AWS Organization and Cross account access.


I have an AWS Organization with 2 accounts under it. The first one is the management account, which holds all the data. In the second one I have a user to fetch S3 bucket details. Now I have to get all the buckets and objects in both accounts with the access keys of the user in the 2nd account. What do I need to do so that my Python code can fetch the details using the 2nd account user's access keys? What roles and policies need to be attached to the users and the buckets?

1 Answer

To fetch S3 bucket details from both accounts using the user's access keys in the second account, you'll need to configure IAM roles and policies appropriately.

1. Create an IAM User in the Second Account: In the second account, create an IAM user with the necessary permissions to access S3 buckets in both accounts. This user will be used to execute your Python script.

2. Attach an IAM Role to the User: Create an IAM role in the second account that grants the user access to S3 buckets in both accounts. This role should have the following permissions:

s3:ListAllMyBuckets to list all buckets in the second account
s3:ListBucket to list objects in a specific bucket
s3:GetObject to retrieve object metadata
s3:GetObjectAcl to retrieve object ACLs (if needed)

3. Attach a Policy to the Role: Create a policy in the management account that allows the IAM role in the second account to access S3 buckets in the management account. This policy should have the following condition:

aws:PrincipalOrgID: YOUR_ORGANIZATION_ID 
aws:SourceAccount: SECOND_ACCOUNT_ID 

4. Attach the Policy to the Role: Attach the policy created in the management account to the IAM role in the second account. This will grant the IAM role the necessary permissions to access S3 buckets in both accounts.

5. Configure Your Python Script: In your Python script, use the Boto3 library to connect to S3 using the access keys of the IAM user in the second account. Use the client.list_buckets() method to list all buckets in both accounts. Iterate through the list of buckets and use the client.list_objects_v2() method to list objects in each bucket. Retrieve object metadata and ACLs (if needed) using the client.get_object() and client.get_object_acl() methods, respectively.

answered 5 months ago
EXPERT
reviewed a month ago
  • Hi Rashid, thanks for the reply. I have a query. How do I attach the policy created in the other account to the IAM role in the second account? The policy is not showing up in the second account.

  • You can’t attach policies created in one account to users/roles in other accounts. You need to create a role in the management account for the user in account 2 to Assume. Attach a policy created in the management account to the role in the management account. Steps 3 and 4 need slight adjustment.
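A worked version of the setup the comment above describes, added here as an example that is not part of the answer or of any AWS sample: a role in the management account that trusts the member (second) account and is additionally restricted with aws:PrincipalOrgID; an identity policy on the member-account user that allows S3 reads in its own account plus sts:AssumeRole on that one role; and a script that uses the member user's keys to inventory its own buckets, then assumes the management-account role and does the same there. The account IDs, organization ID and role name S3InventoryFromMember are placeholders, and FakeS3 is a constructed stand-in so the enumeration logic can be exercised offline.

```python
"""Cross-account S3 inventory driven by the member account's IAM user keys.
Assumed setup (placeholders, not from the original post): a role in the
management account trusted by the member account and limited to this
organization, and a member-account user allowed to assume that role."""
import json
import os

MANAGEMENT_ACCOUNT_ID = os.environ.get("MANAGEMENT_ACCOUNT_ID", "111111111111")  # placeholder
MEMBER_ACCOUNT_ID = os.environ.get("MEMBER_ACCOUNT_ID", "222222222222")          # placeholder
ORG_ID = os.environ.get("ORG_ID", "o-exampleorgid")                               # placeholder
ROLE_NAME = "S3InventoryFromMember"                                               # assumed role name
READ_ACTIONS = ["s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject"]
S3_RESOURCES = ["arn:aws:s3:::*", "arn:aws:s3:::*/*"]  # bucket ARNs for ListBucket, object ARNs for GetObject


def role_arn(account_id, role_name=ROLE_NAME):
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def management_role_trust_policy(member_account_id, org_id):
    """Trust policy on the role in the management account. The Principal limits
    callers to the member account; aws:PrincipalOrgID additionally requires the
    caller to be inside this organization, so the trust lapses if the account leaves."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{member_account_id}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
    }]}


def management_role_permissions_policy():
    """Read-only S3 permissions attached to the role in the management account."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": READ_ACTIONS, "Resource": S3_RESOURCES}]}


def member_user_policy(management_account_id):
    """Identity policy for the member-account user: S3 reads in its own account and
    sts:AssumeRole on exactly one role. Both this and the trust policy must allow
    the call, since cross-account AssumeRole needs permission on both sides."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": READ_ACTIONS, "Resource": S3_RESOURCES},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": role_arn(management_account_id)},
    ]}


def list_buckets_and_objects(s3):
    """Return {bucket_name: [object keys]} for every bucket visible to `s3`, which may
    be a real boto3 client or anything with list_buckets()/list_objects_v2().
    ListObjectsV2 returns at most 1000 keys per call, so follow NextContinuationToken."""
    inventory = {}
    for bucket in s3.list_buckets()["Buckets"]:
        name, keys, kwargs = bucket["Name"], [], {"Bucket": bucket["Name"]}
        while True:
            page = s3.list_objects_v2(**kwargs)
            keys.extend(obj["Key"] for obj in page.get("Contents", []))  # empty bucket: no Contents key
            if not page.get("IsTruncated"):
                break
            kwargs["ContinuationToken"] = page["NextContinuationToken"]
        inventory[name] = keys
    return inventory


def management_session(member_session, management_account_id):
    """Assume the management-account role with the member credentials and return a
    boto3 Session holding the temporary credentials (boto3 imported lazily so the
    policy helpers above work without it installed)."""
    import boto3
    resp = member_session.client("sts").assume_role(
        RoleArn=role_arn(management_account_id), RoleSessionName="s3-inventory")
    c = resp["Credentials"]
    return boto3.Session(aws_access_key_id=c["AccessKeyId"],
                         aws_secret_access_key=c["SecretAccessKey"],
                         aws_session_token=c["SessionToken"])


class FakeS3:
    """Constructed offline stand-in for an S3 client: bucket 'data' pages its
    listing across two responses, bucket 'empty' returns no Contents at all."""
    def list_buckets(self):
        return {"Buckets": [{"Name": "data"}, {"Name": "empty"}]}

    def list_objects_v2(self, **kw):
        if kw["Bucket"] == "empty":
            return {"IsTruncated": False}
        if "ContinuationToken" not in kw:
            return {"Contents": [{"Key": "a.csv"}], "IsTruncated": True,
                    "NextContinuationToken": "page2"}
        return {"Contents": [{"Key": "b.csv"}], "IsTruncated": False}


def main():
    import boto3
    member = boto3.Session()  # reads the member-account user's access keys from the environment
    print("member account:", json.dumps(list_buckets_and_objects(member.client("s3")), indent=2))
    mgmt = management_session(member, MANAGEMENT_ACCOUNT_ID)
    print("management account:", json.dumps(list_buckets_and_objects(mgmt.client("s3")), indent=2))


if __name__ == "__main__":
    print("offline dry run:", list_buckets_and_objects(FakeS3()))
    main()
```

No policy is attached to the buckets themselves: the management-account role is a principal in that account, so an identity policy on the role is enough unless a bucket policy explicitly denies it. Scope the bucket and object ARNs down from the wildcard once you know which buckets the inventory should cover, and keep s3:GetObjectAcl off the list unless the ACLs are actually needed.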
