aws project learning support

I need a user from within an AWS Organizations account to access an S3 bucket created with the root user; it must happen after the user has logged in through the SSO permission set assigned to the relevant account in the organization. Take into account that the user has been provisioned from Azure Entra ID.

1 Answer

To allow a user from within your AWS organization to access an S3 bucket created by the root user, after they've logged in through SSO with permissions from Azure Entra ID, you'll need to follow these steps:

  1. Ensure SSO is properly configured:
  • Verify that your Azure Entra ID integration with AWS SSO is working correctly
  • Make sure the user has been assigned to the appropriate AWS account in the AWS access portal
  • Confirm that the user can successfully log in through SSO
  2. Create or update the permission set:
  • In AWS IAM Identity Center (formerly AWS SSO), modify the permission set assigned to the user
  • Add S3 permissions to the permission set that allow the necessary actions (e.g., s3:GetObject, s3:ListBucket)
  • Ensure the permission set is assigned to both the user and the AWS account containing the S3 bucket
  3. Update the S3 bucket policy:
  • Add a statement to the bucket policy that allows access from the organization using the aws:PrincipalOrgID condition key
  • Example bucket policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
      "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-xxxxxxxxxxx"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME/*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-xxxxxxxxxxx"
        }
      }
    }
  ]
}
```

  4. Important note about bucket visibility:
  • The bucket will not automatically appear in the S3 console for users in other accounts
  • The user will need to know the bucket name or be provided with a direct URL to access it
  • The ListBuckets API only shows buckets in the caller's own AWS account

By following these steps, your user will be able to access the S3 bucket after logging in through SSO with their Azure Entra ID credentials, provided they have the appropriate permission set assigned to them.
Sources
Add users in organization to S3 buckets | AWS re:Post
SSO For Extra Accounts Added under Root | AWS re:Post

answered 10 months ago
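The answer's steps 2 and 3 depend on a two-sided check: for a cross-account request, the identity-based policy of the Identity Center permission set's role in the member account and the bucket policy in the bucket-owning account must both allow the action, and the bucket policy's `Principal: "*"` is only safe because the `aws:PrincipalOrgID` condition narrows it to the organization. The script below is an added example, not part of the original answer or of any AWS tool; it models just the parts of the policy language this pattern uses (Allow/Deny, `*` wildcards in Action and Resource, Principal, and `StringEquals` conditions) and checks a bucket policy for wildcard-principal statements that carry no condition. The account ID, bucket name, organization ID, role ARN and permission-set policy are constructed placeholders.

```python
import re

# Constructed placeholders (not real accounts, buckets or organizations).
BUCKET = "arn:aws:s3:::example-bucket"
ORG_ID = "o-exampleorgid"
# Session principal for a user signed in through a permission set in the member account.
SSO_ROLE_ARN = ("arn:aws:sts::111122223333:assumed-role/"
                "AWSReservedSSO_S3ReadAccess_0123456789abcdef/jane@example.com")

# Identity-based side: inline policy on the permission set (assumed content).
PERMISSION_SET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
         "Resource": BUCKET},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET + "/*"},
    ],
}

# Resource-based side: the bucket policy from the answer, with placeholder values.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetBucketLocation", "s3:ListBucket"], "Resource": BUCKET,
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}}},
        {"Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": BUCKET + "/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wild(pattern, value):
    """IAM-style '*' wildcard match (the '?' wildcard is not modelled)."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def _principal_matches(spec, principal_arn):
    """No Principal (identity policy) or '*' matches anyone; 'AWS' lists match by ARN."""
    if spec is None or spec == "*":
        return True
    if isinstance(spec, dict):
        aws = spec.get("AWS", [])
        return aws == "*" or principal_arn in _as_list(aws)
    return False


def _conditions_hold(condition, context):
    """Only StringEquals is modelled; a key absent from the context never matches."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise ValueError(f"condition operator not modelled: {operator}")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def evaluate(policy, action, resource, principal_arn, context):
    """Return 'Deny', 'Allow' or 'Implicit' for one policy document."""
    verdict = "Implicit"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt.get("Principal"), principal_arn):
            continue
        if not any(_wild(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_wild(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"          # an explicit deny wins over any allow
        verdict = "Allow"
    return verdict


def cross_account_allowed(identity_policy, bucket_policy, action, resource,
                          principal_arn, context):
    """Cross-account request: both the caller's policy and the bucket policy must allow."""
    return (evaluate(identity_policy, action, resource, principal_arn, context) == "Allow"
            and evaluate(bucket_policy, action, resource, principal_arn, context) == "Allow")


def unconditioned_wildcard_statements(bucket_policy):
    """Indexes of Allow statements with Principal '*' and no Condition (public access)."""
    return [i for i, s in enumerate(bucket_policy["Statement"])
            if s.get("Effect") == "Allow" and s.get("Principal") == "*"
            and not s.get("Condition")]


if __name__ == "__main__":
    ctx = {"aws:PrincipalOrgID": ORG_ID}
    for action, resource in [("s3:ListBucket", BUCKET), ("s3:GetObject", BUCKET + "/reports/q1.csv"),
                             ("s3:PutObject", BUCKET + "/reports/q1.csv")]:
        print(action, cross_account_allowed(PERMISSION_SET_POLICY, BUCKET_POLICY,
                                            action, resource, SSO_ROLE_ARN, ctx))
    print("public statements:", unconditioned_wildcard_statements(BUCKET_POLICY))
```

The evaluator makes two failure modes visible that the console does not: a permission set without `s3:GetObject` leaves object reads denied even though the bucket policy allows them, and a request whose context carries a different `aws:PrincipalOrgID` (or none at all, as an anonymous request would) fails the `StringEquals` condition. Removing the condition from a `Principal: "*"` statement is exactly what `unconditioned_wildcard_statements` flags, since that statement would then grant access to everyone.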
