S3 upload issues using AWS console

0

I have a SAML role in A account and I have a bucket in B account... I gave access to the bucket but when I am trying to upload the file it is showing the error - Access control list (ACL) not supported (Kindly give your valuable responses to sort out my issue).

And I am not confident with S3 CLI commands as well. If you give that as well, then I will try from the CLI.

2 Answers
2

Hello, this is a cross-account case.

Please check the things below.

  1. Check your IAM role permission in account A. If you want to upload a file to an S3 bucket in account B, your IAM role must be granted permission. This is a permission sample.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Example",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::${YOUR-BUCKET-NAME}/*"
            ]
        }
    ]
}
  2. Check your S3 bucket permission in account B. In a cross-account case, you must grant permissions for the user in account A. This is a permission sample.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Example permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "${YOUR-IAM-ROLE-ARN}"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::${YOUR-BUCKET-NAME}/*"
        }
    ]
}
  3. Here is a CLI command for an object upload test.
aws s3api put-object --bucket ${YOUR-BUCKET-NAME} --key ${OBJECT-TO-UPLOAD}

In a cross-account case, you can't see the target bucket name in the AWS Management Console. So, when you upload a file to the S3 bucket, you should use the CLI or another programmatic method.

If you need more details, please read these reading materials.

Good Luck!

answered a year ago
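The two policies in the answer above have to line up: in a cross-account upload both the role's identity policy and the bucket policy must allow `s3:PutObject`, and that action only matches object ARNs (`bucket/*`), not the bare bucket ARN. The following is an added example, not code from the answers or from AWS; it is a simplified model of the evaluation, and the bucket name, role ARN and helper names are constructed for illustration.

```python
# Added example: simplified model of cross-account S3 policy evaluation.
# Assumption: ignores Condition, NotAction/NotResource, SCPs, permission boundaries.
from fnmatch import fnmatchcase

BUCKET = "example-bucket-b"                                  # constructed name
ROLE = "arn:aws:iam::111111111111:role/example-saml-role"    # constructed ARN
OBJECT = f"arn:aws:s3:::{BUCKET}/report.csv"                 # constructed key


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt, principal):
    # Identity policies carry no Principal element: they apply to their owner.
    if "Principal" not in stmt:
        return True
    p = stmt["Principal"]
    return p == "*" or any(a in ("*", principal) for a in _as_list(p.get("AWS", [])))


def decision(policy, principal, action, resource):
    """Return 'Deny', 'Allow' or 'NoMatch' for one policy document."""
    result = "NoMatch"
    for stmt in _as_list(policy["Statement"]):
        if not _principal_matches(stmt, principal):
            continue
        if not any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit deny always wins
        result = "Allow"
    return result


def cross_account_allowed(identity_policy, bucket_policy, principal, action, resource):
    # Cross-account: the role's policy AND the bucket policy must both allow.
    return (decision(identity_policy, principal, action, resource),
            decision(bucket_policy, principal, action, resource)) == ("Allow", "Allow")


def put_policy(resource, principal=None):
    """Build a one-statement s3:PutObject Allow policy (bucket policy if principal given)."""
    stmt = {"Effect": "Allow", "Action": "s3:PutObject", "Resource": resource}
    if principal:
        stmt["Principal"] = {"AWS": principal}
    return {"Version": "2012-10-17", "Statement": [stmt]}
```

For example, `decision(put_policy(f"arn:aws:s3:::{BUCKET}"), ROLE, "s3:PutObject", OBJECT)` returns `"NoMatch"`, while the same policy with `/*` appended to the resource returns `"Allow"`.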
1

You must create in Account A an Account role for account B with a policy that allows S3 access. Then you must allow account B to assume this role:

Account A:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "other s3 actions..."
            ],
            "Resource": [
                "arn:aws:s3:::your-bucket-name/*",
                "arn:aws:s3:::your-bucket-name"
            ]
        }
    ]
}

From Account B you must assume the previously created role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::xxxxxx:role/ARN-of-Previous-Role"
        }
    ]
}

Check this resource for a complete step-by-step explanation.

AWS
David C
answered a year ago
