Access bucket s3 from a role on another account

0

Hi all,

I'm trying to set up an environment where an S3 bucket is accessed from another account.

The S3 bucket, called bucket01, was created in one account (Account A), and the access is from another account (Account B).

On account B, I created the role called role01.

I defined the following policy on the S3 bucket in account A.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::<id other account B>:role/role01"
                ]
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::bucket01/*"
        }
    ]
}

I created the role called role01 with the following policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::bucket01"
            ]
        }
    ]
}

I associated this role with a server running Linux, and from that server executed the aws s3 ls command. It does not work:

An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied

Let me know where I'm going wrong.

Thanks.

Asked 3 years ago, 1122 views
2 Answers
0

Hello,

Greetings of the day,

I understand that you are trying to access an S3 bucket in account A from the IAM role in account B and are facing an access denied error while running the 'aws s3 ls' command via the CLI.

Please note that s3 ls is a bucket-level operation, and hence we need to provide bucket-level permission to the IAM role in both the IAM policy and the bucket policy, as this is a cross-account scenario.

Looking into the policies which you have shared, I can see that the IAM policy is granting bucket-level permission on the S3 bucket. However, the bucket policy is granting only object-level permission to the IAM role. When the request to the S3 bucket is made from a different account's IAM role, both the IAM policy and the bucket policy should grant the permissions.

As the bucket policy was not allowing the IAM role to perform bucket-level operations, you were facing the access denied error. In order to resolve the access denied error, the bucket policy should allow the IAM role to perform bucket-level operations.

I am happy that you were able to resolve this issue now by following the AWS documentation. Let us know if you still face any issue.

Thank you!!

AWS
answered 3 years ago
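To make the "both sides must allow" rule from the answer concrete, here is an added example (not code from the thread or from AWS) that evaluates a cross-account S3 request against the bucket policy of account A and the identity policy of role01 in account B. It implements only the subset of IAM evaluation needed here (Allow/Deny statements, wildcard matching on Action and Resource, and an AWS principal match), and it is more general than the single case in the question in that it also shows the object-level side. The account id 111122223333 is a placeholder; bucket01 and role01 are the names used in the question. The original bucket policy from the question and a corrected one are both embedded as constructed sample input.

```python
"""Added example: minimal evaluator for the cross-account S3 rule that the bucket
policy (resource-based, account A) AND the role's identity policy (account B)
must both allow the action on the resource. Not AWS's evaluation engine."""
import fnmatch

ACCOUNT_B_ID = "111122223333"  # constructed placeholder, not a real account id
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B_ID}:role/role01"
BUCKET_ARN = "arn:aws:s3:::bucket01"

# Bucket policy as posted in the question: grants only the object-level resource.
BUCKET_POLICY_ORIGINAL = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [ROLE_ARN]},
        "Action": "s3:*",
        "Resource": f"{BUCKET_ARN}/*",
    }],
}

# Corrected bucket policy: the bucket ARN itself is added so bucket-level
# actions such as s3:ListBucket (what `aws s3 ls s3://bucket01` calls) can match.
BUCKET_POLICY_FIXED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [ROLE_ARN]},
        "Action": "s3:*",
        "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
    }],
}

# Identity policy attached to role01 as posted: bucket-level resource only.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*"], "Resource": [BUCKET_ARN]}],
}


def _as_list(value):
    """IAM accepts a single string or a list in Action, Resource and Principal."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM wildcard match: '*' spans any characters (including '/'), '?' one character."""
    return fnmatch.fnmatchcase(value, pattern)


def _principal_matches(statement, principal_arn):
    """Resource-based policies name a principal; identity policies carry none."""
    if principal_arn is None:
        return "Principal" not in statement
    principal = statement.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p in ("*", principal_arn) for p in _as_list(principal.get("AWS", [])))
    return False


def _statement_matches(statement, action, resource, principal_arn):
    return (
        _principal_matches(statement, principal_arn)
        and any(_matches(a, action) for a in _as_list(statement.get("Action", [])))
        and any(_matches(r, resource) for r in _as_list(statement.get("Resource", [])))
    )


def policy_allows(policy, action, resource, principal_arn=None):
    """True if an Allow statement matches and no Deny statement does (explicit deny wins)."""
    matching = [s for s in _as_list(policy["Statement"])
                if _statement_matches(s, action, resource, principal_arn)]
    if any(s.get("Effect") == "Deny" for s in matching):
        return False
    return any(s.get("Effect") == "Allow" for s in matching)


def cross_account_allowed(bucket_policy, role_policy, role_arn, action, resource):
    """Cross-account rule: the bucket policy AND the caller's identity policy must both allow."""
    by_bucket = policy_allows(bucket_policy, action, resource, principal_arn=role_arn)
    by_role = policy_allows(role_policy, action, resource)
    return {"bucket_policy": by_bucket, "role_policy": by_role, "allowed": by_bucket and by_role}


if __name__ == "__main__":
    checks = [("s3:ListBucket", BUCKET_ARN), ("s3:GetObject", f"{BUCKET_ARN}/key.txt")]
    for label, policy in (("original", BUCKET_POLICY_ORIGINAL), ("fixed", BUCKET_POLICY_FIXED)):
        for action, resource in checks:
            verdict = cross_account_allowed(policy, ROLE_POLICY, ROLE_ARN, action, resource)
            print(f"{label:8} {action:14} {verdict}")
```

Running it reproduces the thread's diagnosis: with the original bucket policy, s3:ListBucket on arn:aws:s3:::bucket01 passes the role policy but fails the bucket policy, so the request is denied; adding the bucket ARN to the bucket policy makes it pass. The second check shows the mirror-image gap on the questioner's side: s3:GetObject is evaluated against the object ARN (bucket01/key.txt), which the posted role policy does not cover, so object reads would still be denied until the role's policy also lists arn:aws:s3:::bucket01/*. Note that the error in the question names ListObjectsV2, which is what `aws s3 ls s3://bucket01` calls; a bare `aws s3 ls` calls ListAllMyBuckets and only ever lists the caller's own account's buckets.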
