Amplify build failing to get object from an S3 bucket in another account

0

I am trying to get an Amplify build to pull a file from an S3 bucket in another AWS account. Both accounts live under the same organisation. The bucket in account A has the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucket-account-a/*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "o-xxxxxxxxxx"
                }
            }
        }
    ]
}

Account B has the Amplify application with a service role attached and the following amplify.yml:

version: 1
frontend:
  phases:
    preBuild:
      commands:
        - aws s3api get-object --bucket bucket-account-a --key file.txt ./file.txt
        - yarn install
    build:
      commands:
        - yarn run build
  artifacts:
    baseDirectory: .next
    files:
      - '**/*'
  cache:
    paths:
      - node_modules/**/*

The build fails outputting the following error: An error occurred (AccessDenied) when calling the GetObject operation: Access Denied. I have seen that the service role assigned is being assumed and refers to account B, so I am not sure what I am missing or what is stopping this from working. I have tried removing the condition on the above policy and updating the Principal on the S3 bucket policy to the assumed role (arn:aws:sts::bbbbbbbbbbbb:assumed-role/staging-amplify-service-role/BuildSession), the Amplify service, even just without the account id (arn:aws:iam::bbbbbbbbbbbb:root), all producing the same error.

Has anyone tried something similar?

1 Answer
0

Hello, Access Denied generally occurs because of permission related issues. In your scenario I would suggest checking the following:

  1. If the S3 bucket is encrypted with AWS KMS, check whether the KMS key policy allows the other account to access it.
  2. Does the IAM role created in account B have permissions for the S3 bucket? You have to add the S3 bucket in the IAM role policy.
  3. Check that the organisation does not have any restrictive policies.

Please refer to the document below: [+] https://repost.aws/knowledge-center/s3-cross-account-access-denied

AWS
SUPPORT ENGINEER
answered a year ago
  • Already done. I know the permissions set against the bucket are working as I can use the AWS CLI to get the object assuming a different role with account B. I have used a similar pattern of policies in a few places now and have not encountered any issue, but no matter what I have tried nothing is working within the context of an Amplify build.
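The answer's checklist rests on the cross-account rule that a request from account B must be allowed on both sides: by the resource policy in account A (bucket policy and, for SSE-KMS, the key policy) and by the identity policy of the role in account B. The script below is an added example, not code from the question, the answer or AWS: a deliberately small local evaluator that applies checks 1 and 2 to the bucket policy from the question alongside constructed role and key policies, so the three failure modes can be seen without touching a real account. Only the StringEquals operator is modelled, SCPs (check 3) and every other condition operator are not, and the account A id, region, key id and role policies are made up.

```python
import fnmatch

# Constructed sample identifiers: the org id and account B id are the
# placeholders from the question; account A, region and key id are made up.
ORG_ID = "o-xxxxxxxxxx"
ACCOUNT_A = "aaaaaaaaaaaa"
ACCOUNT_B = "bbbbbbbbbbbb"
BUCKET_ARN = "arn:aws:s3:::bucket-account-a"
KEY_ARN = f"arn:aws:kms:eu-west-1:{ACCOUNT_A}:key/11111111-2222-3333-4444-555555555555"
CONTEXT = {"aws:PrincipalOrgID": ORG_ID}  # request context the bucket/key policy sees


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _any_match(patterns, value):
    """IAM-style wildcard match of an action or resource against a pattern list."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_ok(principal, account_id):
    """Resource-policy Principal check: '*' or any AWS principal in account_id."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        for arn in _as_list(principal.get("AWS", [])):
            if arn in ("*", account_id) or f":{account_id}:" in arn:
                return True
    return False


def _condition_ok(condition, context):
    """Only StringEquals is modelled; any other operator counts as not matching."""
    for operator, pairs in (condition or {}).items():
        if operator != "StringEquals":
            return False
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def policy_allows(policy, action, resource, context, account_id=None):
    """True if some Allow statement matches and no Deny statement does.
    account_id is matched against Principal for resource policies (bucket, key);
    identity policies carry no Principal, so callers pass None for them."""
    allowed = False
    for st in _as_list(policy["Statement"]):
        if account_id is not None and not _principal_ok(st.get("Principal"), account_id):
            continue
        if not _any_match(st.get("Action", []), action):
            continue
        if not _any_match(st.get("Resource", []), resource):
            continue
        if not _condition_ok(st.get("Condition"), context):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def diagnose(bucket_policy, role_policy, key_policy, object_key, context=CONTEXT):
    """Checks 1 and 2 from the answer for a GetObject by account B's role: bucket
    policy AND role identity policy must both allow it, and with SSE-KMS the key
    policy and the role must both allow kms:Decrypt. Returns the failing checks."""
    obj = f"{BUCKET_ARN}/{object_key}"
    failures = []
    if not policy_allows(bucket_policy, "s3:GetObject", obj, context, ACCOUNT_B):
        failures.append("bucket policy does not allow s3:GetObject from account B")
    if not policy_allows(role_policy, "s3:GetObject", obj, context):
        failures.append("role identity policy in account B lacks s3:GetObject on the bucket")
    if key_policy is not None and not (
        policy_allows(key_policy, "kms:Decrypt", KEY_ARN, context, ACCOUNT_B)
        and policy_allows(role_policy, "kms:Decrypt", KEY_ARN, context)
    ):
        failures.append("SSE-KMS key cannot be used by account B (key policy or role policy)")
    return failures


# The bucket policy from the question, unchanged.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowGetObject", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": f"{BUCKET_ARN}/*",
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}}}]}

# Constructed identity policy for the Amplify service role: build logging only.
ROLE_POLICY_BEFORE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"], "Resource": "*"}]}

# The same role policy with the S3 read and (for SSE-KMS) decrypt statements added.
ROLE_POLICY_AFTER = {"Version": "2012-10-17", "Statement": ROLE_POLICY_BEFORE["Statement"] + [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"{BUCKET_ARN}/*"},
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN}]}

# Constructed key policies: one trusting account A only, one opened to the organisation.
KEY_POLICY_ACCOUNT_A_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_A}:root"},
    "Action": "kms:*", "Resource": "*"}]}
KEY_POLICY_ORG = {"Version": "2012-10-17", "Statement": KEY_POLICY_ACCOUNT_A_ONLY["Statement"] + [
    {"Effect": "Allow", "Principal": "*", "Action": ["kms:Decrypt", "kms:DescribeKey"],
     "Resource": "*", "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}}}]}
```

Calling `diagnose(BUCKET_POLICY, ROLE_POLICY_BEFORE, None, "file.txt")` reproduces the situation the answer's check 2 describes: the bucket policy is satisfied, yet the request is denied because the role in account B has no S3 statement of its own. With `ROLE_POLICY_AFTER` the list is empty, and passing `KEY_POLICY_ACCOUNT_A_ONLY` shows check 1 failing on its own even though both S3 policies allow the read. Passing an empty context (no `aws:PrincipalOrgID`) fails the bucket policy instead, which is what a build running under a principal outside the organisation would hit.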
