If you want to create an S3 bucket in Account B from Account A, you can do that through role chaining. Account A should have access to assume the Account B role, which has permission to create the S3 bucket. It's not that the Account A role itself creates the bucket in Account B; the Account A role first assumes the Account B role, and then with that role it creates the bucket in Account B.
Please refer to this documentation, which explains the cross-account assume-role setup in detail; then you can create the bucket through the CLI.
Here is how it'd be done:
- Account A role should have permission to assume the Account B role
- Account B role should have permission to create an S3 bucket in Account B
- Account B role should have a trust relationship for the Account A role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::<AccountA>:role/<RoleName>" },
      "Action": "sts:AssumeRole"
    }
  ]
}
If the roles are SAML federated or web identity based, go through this blog post, which covers trust relationship examples.
Edit:
Here is how you would do:
Step-1: Account A:
aws sts assume-role --role-arn arn:aws:iam::AccountB:role/AccountB_Role --role-session-name creates3bucket --profile AccountA
Step-2: Import the credentials to perform the action in AccountB
- export AWS_ACCESS_KEY_ID="Returned AccessKeyId from the first command"
- export AWS_SECRET_ACCESS_KEY="Returned SecretAccessKey from the first command"
- export AWS_SESSION_TOKEN="Returned SessionToken from the first command"
Step-3: Create bucket
aws s3api create-bucket --bucket <bucket-name>
This would create the bucket in AccountB. Please refer to the "Using temporary security credentials with the AWS CLI" section of the AWS documentation.
Hope you find this useful.
Abhishek
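As an added example (not part of Abhishek's answer or of the AWS documentation it cites), here are the three steps above as one script. It also covers two things the steps leave implicit: checking with `aws sts get-caller-identity` that the exported session really belongs to Account B before anything is created, and passing a `LocationConstraint` for every region other than us-east-1, without which `create-bucket` fails. The account id, role name, profile name, bucket name and region are placeholder assumptions; replace them with your own.

```shell
#!/bin/sh
# Added example, not code from the answer above: assume the Account B role from
# Account A, confirm the session is really in Account B, then create the bucket.
# Account id, role name, profile, bucket name and region below are assumed placeholders.
set -eu

ACCOUNT_B_ID="${ACCOUNT_B_ID:-222222222222}"
ROLE_ARN="${ROLE_ARN:-arn:aws:iam::${ACCOUNT_B_ID}:role/AccountB_Role}"
SOURCE_PROFILE="${SOURCE_PROFILE:-AccountA}"
BUCKET="${BUCKET:-my-cross-account-bucket}"
REGION="${REGION:-eu-west-1}"

# Convert the one tab-separated line produced by
#   aws sts assume-role ... --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text
# into the three export statements. Fails unless exactly three fields are present,
# so an error or truncated response never silently exports half a credential set.
creds_to_exports() {
  printf '%s\n' "$1" | awk -F'\t' '
    NF == 3 { printf "export AWS_ACCESS_KEY_ID=\"%s\"\nexport AWS_SECRET_ACCESS_KEY=\"%s\"\nexport AWS_SESSION_TOKEN=\"%s\"\n", $1, $2, $3; exit 0 }
    { exit 1 }'
}

# Field 5 of an ARN is the account id:
#   arn:aws:sts::222222222222:assumed-role/AccountB_Role/creates3bucket -> 222222222222
account_from_arn() {
  printf '%s\n' "$1" | cut -d: -f5
}

# Arguments for create-bucket. Every region except us-east-1 requires a
# LocationConstraint; us-east-1 must be called without one.
create_bucket_args() {
  if [ "$2" = "us-east-1" ]; then
    printf '%s %s %s %s\n' --bucket "$1" --region us-east-1
  else
    printf '%s %s %s %s %s %s\n' --bucket "$1" --region "$2" \
      --create-bucket-configuration "LocationConstraint=$2"
  fi
}

run_live() {
  # Step 1: assume the Account B role using Account A's profile.
  creds=$(aws sts assume-role \
      --role-arn "$ROLE_ARN" \
      --role-session-name creates3bucket \
      --profile "$SOURCE_PROFILE" \
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
      --output text)

  # Step 2: export the temporary credentials; unset AWS_PROFILE so nothing but
  # the exported keys backs the following calls.
  eval "$(creds_to_exports "$creds")"
  unset AWS_PROFILE

  # Before touching S3, prove the session belongs to Account B. Without this check a
  # typo in ROLE_ARN quietly creates the bucket in whichever account the keys belong to.
  caller_arn=$(aws sts get-caller-identity --query Arn --output text)
  session_account=$(account_from_arn "$caller_arn")
  if [ "$session_account" != "$ACCOUNT_B_ID" ]; then
    echo "session is $caller_arn (account $session_account), expected account $ACCOUNT_B_ID; aborting" >&2
    exit 1
  fi

  # Step 3: create the bucket in Account B and read back where it landed.
  # shellcheck disable=SC2046  # word splitting of the generated arguments is intended
  aws s3api create-bucket $(create_bucket_args "$BUCKET" "$REGION")
  aws s3api get-bucket-location --bucket "$BUCKET"
}

# The AWS calls only run on request, so the helpers can be exercised without credentials.
if [ "${RUN_LIVE:-0}" = 1 ]; then
  run_live
fi
```

Run it as `RUN_LIVE=1 ROLE_ARN=arn:aws:iam::<AccountB>:role/<RoleName> SOURCE_PROFILE=AccountA BUCKET=<bucket-name> REGION=<region> sh create-bucket-in-b.sh`. The identity check is the part worth keeping even if you type the commands by hand: `aws sts get-caller-identity` after the exports must show Account B's id, otherwise the bucket ends up in whichever account the active credentials belong to.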
In the console you will only be able to create a bucket within the account of the role you are using.
You can't choose to create a bucket in another account.
You'd have to assume a role in the account where you wish to create the bucket.
The S3 bucket creation process is always performed within the account from which the AWS credentials are sourced. This means that when you're logged into account A, you can only create a bucket in account A, not in account B. Even when you assume a role in account B, the bucket will be created in account A.
In order to create a bucket in account B, you need to do one of the following:
- Assume the IAM role in account B that has the necessary permissions and use those credentials to create the bucket.
- Create the bucket in account A and then migrate it to account B. This process includes creating a bucket in account A, copying all of the data to a new bucket in account B, and then deleting the bucket from account A.
- If you want to create a bucket in account B from account A, you need to have account B's credentials available in account A. This is not a recommended practice due to security reasons.
When it comes to AWS services, always remember that resource creation and management are performed under the context of the account that owns the IAM credentials being used.
Your current process of granting bucket creation permissions to a role in Account B is fine, but it's missing the step where you actually switch to Account B: assume the role using the AWS Security Token Service (AWS STS) AssumeRole API to receive temporary credentials for that role, then use those temporary credentials to make the API call that creates the bucket.
Please note that IAM policies and roles only govern permissions, they do not implicitly change the context of your operations between AWS accounts.
Do you have any additional questions? Happy to help.
In this case, does the AWS access key have to belong to account B or account A?
Here is how you would do:
Step-1: Account A: aws sts assume-role --role-arn arn:aws:iam::AccountB:role/AccountB_Role --role-session-name creates3bucket --profile AccountA
Step-2: Import the credentials to perform the action in AccountB
Step-3: aws s3api create-bucket --bucket <bucket-name>
This would create the bucket in AccountB. Please refer to the "Using temporary security credentials with the AWS CLI" section of the AWS documentation.
I've added these steps to the Edit section of my answer as well.