Across Account S3 Bucket Get Access Oddities

0

Hello and thank you for viewing.

Background Information:

Attempting to set up cross-account S3 bucket access for my DevOps folks to have access to my account bucket that has backups in it.

I have implemented it and it is nearly identical to the "Cross-account IAM roles" section of this link that includes console viewing: https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/

I did set up a policy in ACCOUNT-A with the read-only rules I need in place and the items for console viewing and have that attached to my AcrossAccountS3 role. I added the arn:iam:ACCOUNT-B:user in the trusted relationships for said AcrossAccountS3 role. I then, as the document describes, created a policy in ACCOUNT-B for permission for my account in B to assume the ACCOUNT-A:AcrossAccountS3 role.

At the bottom of that document, I would like to note, it states "so a bucket policy or an ACL for cross-account access isn't required", and that is the exact reason why I am attempting to do it this way. So at this point my bucket policy is null and void of any references to Account B.

What Is Actually Happening

If I log in to ACCOUNT-B with my user that has the assume-role policy attached to it, I can go to SWITCH ROLE, switch to the ACCOUNT-A:AcrossAccountS3 role, go to S3 and I see ACCOUNT A S3 just like my policy in ACCOUNT-A dictates. I can only download and list the folders as explicitly called out in my ACCOUNT-A policy, just as it dictates. In other words, thus far everything seems like it has worked perfectly as described in the support document.

However, if I log in to an EC2 instance in ACCOUNT-B with my user and run "aws sts assume-role --role-arn arn:aws:iam::ACCOUNT-A:role/CrossAccountS3 --role-session-name s3-access", I don't have the same experience. I do get the role and that part looks fine when it passes that over. It gives no negative feedback whatsoever. But once I try to do "aws s3 ls s3://ACCOUNT-A/GeneralFolder" I get "An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied", and if I try to download something explicitly, something that downloaded perfectly fine from the console, like "aws s3 cp s3://ACCOUNT-A/GeneralFolder/Database.bak", I get this error: "Fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden".

That Leaves Me Here

Currently, I would note that I did end up implementing a very similar bucket policy in ACCOUNT-A for ACCOUNT-B and the CLI now does work, but as the knowledge document mentions, and as I would prefer to do, the bucket policy is not supposed to be a requirement for cross-account S3 access and I should be able to accomplish all of this within the IAM world. Unless I'm misunderstanding something.

I have been completely stumped on how assuming the role via console in ACCOUNT-B can work 100% as I would expect and exactly in line with my ACCOUNT-A policy, but assuming the role via CLI in ACCOUNT-B does not. Any help or suggestions would be MUCH appreciated.

asked 5 years ago, 238 views
1 answer
0

Doh! Just me setting up my profile incorrectly... :/

answered 5 years ago
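The profile mistake in the answer comes down to how the CLI picks up credentials: the JSON that `aws sts assume-role` prints changes nothing until its three values are exported (or the role is configured as a named profile), and `aws sts get-caller-identity` shows which principal the CLI is really using. The shell script below is an added example, not code from the post; it assumes the role ARN from the question, a constructed STS response in place of a live call, and a `default` profile holding the ACCOUNT-B user's keys.

```shell
#!/bin/sh
# Added example (not from the original post). Role ARN taken from the question.
ROLE_ARN="arn:aws:iam::ACCOUNT-A:role/CrossAccountS3"

# Constructed sample of what `aws sts assume-role --output json` prints
# (placeholder values, not real credentials).
SAMPLE_STS_JSON='{
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID",
        "SecretAccessKey": "EXAMPLESECRETKEY",
        "SessionToken": "EXAMPLESESSIONTOKEN",
        "Expiration": "2020-01-01T00:00:00Z"
    }
}'

# Pull one string field out of the CLI's pretty-printed JSON (one key per line).
json_field() {
    printf '%s\n' "$2" | sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Turn an assume-role response into export lines. All three values are needed;
# without them the CLI silently keeps using the IAM user's long-term keys,
# which is exactly the AccessDenied/403 seen in the question.
credentials_to_exports() {
    key=$(json_field AccessKeyId "$1")
    secret=$(json_field SecretAccessKey "$1")
    token=$(json_field SessionToken "$1")
    [ -n "$key" ] && [ -n "$secret" ] && [ -n "$token" ] || return 1
    printf 'export AWS_ACCESS_KEY_ID=%s\n' "$key"
    printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$secret"
    printf 'export AWS_SESSION_TOKEN=%s\n' "$token"
}

# Alternative that avoids manual exports: a named profile in ~/.aws/config
# that the CLI resolves by assuming the role from the source profile.
profile_config() {
    cat <<EOF
[profile $1]
role_arn = ${ROLE_ARN}
source_profile = default
role_session_name = s3-access
EOF
}

# Live usage on the ACCOUNT-B instance (needs the CLI and the user's keys):
#   eval "$(credentials_to_exports "$(aws sts assume-role \
#       --role-arn "$ROLE_ARN" --role-session-name s3-access --output json)")"
#   aws sts get-caller-identity   # Arn must read ...:assumed-role/CrossAccountS3/...
#   aws s3 ls s3://ACCOUNT-A/GeneralFolder
```

With the profile variant, `profile_config devops >> ~/.aws/config` followed by `aws s3 ls s3://ACCOUNT-A/GeneralFolder --profile devops` has the CLI perform the assume-role itself, so no session credentials are pasted by hand.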
