They must be granted permission to use S3 -- either specifically for the Bucket in Account-B, or to all buckets in AWS.
  • IAM entities in other accounts cannot access your own bucket (for example, I cannot access a bucket in your account even if I have Admin permissions). The Bucket Policy is a way of granting access to IAM entities in other accounts.

Upvotes: 0
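The two-sided check the answer describes, as an added example (this is not code from the question or the answer): a small offline evaluator that takes the bucket policy from the question together with an assumed identity policy for `dev-switch-role` in Account-A and reports whether a request is allowed only when both documents allow it. It implements a simplified subset of IAM evaluation (explicit Deny wins, otherwise both sides must Allow; no SCPs, permission boundaries, session policies or Condition blocks) and matches the role ARN directly rather than the `assumed-role` session ARN a real request carries, so treat it as an illustration of the rule, not as a substitute for the IAM policy simulator.

```python
import re

# Bucket policy as posted in the question (owned by Account-B).
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": [
                "arn:aws:iam::975062884610:role/dev-switch-role",
                "arn:aws:iam::243225358771:role/prod-switch-role",
            ]},
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::logs-s3-bucket",
        },
        {
            "Effect": "Allow",
            "Principal": {"AWS": [
                "arn:aws:iam::975062884610:role/dev-switch-role",
                "arn:aws:iam::243225358771:role/prod-switch-role",
            ]},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::logs-s3-bucket/*",
        },
    ],
}

# ASSUMPTION: identity policy attached to dev-switch-role in Account-A.
# This is the "other half" the answer says must exist; it is constructed here.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::logs-s3-bucket"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::logs-s3-bucket/*"},
    ],
}

# A role with no S3 permissions at all (constructed, for contrast).
EMPTY_ROLE_POLICY = {"Version": "2012-10-17", "Statement": []}

DEV_ROLE = "arn:aws:iam::975062884610:role/dev-switch-role"


def _match(pattern, value):
    """IAM-style wildcard match: '*' matches any run, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _principal_matches(statement, principal_arn):
    principal = statement.get("Principal")
    if principal is None:  # identity policy: the principal is implicit
        return True
    if principal == "*":
        return True
    aws = principal.get("AWS", [])
    if aws == "*":
        return True
    return any(_match(p, principal_arn) for p in _as_list(aws))


def evaluate(policy, principal_arn, action, resource):
    """Return 'Deny', 'Allow' or None for one policy document."""
    result = None
    for st in policy["Statement"]:
        if not _principal_matches(st, principal_arn):
            continue
        if not any(_match(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(_match(r, resource) for r in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # explicit Deny always wins
        result = "Allow"
    return result


def cross_account_allowed(role_policy, bucket_policy, principal_arn, action, resource):
    """Simplified cross-account decision: Deny anywhere -> False; otherwise the
    caller's identity policy AND the bucket policy must both Allow."""
    identity = evaluate(role_policy, principal_arn, action, resource)
    resource_side = evaluate(bucket_policy, principal_arn, action, resource)
    if "Deny" in (identity, resource_side):
        return False
    return identity == "Allow" and resource_side == "Allow"


if __name__ == "__main__":
    obj = "arn:aws:s3:::logs-s3-bucket/app.log"
    print("role policy present :", cross_account_allowed(ROLE_POLICY, BUCKET_POLICY, DEV_ROLE, "s3:GetObject", obj))
    print("role policy missing :", cross_account_allowed(EMPTY_ROLE_POLICY, BUCKET_POLICY, DEV_ROLE, "s3:GetObject", obj))
```

Running it shows the symptom from the question reproduced on the "role policy missing" line: the bucket policy alone evaluates to Allow, but the request is still refused because the identity side returned nothing. Swapping in a role policy that covers the bucket flips the decision to allowed, which is the fix the answer points at.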
