Hello, I hope you are well. If I have understood well, apparently your question is the same addressed on following link:
https://repost.aws/knowledge-center/cross-account-access-s3
Please, let me know in case this is accurate to your question or if you already have read the content shared.
Regards.
This is not the answer to my question. In my question I explained that I can get cross-account access working with a user and a role for an S3 bucket. This is what is addressed in the article you reference and I can get that working no problem. The issue is specifically with S3 Access Points (not the bucket). I can connect to them cross-account with a user, but not with a role.
Hello,
Greetings from AWS!
I understand that you are receiving an Access Denied error while attempting to access a cross-account S3 bucket through access points using an IAM role.
To begin with, I have replicated this issue in my lab environment with the below policies and I was able to make a successful request:
Account A:
Account A IAM user policy:
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::ACCOUNT-B:role/RoleName"
    }
}
Note: Here, please replace the IAM ARN with your Account B role ARN.
========================================
Account B:
Account B IAM role Trust policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::ACCOUNTA-ID:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}
========================================
Account B IAM Role Policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::BucketName"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::BucketName/*"
        }
    ]
}
========================================
S3 Bucket Policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::BucketName",
                "arn:aws:s3:::BucketName/*"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:DataAccessPointAccount": "123456789012"
                }
            }
        }
    ]
}
========================================
Access Point policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:role/RoleName"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:us-east-1:123456789012:accesspoint/my-access-point/object/*"
        }
    ]
}
[+] https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-points-usage-examples.html#get-object-ap
[+] https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-points-policies.html
[+] Assume Role - https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html#switch-cli-tutorial_cross-account-with-roles
That said, in case the issue still persists, I request you to open a support case for further troubleshooting.
Sania,
Thanks for your reply, but this is a workaround to my issue. I already have numerous workarounds. What I would like is for AWS to acknowledge that this is a bug and that it is on a backlog somewhere to be fixed. If I have an EC2 Instance, Lambda function, or SSO user, they should not have to assume a role in another account to access a bucket cross-account. This is confirmed by the fact that it works with a user and not with a role, and with a bucket but not with an access point. It would be tedious to have to re-program my applications or teach my SSO users to assume a role in Account B just to access an access point there. The better workaround would be to create an access point in account A they could use, but this is still just a workaround. I have already submitted a support case, but they are telling me they cannot investigate since they don't have access to both accounts. I have told them to give me a user or role ARN and I will set up a policy to allow them to access the access point so they can troubleshoot. I have not heard back yet. If you can replicate this on your end (the failure and not the workaround), it would be helpful if you could provide those details to support. I would send you the case number if I saw a way to message you privately.
I assume you have the bucket policy and IAM Role policy. Now, we need to ensure that you have updated the Access Point policy to allow the role or user (from the consumer account) permissions to the access point. Once you've ensured both the bucket policy and the IAM Role/User policy are correct, you can attempt a request to the bucket.
Here are some steps and references to access cross account S3 Access point:
Source Account:
- An Amazon S3 bucket with a bucket policy to grant access to the S3 Access Point.
- A cross-account role to enable a user in Account B to assume access.
- An S3 Access Point in the S3 bucket with its own policy to grant s3:GetObject and s3:ListBucket access to the user that assumes the cross-account role.
============================================================
Bucket policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "<ARN of the consumer-account IAM role or user>"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::bucketname/*",
                "arn:aws:s3:::bucketname"
            ]
        }
    ]
}
Please replace the values: <ARN of the consumer-account IAM role or user> and bucketname.
============================================================
Cross-Account-Role:
Create an IAM Role that has admin access, with a trust relationship policy as follows:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "<ARN of the consumer-account IAM role or user>"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}
Please replace the value: <ARN of the consumer-account IAM role or user>.
============================================================
Access Point policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "<ARN of the consumer-account IAM role or user>"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "<Access-Point-ARN>",
                "<Access-Point-ARN>/object/*"
            ]
        }
    ]
}
Please replace the values: <ARN of the consumer-account IAM role or user> and <Access-Point-ARN>. (s3:ListBucket is evaluated against the access point ARN itself; s3:GetObject is evaluated against the object ARN form <Access-Point-ARN>/object/*, so both resources are listed.)
============================================================
Consumer Account:
This is the account that is using the S3 Access Point and will use cross-account access to Account A to use the S3 Access Point. The IAM role/user in the other account needs to have permissions to the Bucket ARN and the Access Point ARN.
- An IAM user with console access (AmazonS3FullAccess) and policies to assume the cross-account role created in Account A.
============================================================
Assume policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PermissionToAssumeAlice",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "<ARN of the source-account IAM role or user>"
        }
    ]
}
Please replace the value: <ARN of the source-account IAM role or user>.
============================================================
An inline cross-account policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:ListBucket",
                "s3:ListAccessPoints"
            ],
            "Resource": [
                "arn:aws:s3:::bucketname/*",
                "arn:aws:s3:::bucketname",
                "<Access-Point-ARN>",
                "<Access-Point-ARN>/object/*"
            ]
        }
    ]
}
Please replace the values: bucketname and <Access-Point-ARN>.
============================================================
Cross-account access login:
In order to access the Amazon S3 Access Point created via cross-account access, please do the following:
- Log into the consumer account and navigate to IAM. You should find the user which you created.
- Click on the user and open the Security Credentials tab to copy the console link. Then, open a new tab in your browser and paste the link to log in.
- Login using the IAM user created (in consumer account) and Password.
- Click on the account ID, and click on with role.
- Enter the AccountID of Account A for Account and the Rolename (created in Source Account) for Role. The Display Name can be anything. Click on “switch role”.
- Go to Amazon S3 and find the bucket created. You should be able to see the bucket and download the objects from that bucket.
If you are not able to log in or switch the role using the steps above, please refer to our official document for troubleshooting here [2].
===============================================================
References:
[1] https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-points-policies.html
[2] https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-console.html
[4] https://github.com/aws-samples/amazon-s3-access-points-for-cross-account-integration-samples
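Both AWS answers above list three documents that must all allow a cross-account request made through an access point: the caller's identity policy, the access point policy, and the bucket policy (either naming the caller or delegating to the access point with s3:DataAccessPointAccount). The following is an added example, not code from the thread or from AWS, that checks that chain offline for an s3:GetObject so the failing document can be identified before opening a support case. It is a simplified model of IAM evaluation (Allow/Deny statements with Action, Resource, Principal and StringEquals conditions only; SCPs, permission boundaries and session policies are ignored), and the account IDs, role, bucket and access point names are constructed placeholders. It also maps an assumed-role session ARN (arn:aws:sts::...:assumed-role/Name/session, which is what a request from an EC2 instance or Lambda function carries) to the IAM role ARN that policies name, since that distinction is exactly the user-versus-role difference this thread is about.

```python
"""Offline check of the policy chain behind a cross-account s3:GetObject made
through an S3 Access Point. Constructed example with placeholder ARNs; the
evaluator is a simplified model of IAM, not a replacement for the real one."""
import fnmatch


def _as_list(x):
    return x if isinstance(x, list) else [x]


def normalize_principal(arn):
    """Map an assumed-role session ARN (what a request actually carries) to the
    IAM role ARN that resource policies name."""
    prefix = "arn:aws:sts::"
    if arn.startswith(prefix) and ":assumed-role/" in arn:
        account, rest = arn[len(prefix):].split(":assumed-role/", 1)
        return f"arn:aws:iam::{account}:role/{rest.split('/', 1)[0]}"
    return arn


def _principal_matches(principal, arn, account):
    # Resource-policy Principal: "*", an account ID, the account root ARN, or a
    # specific user/role ARN (a role ARN covers every session of that role).
    if principal == "*":
        return True
    for p in _as_list(principal.get("AWS", [])):
        if p in ("*", arn, account, f"arn:aws:iam::{account}:root"):
            return True
    return False


def _conditions_hold(condition, ctx):
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            if ctx.get(key) not in _as_list(expected):
                return False
    return True


def evaluate(policy, action, resource, ctx, principal=None):
    """Return 'Allow', 'Deny' or None (implicit deny) for one policy document."""
    arn = normalize_principal(principal) if principal else None
    account = arn.split(":")[4] if arn else None
    allowed = False
    for st in _as_list(policy["Statement"]):
        if "Principal" in st and not _principal_matches(st["Principal"], arn, account):
            continue
        # IAM action/resource wildcards are '*' and '?'; ARNs are case-sensitive.
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _conditions_hold(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else None


def check_access_point_get_object(identity_policy, access_point_policy, bucket_policy,
                                  principal, access_point_arn, bucket, key):
    """Findings for a cross-account s3:GetObject through an access point; an
    empty list means all three policies allow the request."""
    ap_object = f"{access_point_arn}/object/{key}"
    ctx = {"s3:DataAccessPointAccount": access_point_arn.split(":")[4],
           "s3:DataAccessPointArn": access_point_arn}
    findings = []
    # 1. Caller's identity policy: a request through an access point is
    #    authorised against the access point ARN, so a bucket ARN never matches.
    if evaluate(identity_policy, "s3:GetObject", ap_object, ctx) != "Allow":
        findings.append(f"identity policy does not allow s3:GetObject on {ap_object}")
    # 2. Access point policy in the bucket owner's account must name the caller.
    if evaluate(access_point_policy, "s3:GetObject", ap_object, ctx, principal) != "Allow":
        findings.append(f"access point policy does not allow {normalize_principal(principal)}")
    # 3. Bucket policy must allow the caller directly or delegate to the access
    #    point via s3:DataAccessPointAccount / s3:DataAccessPointArn.
    if evaluate(bucket_policy, "s3:GetObject", f"arn:aws:s3:::{bucket}/{key}", ctx, principal) != "Allow":
        findings.append("bucket policy neither allows the caller nor delegates to the access point")
    return findings


# Constructed sample: a role in account 111111111111 reads through an access
# point owned by account 222222222222 (placeholder IDs, not from the thread).
ROLE_ARN = "arn:aws:iam::111111111111:role/AppRole"
AP_ARN = "arn:aws:s3:us-east-1:222222222222:accesspoint/my-access-point"
BUCKET = "example-bucket"
ROLE_POLICY_BUCKET_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}
ROLE_POLICY_WITH_AP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": [f"arn:aws:s3:::{BUCKET}/*", f"{AP_ARN}/object/*"]}]}
AP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN}, "Action": "s3:GetObject",
     "Resource": f"{AP_ARN}/object/*"}]}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": f"arn:aws:s3:::{BUCKET}/*",
     "Condition": {"StringEquals": {"s3:DataAccessPointAccount": "222222222222"}}}]}

if __name__ == "__main__":
    session = "arn:aws:sts::111111111111:assumed-role/AppRole/ec2-session"
    for name, pol in (("bucket ARN only", ROLE_POLICY_BUCKET_ONLY), ("with AP ARN", ROLE_POLICY_WITH_AP)):
        result = check_access_point_get_object(pol, AP_POLICY, BUCKET_POLICY, session, AP_ARN, BUCKET, "reports/q1.csv")
        print(name, "->", result or "all three policies allow the request")
```

Run as-is, the first case reports that the role's identity policy only covers the bucket ARN, which is the document a request through an access point never matches; the second case passes. To check a real setup, paste the three policy documents in place of the constructed ones and pass the actual session ARN that shows up in the CloudTrail record of the denied call.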
What are the access permissions attached to the role? Are those different than what is attached to the IAM user?
No, they are the same or were the same, now they are even more permissive.
Before it was just
arn:aws:s3:us-west-2:***AccountB***:accesspoint/*. Policy works fine for user, but not for role when using an access point.