Help us improve the AWS re:Post Knowledge Center by sharing your feedback in a brief survey. Your input can influence how we create and update our content to better support your AWS journey.
AWS IAM Identity Center and S3 cross-account access
I have multiple accounts managed via IAM Identity Center. In AccountA, I have an S3 bucket with "Block all public access" = ON. I'm trying to grant people that have AdministratorAccess in AccountB to have RO access from that S3 bucket.
So, what I tried is to:
- In AccountA, where the S3 bucket exists, I've set the Bucket policy to the following:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::xxxxxx:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_AdministratorAccess_e42b39700d9195e4" }, "Action": [ "s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::<my-bucket>/*", "arn:aws:s3:::<my-bucket>" ] } ] }
- In Identity Center Permission Set, I added an Inline Policy:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetObject", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::<my-bucket>/*", "arn:aws:s3:::<my-bucket>" ] } ] }
This doesn't work though. Am I missing some additional requirement when using IAM Identity Center?
- Language
- English
- Newest
- Most votes
- Most comments
WOW. I figured it out.
It turns out I had an SCP policy on the AWS Org, that limited all AWS services to us-west-2 region, where all my services are, but the bucket is in us-west-1. As soon as I added us-west-1 to permitted list of regions, it started working...
I have no idea which service it is requesting, I tried allowing for us-west-1 explicitly sts:* and kms:* and s3:*, but it still didn't work.
You dont need to have your bucket policy to grant access to the Identity Centre roles. Just ensure your permission set has S3 access to the bucket. When the user assumes the role they will inturn be granted access to the S3 bucket.
Reason being, if you change the permission set it will generate a new one with a different role name.
What do you mean by "Permission Set has access to the bucket"? For Cross Account access, both sides need to specify privileges, meaning S3 bucket and IAM role (here via Permission Set). Also, you're saying that I don't need to do something, but considering the fact that it doesn't work with both sides specified, with one side specified it will not work either.
Its not cross account when using permission set. Your assuming a role in the account so your not actually using cross account when using Identity centre
Ok appolgies, I see what your trying to do.. I miss read it. I thought you were having issues with Ident Centre when using the console and logging into the account.
AccountA is in one AWS account in the AWS Organisation, AccountB is in another account in the same AWS Organisation - it looks like cross-account for me :-) Still, it doesn't work, so something is wrong.
Ive not tried this myself, but are the objects encrypted with a customer KMS Key?
Hi Radek,
Please go through the below steps i hope it will helps to resolve your issue.
1. S3 Bucket Policy in AccountA
Ensure your S3 bucket policy allows access from the specific IAM roles used in AccountB. Here is the updated policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountB:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_AdministratorAccess_xxxxxxx"
},
"Action": [
"s3:GetObject",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
]
}
]
}
2. IAM Role Assumption Policy in AccountB
Ensure that the roles in AccountB have policies allowing them to assume the necessary roles in AccountA. Create or update the IAM policy as follows:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::AccountA:role/RoleNameInAccountA"
}
]
}
3. Identity Center Permission Set in AccountB
Update the inline policy for the Permission Set to include the necessary permissions for the S3 bucket in AccountA:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::my-bucket"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::my-bucket/*"
}
]
}
Please loot at AWS Document Link you will get more information.
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html
Relevant content
- asked 2 years ago
- asked 2 years ago
- asked 3 years ago
That setup is quite correct. Assuming you aren't using SSE-KMS encryption or something else not mentioned, it should work. What is it exactly that isn't working, and what is the symptom of it not working? Are you receiving an error message?
I'm testing with both, AWS Console and CLI. In CLI I'm getting:
In console, I'm just getting all red permission denied errors.
The bucket is using Bucket Encryption Key and SSE-S3.
In that same console session, what does
aws sts get-caller-identitysay relative to the value in the "Principal"/"AWS" attribute in your bucket policy?Nah, I was logging in and out to check. When testing with CLI, here is the output of
get-called-identityon that session: