To fetch S3 bucket details from both accounts using the user's access keys in the second account, you'll need to configure IAM roles and policies appropriately.
1. Create an IAM User in the Second Account: In the second account, create an IAM user with the necessary permissions to access S3 buckets in both accounts. This user will be used to execute your Python script.
2. Attach an IAM Role to the User: Create an IAM role in the second account that grants the user access to S3 buckets in both accounts. This role should have the following permissions:
- s3:ListAllMyBuckets: to list all buckets in the second account
- s3:ListBucket: to list objects in a specific bucket
- s3:GetObject: to retrieve object metadata
- s3:GetObjectAcl: to retrieve object ACLs (if needed)
3. Attach a Policy to the Role: Create a policy in the management account that allows the IAM role in the second account to access S3 buckets in the management account. This policy should have the following condition:
- aws:PrincipalOrgID: YOUR_ORGANIZATION_ID
- aws:SourceAccount: SECOND_ACCOUNT_ID
4. Attach the Policy to the Role: Attach the policy created in the management account to the IAM role in the second account. This will grant the IAM role the necessary permissions to access S3 buckets in both accounts.
5. Configure Your Python Script:
In your Python script, use the Boto3 library to connect to S3 using the access keys of the IAM user in the second account.
Use the client.list_buckets() method to list all buckets in both accounts.
Iterate through the list of buckets and use the client.list_objects_v2() method to list objects in each bucket.
Retrieve object metadata and ACLs (if needed) using the client.get_object() and client.get_object_acl() methods, respectively.
Hi Rashid, thanks for the reply. I have a query: how do I attach the policy created in the other account to the IAM role in the second account? The policy is not showing up in the second account.
You can’t attach policies created in one account to users/roles in other accounts. You need to create a role in the management account for the user in account 2 to Assume. Attach a policy created in the management account to the role in the management account. Steps 3 and 4 need slight adjustment.
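The following is an added example that is not from this thread or from any poster; it implements the corrected arrangement from the last reply (a role in the management account, with its trust and permission policies created there, which the account 2 user assumes via STS) and the listing steps from the answer. The account IDs, organization ID and role name are placeholders, and `FakeS3` is a constructed stand-in for a boto3 S3 client so the inventory logic can be exercised offline; `main()` is the real boto3 run and reads the account 2 user's keys from the environment or `~/.aws/credentials` rather than hard-coding them.

```python
# Added example (not the original poster's script). IDs and role name are placeholders.
import json
from typing import Dict, List, Optional, Union

try:
    from botocore.exceptions import ClientError
except ImportError:  # boto3 absent: the policy and inventory helpers still run against FakeS3
    class ClientError(Exception):
        pass

MGMT_ACCOUNT_ID = "111111111111"    # placeholder (assumption)
SECOND_ACCOUNT_ID = "222222222222"  # placeholder (assumption)
ORG_ID = "o-exampleorgid"           # placeholder (assumption)
ROLE_NAME = "S3InventoryReadOnly"   # hypothetical role created in the management account
S3_READ_ACTIONS = ["s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject", "s3:GetObjectAcl"]
Inventory = Dict[str, Union[List[str], str]]


def management_role_policy_documents(second_account_id: str, org_id: str) -> Dict[str, dict]:
    """Both documents are created in the management account and attached to the role there.
    'trust' names account 2 as the principal allowed to call sts:AssumeRole and also requires
    the caller to be inside the organization; 'permissions' grants the read-only S3 actions."""
    trust = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{second_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
        }],
    }
    permissions = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": S3_READ_ACTIONS,
            "Resource": "*",  # tighten to specific bucket ARNs once the bucket set is known
        }],
    }
    return {"trust": trust, "permissions": permissions}


def list_bucket_inventory(s3_client, max_keys_per_bucket: int = 1000) -> Inventory:
    """Map every bucket visible to s3_client to its object keys (or an error string).
    list_buckets needs s3:ListAllMyBuckets; each ListObjectsV2 page needs s3:ListBucket on that
    bucket. A bucket the caller cannot list is recorded instead of aborting the whole run."""
    inventory: Inventory = {}
    for bucket in s3_client.list_buckets()["Buckets"]:
        name = bucket["Name"]
        try:
            pages = s3_client.get_paginator("list_objects_v2").paginate(
                Bucket=name, PaginationConfig={"MaxItems": max_keys_per_bucket})
            inventory[name] = [obj["Key"] for page in pages for obj in page.get("Contents", [])]
        except ClientError as exc:
            inventory[name] = f"ERROR: {exc}"
    return inventory


def cross_account_inventory(second_account_s3, management_s3) -> Dict[str, Inventory]:
    """Inventory keyed by account: the caller's own account and the assumed-role account."""
    return {SECOND_ACCOUNT_ID: list_bucket_inventory(second_account_s3),
            MGMT_ACCOUNT_ID: list_bucket_inventory(management_s3)}


class FakeS3:
    """Constructed stand-in for a boto3 S3 client; None marks a bucket that denies ListBucket."""

    def __init__(self, buckets: Dict[str, Optional[List[str]]]):
        self.buckets = buckets

    def list_buckets(self):
        return {"Buckets": [{"Name": n} for n in self.buckets]}

    def get_paginator(self, operation_name):
        assert operation_name == "list_objects_v2"
        owner = self

        class Paginator:
            def paginate(self, Bucket, PaginationConfig=None):
                if owner.buckets[Bucket] is None:
                    raise ClientError({"Error": {"Code": "AccessDenied", "Message": "denied"}},
                                      "ListObjectsV2")
                yield {"Contents": [{"Key": k} for k in owner.buckets[Bucket]]}
        return Paginator()


def main() -> None:
    """Real run: the account 2 user's keys come from the environment or ~/.aws/credentials."""
    import boto3
    local = boto3.Session()
    creds = local.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{MGMT_ACCOUNT_ID}:role/{ROLE_NAME}",
        RoleSessionName="s3-inventory", DurationSeconds=900)["Credentials"]
    mgmt = boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                         aws_secret_access_key=creds["SecretAccessKey"],
                         aws_session_token=creds["SessionToken"])
    print(json.dumps(cross_account_inventory(local.client("s3"), mgmt.client("s3")), indent=2))


if __name__ == "__main__":
    main()
```

The account 2 user still needs an identity policy in its own account granting the same S3 read actions there, plus `sts:AssumeRole` on the management-account role ARN. Note that `aws:SourceAccount` is populated only for requests made by AWS services on behalf of a resource; for an IAM principal calling `sts:AssumeRole` the account is restricted by the `Principal` element of the trust policy, and `aws:PrincipalOrgID` (as in the answer) adds the organization boundary. The temporary credentials from `assume_role` expire after `DurationSeconds`, so the script never needs long-lived keys for the management account.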