Allow one instance in another account write access to an S3 bucket, but all other instances just ReadOnly.

0

In account A I have the S3 bucket. In account B I have an instance that I want to allow write access to the S3 bucket. All other instances in the two accounts should only have ReadOnly access.

I have the following for my bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::846356111111:root",
                    "arn:aws:iam::233450222222:root"
                ]
            },
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::prod-us-ansible",
                "arn:aws:s3:::prod-us-ansible/*"
            ]
        }
    ]
}

In account A I have the following policy:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "VisualEditor0",
			"Effect": "Allow",
			"Action": "s3:*",
			"Resource": [
				"arn:aws:s3:::prod-us-ansible",
				"arn:aws:s3:::prod-us-ansible/*"
			]
		}
	]
}

Then in account B I have the following policy added to the role attached to the instance I want to allow write access to.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [
                "arn:aws:iam::233450222222:role/EC2-S3-AnsibleAllowWrite"
            ]
        }
    ]
}

When I test this out on the instance I get the following when doing aws s3 sync: fatal error: An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied

I know I am missing something, but what is it that I am missing?

2 Answers
0
Accepted answer

What I ended up doing that worked is in this doc: https://repost.aws/knowledge-center/cross-account-access-s3 I followed the first section, "IAM policies and resource-based bucket policies".

  1. Create an S3 bucket in Account A.
  2. Create an IAM role or user in Account B.

This worked. Now I just need to test how open it is and limit it.

answered 8 months ago
AWS EXPERT
reviewed 8 months ago
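The approach in the accepted answer needs an Allow on both sides of the account boundary: a resource-based policy on the bucket in account A and an identity policy on the role that the instance in account B runs with. The following is an added example, not code from the question or from the linked AWS article. It builds both policies for the setup described in the question (bucket `prod-us-ansible`, role `EC2-S3-AnsibleAllowWrite`, the two account IDs from the bucket policy above) and adds a small lint that answers the question a reviewer would ask: which principals end up with write access? Which account ID is A and which is B is an assumption; the role ARN in the question sits in 233450222222, so that account is taken to be B. The explicit Deny statement is also an addition: without it, any identity in account A whose own identity policy says `s3:*` (as the account A policy in the question does) can still write, because for same-account access either policy allowing the action is enough.

```python
"""Cross-account S3: read for both accounts, write for exactly one role.
Added example; account IDs, bucket and role name are from the question above,
the A/B assignment is assumed (see the comments on the constants)."""
import json
from fnmatch import fnmatchcase

BUCKET = "prod-us-ansible"
ACCOUNT_A = "846356111111"  # assumed: the account that owns the bucket
ACCOUNT_B = "233450222222"  # assumed: the account running the writing instance
WRITER_ROLE = f"arn:aws:iam::{ACCOUNT_B}:role/EC2-S3-AnsibleAllowWrite"
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
OBJECTS_ARN = f"{BUCKET_ARN}/*"

READ_ACTIONS = ["s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket",
                "s3:GetBucketLocation"]
WRITE_ACTIONS = ["s3:PutObject", "s3:DeleteObject"]


def bucket_policy() -> dict:
    """Resource-based policy for the bucket in account A."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # An account root principal means "any identity in that account
                # whose own identity policy also allows the action".
                "Sid": "AllowReadFromBothAccounts",
                "Effect": "Allow",
                "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT_A}:root",
                                      f"arn:aws:iam::{ACCOUNT_B}:root"]},
                "Action": READ_ACTIONS,
                "Resource": [BUCKET_ARN, OBJECTS_ARN],
            },
            {   # Write goes to one role ARN, never to "*": an Allow to "*"
                # is what conflicts with Block Public Access.
                "Sid": "AllowWriteFromOneRole",
                "Effect": "Allow",
                "Principal": {"AWS": WRITER_ROLE},
                "Action": WRITE_ACTIONS,
                "Resource": OBJECTS_ARN,
            },
            {   # Explicit Deny wins over every Allow, including an identity
                # policy in account A that says s3:*.  aws:PrincipalArn is the
                # role ARN for a role session, not the session ARN.
                "Sid": "DenyWriteFromEveryoneElse",
                "Effect": "Deny",
                "Principal": "*",
                "Action": WRITE_ACTIONS,
                "Resource": OBJECTS_ARN,
                "Condition": {"ArnNotEquals": {"aws:PrincipalArn": WRITER_ROLE}},
            },
        ],
    }


def writer_role_policy() -> dict:
    """Identity policy for the instance role in account B.  Cross-account
    access needs an Allow here AND in the bucket policy."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ReadWriteAnsibleBucket",
            "Effect": "Allow",
            "Action": READ_ACTIONS + WRITE_ACTIONS,
            "Resource": [BUCKET_ARN, OBJECTS_ARN],
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(statement) -> list:
    principal = statement["Principal"]
    return ["*"] if principal == "*" else _as_list(principal.get("AWS", []))


def allowed_principals(policy: dict, action: str) -> set:
    """Principals that some Allow statement grants `action` to.  Wildcards
    such as s3:Get* are honoured; Deny statements and conditions are not."""
    out = set()
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if any(fnmatchcase(action, pat) for pat in _as_list(st["Action"])):
            out.update(_principals(st))
    return out


def write_is_locked_to(policy: dict) -> set:
    """ARNs exempted from a Deny on every write action.  An empty set means a
    same-account identity with broader rights can still write."""
    for st in policy["Statement"]:
        if st["Effect"] == "Deny" and _principals(st) == ["*"] \
                and set(WRITE_ACTIONS) <= set(_as_list(st["Action"])):
            cond = st.get("Condition", {}).get("ArnNotEquals", {})
            return set(_as_list(cond.get("aws:PrincipalArn", [])))
    return set()


if __name__ == "__main__":
    print(json.dumps(bucket_policy(), indent=2))
    print("writers:", allowed_principals(bucket_policy(), "s3:PutObject"))
```

Two caveats before applying this for real. The Deny also applies to administrators in account A, so keep a break-glass path (a second exempted ARN in the condition, or drop the Deny and narrow the account A identity policies instead). And the lint is a readability aid for a policy you wrote yourself, not an evaluator: it ignores conditions, NotAction/NotPrincipal and Deny precedence, so the authoritative check is still the IAM policy simulator or S3 Access Analyzer against the deployed bucket.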
0

Hello.

Once you have done that, why don't you try removing Account A as a principal from the bucket policy?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::233450222222:root"
                ]
            },
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::prod-us-ansible",
                "arn:aws:s3:::prod-us-ansible/*"
            ]
        }
    ]
}

Am I correct in assuming that the IAM role "EC2-S3-AnsibleAllowWrite" is configured to be used from account B?

In addition, the following document seems to indicate that the bucket can be accessed successfully without setting up a bucket policy, as long as the cross-account role is set up.
https://repost.aws/knowledge-center/s3-instance-access-bucket

EXPERT
answered 8 months ago
  • If I change the bucket policy principal to "*" I get an error that the level of access the policy grants conflicts with the Block Public Access settings on the bucket.

    Yes, the IAM role "EC2-S3-AnsibleAllowWrite" is to be used by the instance in Account B.
