I want to use an Amazon Elastic Compute Cloud (Amazon EC2) instance to access my Amazon Simple Storage Service (Amazon S3) bucket in another account.
Resolution
Note: The steps to grant an Amazon EC2 instance access to an Amazon S3 bucket are similar to the steps to grant access to AWS resources in another account.
Complete the following steps to grant an instance in Account A access to an S3 bucket in Account B.
From Account B, create an IAM role
To create an Identity and Access Management (IAM) role from Account B, complete the following steps:
- Use Account B to sign in to the AWS Management Console.
- Open the IAM console.
- In the navigation pane, choose Roles, and then choose Create role.
- For Trusted entity type, choose AWS account.
- Select Another AWS account, and then enter the account ID of Account A. Note: This option creates a trust policy whose principal is arn:aws:iam::AccountA:root, so any principal in Account A that's allowed to call sts:AssumeRole on this role can assume it. After you create the instance role in Account A (later in this article), you can edit this role's trust policy and replace the account principal with the instance role's ARN so that only that role can assume it.
- Choose Next.
- Attach an IAM policy to the role that delegates access to Amazon S3, and then choose Next. For example, the following IAM policy grants s3:ListBucket on the bucket and s3:GetObject on the objects in it. Object-level actions need the DOC-EXAMPLE-BUCKET/* resource, and bucket-level actions need the bucket ARN itself:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
"arn:aws:s3:::DOC-EXAMPLE-BUCKET"
]
}
]
}
Note: Modify the IAM policy based on the Amazon S3 bucket-level and object-level permissions that are required for your use case.
- For Role name, enter a name for the role.
- (Optional) Add tags to the role.
- Choose Create role.
From Account B, find the IAM role's ARN
To find the IAM role's ARN, complete the following steps:
- From the IAM console's navigation pane, choose Roles.
- Choose the IAM role that you created.
- Note the value that's listed for Role ARN.
From Account A, create another role and attach it to the instance
To create a role (and its instance profile) from Account A and attach it to the instance, complete the following steps. When you create a role for the EC2 service in the console, the console also creates an instance profile with the same name, so you don't need to create one separately.
- Use Account A to sign in to the AWS Management Console.
- Open the IAM console.
- From the navigation pane, choose Roles, and then choose Create role.
- For Trusted entity type, choose AWS service.
- For Service or use case, choose EC2 and then select your use case.
- Choose Next.
- On the Add permissions page, choose Next without attaching a permissions policy. The instance role doesn't need any S3 permissions of its own; it needs only permission to assume the role in Account B, which you add as an inline policy in a later step.
- For Role name, enter a name for the role.
- (Optional) Add tags to the role.
- Choose Create role.
- From the list of roles, choose the role that you created.
- For Add permissions, choose Create inline policy.
- For Policy editor, select JSON, and then enter the following policy:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::111111111111:role/ROLENAME"
}]
}
Note: Replace arn:aws:iam::111111111111:role/ROLENAME with the ARN of the IAM role that you created in Account B.
- Choose Next.
- For Name, enter a name for the policy, and then choose Create policy.
- Attach the IAM role to the instance that you use to access the Amazon S3 bucket. In the Amazon EC2 console, select the instance, and then choose Actions, Security, Modify IAM role.
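The two policy documents above and the trust policy from Account B must point at each other, and the console's "Another AWS account" choice makes the trust policy wider than the instance role needs. As an added example (not code from the original article), the following Python builds all three documents with the trust policy narrowed to the instance role in Account A and then checks the wiring. The account IDs 111111111111 (Account B, the article's placeholder) and 222222222222 (Account A) and the instance role name ec2-s3-crossaccount are assumed placeholders.

```python
import json

# Constructed placeholders (assumptions, not values from the article):
ACCOUNT_A = "222222222222"                 # owns the EC2 instance
ACCOUNT_B = "111111111111"                 # owns the bucket (the article's placeholder)
BUCKET = "DOC-EXAMPLE-BUCKET"
ROLE_B = "ROLENAME"                        # role in Account B that grants S3 access
INSTANCE_ROLE_A = "ec2-s3-crossaccount"    # hypothetical name of the Account A instance role


def role_arn(account_id, role_name):
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def trust_policy(trusted_principal_arn):
    """Trust policy for the role in Account B. Choosing 'Another AWS account'
    in the console produces Principal arn:aws:iam::ACCOUNT_A:root, which lets
    any principal in Account A that holds sts:AssumeRole on this role assume
    it. Naming the instance role's ARN instead limits it to that one role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": trusted_principal_arn},
            "Action": "sts:AssumeRole",
        }],
    }


def s3_read_policy(bucket):
    """Permissions policy for the Account B role: ListBucket on the bucket,
    GetObject on its objects (object-level actions need the /* resource)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}/*", f"arn:aws:s3:::{bucket}"],
        }],
    }


def assume_role_policy(target_role_arn):
    """Inline policy for the Account A instance role: the only permission it
    needs is to assume the one role in Account B."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": target_role_arn,
        }],
    }


def check_wiring(trust, assume, instance_role_arn, target_role_arn):
    """Return a list of problems; empty means both halves of the handshake
    point at each other and neither side is wider than it needs to be."""
    problems = []
    trusted = trust["Statement"][0]["Principal"].get("AWS")
    if trusted == "*":
        problems.append("trust policy allows any AWS principal")
    elif trusted != instance_role_arn:
        if isinstance(trusted, str) and trusted.endswith(":root"):
            problems.append(f"trust policy trusts the whole account: {trusted}")
        else:
            problems.append(f"trust policy trusts {trusted}, not {instance_role_arn}")
    resource = assume["Statement"][0]["Resource"]
    if resource == "*":
        problems.append("instance role may assume any role")
    elif resource != target_role_arn:
        problems.append(f"instance role assumes {resource}, not {target_role_arn}")
    return problems


def build_documents():
    """Build the three documents for the placeholders above and check them."""
    instance_role = role_arn(ACCOUNT_A, INSTANCE_ROLE_A)
    target_role = role_arn(ACCOUNT_B, ROLE_B)
    docs = {
        "account_b_trust_policy": trust_policy(instance_role),
        "account_b_permissions_policy": s3_read_policy(BUCKET),
        "account_a_inline_policy": assume_role_policy(target_role),
    }
    return docs, check_wiring(docs["account_b_trust_policy"],
                              docs["account_a_inline_policy"],
                              instance_role, target_role)


if __name__ == "__main__":
    docs, problems = build_documents()
    for name, doc in docs.items():
        print(f"# {name}\n{json.dumps(doc, indent=2)}\n")
    print("problems:", problems or "none")
```

Paste the printed account_b_trust_policy over the trust policy the console generated for the Account B role once the Account A role exists; check_wiring reports the account-root principal the console writes by default, and a Resource of "*" on the AssumeRole side, as problems.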
From the Amazon EC2 instance, create a profile for the role in the CLI config file
Note: If you connect to the instance both over SSH and through Session Manager, a capability of AWS Systems Manager, then complete these steps for both ec2-user and ssm-user. The AWS CLI reads ~/.aws/config from the home directory of whichever user runs the command.
To create a profile for the role in the CLI config file from the instance, complete the following steps:
- Connect to the instance. For more information, see Connect to your Linux instance or Connect to your Windows instance. On Windows, the equivalent location for the config file is %UserProfile%\.aws\config.
- To determine whether the home directory already has a folder named ~/.aws, run the following ls command:
ls -l ~/.aws
If the ~/.aws folder exists, then proceed to the next step. If it doesn't, then run the following mkdir command to create it:
mkdir ~/.aws/
- In the ~/.aws folder, use a text editor to create a file named config.
- In the file, enter the following text:
[profile enterprofilename]
role_arn = arn:aws:iam::111111111111:role/ROLENAME
credential_source = Ec2InstanceMetadata
Note: Replace enterprofilename with a profile name of your choice. Replace arn:aws:iam::111111111111:role/ROLENAME with the ARN of the role that you created in Account B. The credential_source = Ec2InstanceMetadata line tells the AWS CLI to obtain the instance role's credentials from the instance metadata service and use them to call sts:AssumeRole on role_arn, so no access keys are stored on the instance.
- Save the file.
Verify that the instance profile can assume the role
To verify that your instance's role can assume the role in Account B, connect to the instance and then run the following command:
aws sts get-caller-identity --profile profilename
Note: Replace profilename with the profile name that you entered in the ~/.aws/config file (enterprofilename in the previous section), not the name of the role that's attached to the instance.
The command returns a response similar to the following one:
{
"UserId": "AROAEXAMPLEID:sessionName",
"Account": "111111111111",
"Arn": "arn:aws:sts::111111111111:assumed-role/ROLENAME/sessionName"
}
Confirm that the account ID and role name in "Arn" match the role that you created in Account B. The value is an STS assumed-role ARN (arn:aws:sts::AccountB:assumed-role/ROLENAME/sessionName) rather than the IAM role ARN itself. If the command fails with an AccessDenied error, then check the trust policy on the role in Account B and the inline sts:AssumeRole policy on the role that's attached to the instance in Account A.
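The comparison above is easy to get wrong by eye: the STS output shows an assumed-role ARN, not the IAM role ARN from the config file, and running the command without --profile quietly returns the instance's own role in Account A. As an added example (not code from the original article), the following Python reads the profile from config text and checks a get-caller-identity response against it. The config and both responses are constructed samples; the profile name crossaccount, Account A ID 222222222222 and instance role name ec2-s3-crossaccount are assumed placeholders.

```python
import configparser
import json
import re

# Constructed sample of the ~/.aws/config the article has you write on the
# instance (assumption: the profile is named "crossaccount").
SAMPLE_CONFIG = """
[profile crossaccount]
role_arn = arn:aws:iam::111111111111:role/ROLENAME
credential_source = Ec2InstanceMetadata
"""

# Constructed sample of `aws sts get-caller-identity --profile crossaccount`
# output when the AssumeRole call succeeded.
SAMPLE_IDENTITY_OK = json.dumps({
    "UserId": "AROAEXAMPLEID:sessionName",
    "Account": "111111111111",
    "Arn": "arn:aws:sts::111111111111:assumed-role/ROLENAME/sessionName",
})

# Constructed sample of the same command run without --profile: the CLI
# answers with the Account A instance role (assumed placeholders: account
# 222222222222, role ec2-s3-crossaccount, session name = instance ID).
SAMPLE_IDENTITY_INSTANCE = json.dumps({
    "UserId": "AROAEXAMPLEID2:i-0123456789abcdef0",
    "Account": "222222222222",
    "Arn": "arn:aws:sts::222222222222:assumed-role/ec2-s3-crossaccount/i-0123456789abcdef0",
})

IAM_ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/(.+)$")
STS_ASSUMED_ROLE_ARN = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/([^/]+)$")


def load_profile(config_text, profile):
    """Read the named profile from AWS CLI config text and return its
    role_arn and credential_source. Raises KeyError when the profile is
    missing, the condition the CLI reports as 'config profile ... could not be found'."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    section = cp[f"profile {profile}"]
    return {"role_arn": section["role_arn"],
            "credential_source": section.get("credential_source")}


def verify_assumed_role(identity_json, expected_role_arn):
    """Return None when the STS caller identity is a session of
    expected_role_arn, otherwise a string saying what does not match.
    The IAM role ARN (arn:aws:iam::ACCT:role/[path/]NAME) never appears
    verbatim in the output; the session ARN is
    arn:aws:sts::ACCT:assumed-role/NAME/SESSION, with any path dropped."""
    identity = json.loads(identity_json)
    m_role = IAM_ROLE_ARN.match(expected_role_arn)
    if not m_role:
        return f"expected value is not an IAM role ARN: {expected_role_arn}"
    exp_account, exp_path_and_name = m_role.groups()
    exp_name = exp_path_and_name.rsplit("/", 1)[-1]

    arn = identity.get("Arn", "")
    m_sts = STS_ASSUMED_ROLE_ARN.match(arn)
    if not m_sts:
        return f"caller is not an assumed role: {arn}"
    got_account, got_name, _session = m_sts.groups()
    if identity.get("Account") != exp_account or got_account != exp_account:
        return f"caller is in account {identity.get('Account')}, expected {exp_account}"
    if got_name != exp_name:
        return f"caller assumed role {got_name}, expected {exp_name}"
    return None


def check_profile_and_identity(config_text, profile, identity_json):
    """End-to-end check after writing the config: the profile must exist and
    use the instance metadata as its credential source, and the STS identity
    must be a session of the role the profile names."""
    prof = load_profile(config_text, profile)
    if prof["credential_source"] != "Ec2InstanceMetadata":
        return f"credential_source is {prof['credential_source']!r}, expected 'Ec2InstanceMetadata'"
    return verify_assumed_role(identity_json, prof["role_arn"])


if __name__ == "__main__":
    print("with --profile:", check_profile_and_identity(SAMPLE_CONFIG, "crossaccount", SAMPLE_IDENTITY_OK))
    print("without --profile:", check_profile_and_identity(SAMPLE_CONFIG, "crossaccount", SAMPLE_IDENTITY_INSTANCE))
```

On a real instance, feed the file contents of ~/.aws/config and the JSON printed by aws sts get-caller-identity --profile profilename into check_profile_and_identity; None means the profile resolved to the Account B role, and any string names the mismatch.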
Verify access to the Amazon S3 bucket
To verify that your instance can access the S3 bucket, connect to the instance and then run the following list command:
aws s3 ls s3://DOC-EXAMPLE-BUCKET --profile profilename
Note: Replace profilename with the profile name that you entered in the ~/.aws/config file, not the name of the role that's attached to the instance.
If your instance can successfully access the bucket, then you receive a response similar to the following one:
PRE Hello/
2018-08-15 16:16:51 89 index.html
Related information
IAM Tutorial: Delegate access across AWS accounts using IAM roles