How can I grant my Amazon EC2 instance access to an Amazon S3 bucket in another AWS account?


I want to use an Amazon Elastic Compute Cloud (Amazon EC2) instance to access my Amazon Simple Storage Service (Amazon S3) bucket in another account.

Resolution

Note: The steps to grant an Amazon EC2 instance access to an Amazon S3 bucket are similar to the steps to grant access to AWS resources in another account.

Complete the following steps to grant an instance in Account A access to an S3 bucket in Account B.

From Account B, create an IAM role

To create an Identity and Access Management (IAM) role from Account B, complete the following steps:

  1. Use Account B to sign in to the AWS Management Console.
  2. Open the IAM console.
  3. In the navigation pane, choose Roles, and then choose Create role.
  4. For Trusted entity type, choose AWS account.
  5. Select Another AWS account, and then enter the account ID of Account A.
  6. Choose Next.
  7. Attach an IAM policy to the role that delegates access to Amazon S3, and then choose Next. For example, the following IAM policy grants s3:GetObject access on the objects that are stored in the bucket and s3:ListBucket access on the bucket itself:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject",
                    "s3:ListBucket"
                ],
                "Resource": [
                    "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
                    "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
                ]
            }
        ]
    }
    Note: Modify the IAM policy based on the Amazon S3 bucket-level and object-level permissions that are required for your use case.
  8. For Role name, enter a name for the role.
  9. (Optional) Add tags to the role.
  10. Choose Create role.
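The following Python script is an added example, not part of the AWS article. It builds the two policy documents behind the Account B role (the trust policy that the console creates when you choose "Another AWS account", and the permissions policy from step 7) as Python dicts, and it checks the permissions policy for the mistake that the note in step 7 is about: S3 evaluates bucket-level actions such as s3:ListBucket against the bucket ARN and object-level actions such as s3:GetObject against the object ARN (bucket/*), so a policy that lists only one of the two forms silently denies the other. The account ID 222222222222, the role name EC2-S3-CrossAccount and the bucket name are constructed placeholders; the optional role_arn argument of trust_policy narrows trust from all of Account A to the one instance role, which is a least-privilege choice rather than what the console does by default.

```python
# Added example, not from the AWS Knowledge Center article. Builds the Account B
# trust policy and S3 permissions policy and checks the permissions policy for
# bucket-level vs object-level resource mismatches.
import json
from typing import Dict, Iterable, List, Optional

ACCOUNT_A = "222222222222"                      # placeholder: account that owns the instance
ROLE_A = f"arn:aws:iam::{ACCOUNT_A}:role/EC2-S3-CrossAccount"  # placeholder instance role
BUCKET = "DOC-EXAMPLE-BUCKET"                   # placeholder bucket in Account B

# Which ARN form S3 evaluates each action against (a subset of common actions).
BUCKET_LEVEL = {"s3:ListBucket", "s3:GetBucketLocation"}
OBJECT_LEVEL = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}


def trust_policy(account_a: str, role_arn: Optional[str] = None) -> Dict:
    """Trust policy equivalent to the console's 'Another AWS account' choice.

    With role_arn=None the principal is Account A's root, so any principal in
    Account A that itself holds sts:AssumeRole on this role can assume it.
    Passing the instance role's ARN narrows trust to that single role."""
    principal = role_arn or f"arn:aws:iam::{account_a}:root"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal},
            "Action": "sts:AssumeRole",
        }],
    }


def permissions_policy(bucket: str, actions: Iterable[str]) -> Dict:
    """Permissions policy that lists both ARN forms, as the article's example does."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": sorted(actions),
            "Resource": [f"arn:aws:s3:::{bucket}/*", f"arn:aws:s3:::{bucket}"],
        }],
    }


def _as_list(value) -> List[str]:
    return [value] if isinstance(value, str) else list(value)


def check_s3_policy(policy: Dict) -> List[str]:
    """Return one message per action whose Resource list lacks the ARN form
    that S3 evaluates that action against. An empty list means the statement
    is internally consistent; it does not prove the access is sufficient."""
    problems = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        s3_res = [r[len("arn:aws:s3:::"):] for r in resources if r.startswith("arn:aws:s3:::")]
        wildcard = "*" in resources
        # "bucket" is a bucket ARN; "bucket/*" (or a trailing wildcard) covers objects.
        has_bucket = wildcard or any("/" not in r for r in s3_res)
        has_object = wildcard or any("/" in r or r.endswith("*") for r in s3_res)
        for action in _as_list(stmt["Action"]):
            if action in BUCKET_LEVEL and not has_bucket:
                problems.append(f"{action} needs the bucket ARN (arn:aws:s3:::BUCKET)")
            if action in OBJECT_LEVEL and not has_object:
                problems.append(f"{action} needs an object ARN (arn:aws:s3:::BUCKET/*)")
    return problems


if __name__ == "__main__":
    print(json.dumps(trust_policy(ACCOUNT_A, ROLE_A), indent=4))
    good = permissions_policy(BUCKET, ["s3:GetObject", "s3:ListBucket"])
    print(json.dumps(good, indent=4))
    print("problems:", check_s3_policy(good))
    # Same actions but only the object ARN: `aws s3 ls` on the bucket is denied.
    bad = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
           "Action": ["s3:GetObject", "s3:ListBucket"],
           "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}
    print("problems:", check_s3_policy(bad))
```

Run the check against any policy you paste into the Resolution's step 7 before you attach it; the most common reason the later "aws s3 ls" verification fails with AccessDenied while "get-caller-identity" succeeds is a ListBucket action that was scoped only to bucket/*.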

From Account B, find the IAM role's ARN

To find the IAM role's ARN, complete the following steps:

  1. From the IAM console's navigation pane, choose Roles.
  2. Choose the IAM role that you created.
  3. Note the value that's listed for Role ARN.

From Account A, create another role and attach it to the instance

To create another instance profile from Account A and attach it to the instance, complete the following steps:

  1. Use Account A to sign in to the AWS Management Console.
  2. Open the IAM console.
  3. From the navigation pane, choose Roles, and then choose Create role.
  4. For Trusted entity type, choose AWS service.
  5. For Service or use case, choose EC2 and then select your use case.
  6. Choose Next.
  7. On the Add permissions page, choose Next.
  8. For Role name, enter a name for the role.
  9. (Optional) Add tags to the role.
  10. Choose Create role.
  11. From the list of roles, choose the role that you created.
  12. For Add permissions, choose Create inline policy.
  13. For Policy editor, select JSON, and then enter the following policy:
    {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::111111111111:role/ROLENAME"
        }]
    }
    Note: Replace arn:aws:iam::111111111111:role/ROLENAME with the ARN of the IAM role that you created in Account B.
  14. Choose Next.
  15. For Name, enter a name for the policy, and then choose Create policy.
  16. Attach the IAM role to the instance that you use to access the Amazon S3 bucket.

From the Amazon EC2 instance, create a profile for the role in the CLI config file

Note: If you use SSH and Session Manager, a capability of AWS Systems Manager, to connect to your instances, then you must perform these steps for both the ec2-user and ssm-user.

To create a profile for the role in the CLI config file from the instance, complete the following steps:

  1. Connect to the instance. For more information, see Connect to your Linux instance or Connect to your Windows instance.

  2. To determine whether the directory already has a folder named ~/.aws, run the following ls command to list the instance directory:

    ls -l ~/.aws

    If you find the ~/.aws folder, then proceed to the next step. If you don't find a ~/.aws folder, then run the following mkdir command to create the folder:

    mkdir ~/.aws/
  3. In the ~/.aws folder, use a text editor to create a file. Name the file config.

  4. In the file, enter the following text:

    [profile enterprofilename]
    role_arn = arn:aws:iam::111111111111:role/ROLENAME
    credential_source = Ec2InstanceMetadata

    Note: Replace enterprofilename with your value. Replace arn:aws:iam::111111111111:role/ROLENAME with the ARN of the role that you created in Account B.

  5. Save the file.

Verify that the instance profile can assume the role

To verify that your instance's role can assume the role in Account B, connect to the instance and then run the following command:

aws sts get-caller-identity --profile profilename

Note: Replace profilename with the profile name that you entered in the ~/.aws/config file (the enterprofilename value from the preceding section).

The command returns a response similar to the following one:

{
    "Account": "111111111111",
    "UserId": "AROAEXAMPLEID:sessionName",
    "Arn": "arn:aws:sts::111111111111:assumed-role/ROLENAME/sessionName"
}

Confirm that the account ID and role name in the "Arn" value match the ARN of the role that you created in Account B. The response shows the assumed-role session ARN (arn:aws:sts::ACCOUNT_B:assumed-role/ROLENAME/sessionName) rather than the role ARN itself, so the two values are not identical.
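The following Python script is an added example, not part of the AWS article. It checks the two things that the "create a profile" section and this verification step rely on: that the profile in ~/.aws/config is complete (a role_arn plus credential_source = Ec2InstanceMetadata, which makes the CLI use the instance role's credentials to call sts:AssumeRole on the Account B role), and that the "Arn" returned by get-caller-identity is the assumed-role form of that role ARN, including the case where the role ARN carries a path, which the assumed-role ARN drops. CONFIG_TEXT and CALLER_IDENTITY are constructed sample data in the shape the article shows; the profile name crossaccount is a placeholder, and 111111111111 and ROLENAME are the article's own placeholders.

```python
# Added example, not from the AWS Knowledge Center article. Validates a CLI
# config profile and compares get-caller-identity output with the role ARN.
import configparser
import json
from typing import Dict, List, Optional

# Constructed sample ~/.aws/config content.
CONFIG_TEXT = """\
[default]
region = us-east-1

[profile crossaccount]
role_arn = arn:aws:iam::111111111111:role/ROLENAME
credential_source = Ec2InstanceMetadata
"""

# Constructed in the shape that `aws sts get-caller-identity` returns.
CALLER_IDENTITY = json.loads("""{
    "UserId": "AROAEXAMPLEID:sessionName",
    "Account": "111111111111",
    "Arn": "arn:aws:sts::111111111111:assumed-role/ROLENAME/sessionName"
}""")


def load_profile(config_text: str, name: str) -> Optional[Dict[str, str]]:
    """Return the key/value pairs of [profile NAME] from CLI config text.
    The CLI config file prefixes every section except default with 'profile '."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    section = "default" if name == "default" else f"profile {name}"
    return dict(parser[section]) if parser.has_section(section) else None


def validate_profile(profile: Optional[Dict[str, str]]) -> List[str]:
    """Problems that would make `--profile NAME` fail on an EC2 instance."""
    if profile is None:
        return ["profile not found in config"]
    problems = []
    if "role_arn" not in profile:
        problems.append("missing role_arn")
    elif not profile["role_arn"].startswith("arn:aws:iam::"):
        problems.append("role_arn is not an IAM role ARN")
    if profile.get("credential_source") != "Ec2InstanceMetadata":
        problems.append("credential_source must be Ec2InstanceMetadata")
    return problems


def expected_assumed_role_prefix(role_arn: str) -> str:
    """IAM role ARN -> prefix of the STS assumed-role ARN its sessions carry.
    arn:aws:iam::ACCT:role/path/NAME becomes arn:aws:sts::ACCT:assumed-role/NAME/
    (any path component is dropped from the assumed-role ARN)."""
    prefix, resource = role_arn.split(":role/", 1)
    account = prefix.split(":")[4]
    role_name = resource.rsplit("/", 1)[-1]
    return f"arn:aws:sts::{account}:assumed-role/{role_name}/"


def caller_matches_role(caller_identity: Dict[str, str], role_arn: str) -> bool:
    """True if get-caller-identity shows a session of exactly role_arn."""
    prefix = expected_assumed_role_prefix(role_arn)
    arn = caller_identity.get("Arn", "")
    return arn.startswith(prefix) and caller_identity.get("Account") == prefix.split(":")[4]


if __name__ == "__main__":
    profile = load_profile(CONFIG_TEXT, "crossaccount")
    print("profile problems:", validate_profile(profile))
    print("assumed role matches:", caller_matches_role(CALLER_IDENTITY, profile["role_arn"]))
```

To use it against a real instance, read ~/.aws/config into CONFIG_TEXT and feed the JSON from "aws sts get-caller-identity --profile NAME" to caller_matches_role; a False result with an Arn that still names Account A's instance role means the CLI never assumed the Account B role, which usually points at a misspelled profile name or a missing credential_source line.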

Verify access to the Amazon S3 bucket

To verify that your instance can access the S3 bucket, connect to the instance and then run the following list command:

aws s3 ls s3://DOC-EXAMPLE-BUCKET --profile profilename

Note: Replace profilename with the profile name that you entered in the ~/.aws/config file (the enterprofilename value).

If your instance can successfully access the bucket, then you receive a response similar to the following one:

PRE Hello/
2018-08-15 16:16:51 89 index.html

Related information

IAM Tutorial: Delegate access across AWS accounts using IAM roles

AWS OFFICIAL
Updated 7 months ago
4 Comments

I followed this. I am able to verify access to the Amazon S3 bucket from the CLI, but through the Java SDK, when uploading a file to this bucket, I am getting an "access denied" error.

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied a year ago

On step 5 when creating a profile on the EC2 machine, it says "Replace enterprofilename with the name of the role that you attached to the instance." To clarify, any arbitrary string will do here since there may be S3 buckets on multiple accounts that the EC2 instance must access and each profile has to have a unique name in the config file in order to reference it using the --profile flag.

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied a year ago