Hello, I hope you are well. If I have understood correctly, your question seems to be the same one addressed at the following link:
https://repost.aws/knowledge-center/cross-account-access-s3
Please let me know whether this matches your question, or if you have already read the content shared.
Regards.
This is not the answer to my question. In my question I explained that I can get cross-account access working with a user and a role for an S3 bucket. This is what is addressed in the article you reference and I can get that working no problem. The issue is specifically with S3 Access Points (not the bucket). I can connect to them cross-account with a user, but not with a role.
Hello,
Greeting from AWS!
I understand that you are receiving an Access Denied error while attempting to access a cross-account S3 bucket through an access point using an IAM role.
To begin with, I replicated this scenario in my lab environment with the policies below and was able to make a successful request:
Account A:
Account A IAM user policy:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::ACCOUNT-B:role/RoleName"
}
}
Note: Here, please replace the IAM ARN with your Account B role ARN.
========================================
Account B:
Account B IAM role Trust policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNTA-ID:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
——————
Account B IAM Role Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::BucketName"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::BucketName/*"
}
]
}
————————
S3 Bucket Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::BucketName",
"arn:aws:s3:::BucketName/*"
],
"Condition": {
"StringEquals": {
"s3:DataAccessPointAccount": "123456789012"
}
}
}
]
}
———————
Access Point policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:role/RoleName"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:us-east-1:123456789012:accesspoint/my-access-point/object/*"
}
]
}
[+] https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-points-usage-examples.html#get-object-ap
[+] https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-points-policies.html
[+] Assume Role - https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html#switch-cli-tutorial_cross-account-with-roles
That said, if the issue still persists, I request that you open a support case for further troubleshooting.
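The flow the support reply walks through (a principal in Account A assumes the Account B role, then reads through the access point ARN), as an added example in Python with boto3. This is not code from the thread or from AWS. Everything in it is assumed: the placeholder account 123456789012, role RoleName, region us-east-1 and access point my-access-point are the ones used in the policies above, Account A credentials come from the environment, and the object key is passed on the command line. The offline helpers show the two ARN details the policies depend on: the access point ARN carries the access point owner's account ID, and a role session is reported by STS as arn:aws:sts::ACCT:assumed-role/RoleName/session while the principal a resource policy should grant is the IAM role ARN arn:aws:iam::ACCT:role/RoleName. On AccessDenied the script tells you which role ARN the access point policy has to name; the sample policy it checks against is a constructed copy of the one in the reply.

```python
"""Cross-account GetObject through an S3 Access Point with an assumed role.
Added example for this thread, not code from the support reply or the asker.
Assumed: placeholders below match the policies quoted above, Account A
credentials come from the environment, the object key is argv[1]."""
import json
import re
import sys

# Placeholders (assumed, mirroring the thread's policies); replace with yours.
ACCOUNT_B = "123456789012"      # owns the bucket and the access point
ROLE_NAME = "RoleName"          # Account B role that Account A may assume
REGION = "us-east-1"
ACCESS_POINT = "my-access-point"

# Constructed copy of the thread's access point policy, for the offline check.
SAMPLE_ACCESS_POINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_B}:role/{ROLE_NAME}"},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:{REGION}:{ACCOUNT_B}:accesspoint/{ACCESS_POINT}/object/*",
    }],
}

ASSUMED_ROLE_RE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/.+$")


def access_point_arn(account, region, name):
    """Access point ARN; the account is the access point's owner (Account B)."""
    return f"arn:aws:s3:{region}:{account}:accesspoint/{name}"


def access_point_object_resource(account, region, name, key_pattern="*"):
    """Resource ARN form for object actions in an access point policy."""
    return f"{access_point_arn(account, region, name)}/object/{key_pattern}"


def policy_principal_for(caller_arn):
    """A role session presents as arn:aws:sts::ACCT:assumed-role/Role/session;
    the stable principal to grant is arn:aws:iam::ACCT:role/Role."""
    m = ASSUMED_ROLE_RE.match(caller_arn)
    return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}" if m else caller_arn


def principals_granted(policy_doc):
    """Every AWS principal named by an Allow statement of a resource policy."""
    doc = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    stmts = doc["Statement"]
    if isinstance(stmts, dict):            # IAM allows a single statement object
        stmts = [stmts]
    found = set()
    for s in stmts:
        if s.get("Effect") != "Allow":
            continue
        p = s.get("Principal", {})
        aws = p if isinstance(p, str) else p.get("AWS", [])
        found.update([aws] if isinstance(aws, str) else aws)
    return found


def missing_grant(caller_arn, access_point_policy):
    """ARN the access point policy still has to name, or None if already granted."""
    wanted = policy_principal_for(caller_arn)
    granted = principals_granted(access_point_policy)
    return None if ("*" in granted or wanted in granted) else wanted


def main(key):
    import boto3                               # lazy: helpers run without it
    from botocore.exceptions import ClientError

    resp = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{ACCOUNT_B}:role/{ROLE_NAME}",
        RoleSessionName="ap-cross-account-check",
    )
    c = resp["Credentials"]
    s3 = boto3.Session(
        aws_access_key_id=c["AccessKeyId"], aws_secret_access_key=c["SecretAccessKey"],
        aws_session_token=c["SessionToken"], region_name=REGION,
    ).client("s3")
    ap = access_point_arn(ACCOUNT_B, REGION, ACCESS_POINT)   # ARN goes in Bucket=
    try:
        body = s3.get_object(Bucket=ap, Key=key)["Body"].read()
        print(f"read {len(body)} bytes of {key} via {ap}")
    except ClientError as err:
        if err.response["Error"]["Code"] == "AccessDenied":
            me = resp["AssumedRoleUser"]["Arn"]          # sts assumed-role ARN
            need = missing_grant(me, SAMPLE_ACCESS_POINT_POLICY)
            print(f"AccessDenied as {me}; access point policy must name: "
                  f"{need or '(already granted; check the bucket policy delegation)'}")
        raise


if __name__ == "__main__":
    main(sys.argv[1])
```

Run it as python script.py path/to/key with Account A credentials in the environment. The access point ARN is passed in the Bucket parameter, which boto3 accepts for access points. If the script reports that the role is already named in the access point policy, the remaining things to check are the bucket policy's delegation to the access point account (the s3:DataAccessPointAccount condition in the reply) and the role's own identity policy, which must allow s3:GetObject on the access point resource ARN as well.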
Sania,
Thanks for your reply, but this is a workaround for my issue. I already have numerous workarounds. What I would like is for AWS to acknowledge that this is a bug and that it is on a backlog somewhere to be fixed. If I have an EC2 instance, Lambda function, or SSO user, they should not have to assume a role in another account to access a bucket cross-account. This is confirmed by the fact that it works with a user and not with a role, and with a bucket but not with an access point. It would be tedious to have to re-program my applications or teach my SSO users to assume a role in Account B just to access an access point there. The better workaround would be to create an access point in Account A they could use, but this is still just a workaround. I have already submitted a support case, but they are telling me they cannot investigate since they don't have access to both accounts. I have told them to give me a user or role ARN and I will set up a policy to allow them to access the access point so they can troubleshoot. I have not heard back yet. If you can replicate this on your end (the failure, not the workaround), it would be helpful if you could provide those details to support. I would send you the case number if I saw a way to message you privately.
What are the access permissions attached to the role? Are those different than what is attached to the IAM user?
No, they are the same, or were the same; now they are even more permissive. Before it was just arn:aws:s3:us-west-2:***AccountB***:accesspoint/*. The policy works fine for the user, but not for the role when using an access point.