Amplify build failing to get object from an S3 bucket in another account

0

I am trying to get an Amplify build to pull a file from an S3 bucket in another AWS account. Both accounts live under the same organisation. The bucket in account A has the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucket-account-a/*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "o-xxxxxxxxxx"
                }
            }
        }
    ]
}

Account B has the Amplify application with a service role attached and the following amplify.yml:

version: 1
frontend:
  phases:
    preBuild:
      commands:
        - aws s3api get-object --bucket bucket-account-a --key file.txt ./file.txt
        - yarn install
    build:
      commands:
        - yarn run build
  artifacts:
    baseDirectory: .next
    files:
      - '**/*'
  cache:
    paths:
      - node_modules/**/*

The build fails outputting the following error: An error occurred (AccessDenied) when calling the GetObject operation: Access Denied. I have seen that the service role assigned is being assumed and refers to account B, so I am not sure what I am missing or what is stopping this from working. I have tried removing the condition on the above policy and updating the Principal on the S3 bucket policy to the assumed role (arn:aws:sts::bbbbbbbbbbbb:assumed-role/staging-amplify-service-role/BuildSession), the Amplify service, even just without the account id (arn:aws:iam::bbbbbbbbbbbb:root), all producing the same error.

Has anyone tried something similar?

asked a year ago, 638 views
1 answer
0

Hello, Access Denied generally occurs because of permission-related issues. In your scenario I would suggest checking the following:

  1. If the S3 bucket is encrypted with AWS KMS, check whether the KMS key policy allows the other account to access it.
  2. Does the IAM role created in account B have permissions for the S3 bucket? You have to add the S3 bucket to the IAM role policy.
  3. Check that the organisation does not have any restrictive policies.

Please refer to the document below: https://repost.aws/knowledge-center/s3-cross-account-access-denied

AWS
TECHNICAL SUPPORT ENGINEER
answered a year ago
  • Already done. I know the permissions set against the bucket are working as I can use the AWS CLI to get the object assuming a different role with account B. I have used a similar pattern of policies in a few places now and have not encountered any issue, but no matter what I have tried nothing is working within the context of an Amplify build.
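The answer's first two points boil down to one rule of cross-account access: for a GetObject from account B into a bucket in account A, the bucket policy in A and the identity policy of the calling role in B must both allow the call, and if the bucket uses SSE-KMS the same pair of allows is needed for kms:Decrypt on the key. The following is an added example, not code from the question, the answer or any AWS tool: a deliberately simplified evaluator that runs the question's bucket policy against a constructed identity policy for the Amplify service role (the role ARN is reconstructed from the assumed-role session ARN in the question; the KMS key ARN, the "before"/"after" role policies and the key policy are constructed for the demonstration). It is not a full IAM evaluator (no explicit Deny, no NotAction/NotResource, only StringEquals on aws:PrincipalOrgID) and it does not model SCPs, the answer's third point.

```python
"""Simplified cross-account S3 access check (added example, not from the post).

A cross-account GetObject needs an Allow in the bucket policy (account A) AND
in the identity policy of the calling role (account B); with SSE-KMS the same
pair applies to kms:Decrypt on the key. Not a full IAM evaluator: no explicit
Deny, no NotAction/NotResource, only StringEquals on aws:PrincipalOrgID.
"""
import fnmatch

# From the question; the role ARN is reconstructed from the assumed-role
# session ARN quoted there. The KMS key ARN is a constructed placeholder.
ORG_ID = "o-xxxxxxxxxx"
OBJECT_ARN = "arn:aws:s3:::bucket-account-a/file.txt"
ROLE_ARN = "arn:aws:iam::bbbbbbbbbbbb:role/staging-amplify-service-role"
KMS_KEY_ARN = "arn:aws:kms:eu-west-1:aaaaaaaaaaaa:key/EXAMPLE-KEY-ID"

# Request context for a GetObject made by the Amplify service role in account B.
CTX = {
    "principal_arn": ROLE_ARN,
    "account_root": "arn:aws:iam::bbbbbbbbbbbb:root",
    "aws:PrincipalOrgID": ORG_ID,
}

BUCKET_POLICY = {  # the bucket policy from the question, unchanged
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowGetObject", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket-account-a/*",
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}},
    }],
}
# Constructed identity policy for the service role: logging only, nothing for
# the bucket in account A. This is the state the answer's second point targets.
ROLE_POLICY_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "logs:*", "Resource": "*"}],
}
ROLE_POLICY_AFTER = {  # same role with the missing statement added
    "Version": "2012-10-17",
    "Statement": ROLE_POLICY_BEFORE["Statement"] + [{
        "Effect": "Allow", "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::bucket-account-a/*",
    }],
}
# Constructed KMS key policy that only trusts account A's root: the failure
# mode in the answer's first point when the bucket uses SSE-KMS.
KMS_POLICY_ACCOUNT_A_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::aaaaaaaaaaaa:root"},
        "Action": "kms:*", "Resource": "*",
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, ctx):
    # A resource policy may name "*", the role ARN or the caller's account root.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p in ("*", ctx["principal_arn"], ctx["account_root"])
                   for p in _as_list(principal.get("AWS", [])))
    return False


def _conditions_hold(condition, ctx):
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        if any(ctx.get(key) not in _as_list(want) for key, want in pairs.items()):
            return False
    return True


def _statement_allows(stmt, action, resource, ctx, is_resource_policy):
    # IAM wildcards ('*', '?') map onto fnmatch's case-sensitive matching.
    return (stmt.get("Effect") == "Allow"
            and (not is_resource_policy or _principal_matches(stmt.get("Principal"), ctx))
            and any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", [])))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", [])))
            and _conditions_hold(stmt.get("Condition", {}), ctx))


def policy_allows(policy, action, resource, ctx, is_resource_policy):
    return any(_statement_allows(s, action, resource, ctx, is_resource_policy)
               for s in policy["Statement"])


def diagnose(bucket_policy, role_policy, ctx, kms_key_policy=None):
    """Return the checks that block GetObject; an empty list means it should succeed."""
    failures = []
    if not policy_allows(bucket_policy, "s3:GetObject", OBJECT_ARN, ctx, True):
        failures.append("bucket policy does not allow s3:GetObject for this principal")
    if not policy_allows(role_policy, "s3:GetObject", OBJECT_ARN, ctx, False):
        failures.append("role identity policy in account B lacks s3:GetObject on the bucket")
    if kms_key_policy is not None:  # only relevant when the bucket uses SSE-KMS
        if not policy_allows(kms_key_policy, "kms:Decrypt", KMS_KEY_ARN, ctx, True):
            failures.append("KMS key policy does not allow kms:Decrypt for this principal")
        if not policy_allows(role_policy, "kms:Decrypt", KMS_KEY_ARN, ctx, False):
            failures.append("role identity policy lacks kms:Decrypt on the bucket's KMS key")
    return failures


if __name__ == "__main__":
    for label, policy in (("before", ROLE_POLICY_BEFORE), ("after", ROLE_POLICY_AFTER)):
        print(label, diagnose(BUCKET_POLICY, policy, CTX) or ["access should succeed"])
    print("sse-kms", diagnose(BUCKET_POLICY, ROLE_POLICY_AFTER, CTX, KMS_POLICY_ACCOUNT_A_ONLY))
```

With the bucket policy exactly as posted, the "before" role policy is the only thing reported, which matches the symptom in the question: changing the Principal on the bucket side (to the session ARN, the service, or the account root) cannot help while the role in account B grants nothing on the bucket. The real-world equivalent of this check is reading the Amplify service role's attached policies in account B and, if the bucket reports SSE-KMS, the key policy in account A, as the linked knowledge-center article describes.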
