I assume you have the bucket policy and IAM Role policy. Now, we need to ensure that you have updated the Access Point policy to allow the role or user permissions (from the consumer account) to the access point. Once you’ve ensured both the bucket policy and IAM Role/User policy are correct, you can attempt a request to the bucket.
Here are some steps and references to access a cross-account S3 Access Point:
Source Account:
- An Amazon S3 bucket with a bucket policy to grant access to the S3 Access Point.
- A cross-account role to enable a user in Account B to assume access.
- An S3 Access Point in the S3 bucket with its own policy to grant s3:GetObject and s3:ListBucket access to the user that assumes the cross-account role.
============================================================ Bucket policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "<ARN of the consumer-account IAM role or user>"
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::bucketname/*",
        "arn:aws:s3:::bucketname"
      ]
    }
  ]
}
```
Please replace the values: <ARN of the consumer-account IAM role or user> and bucketname.
============================================================ Cross-Account-Role:
Create an IAM Role that has the admin access, also with a trust relationships policy which should be as follows:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "<ARN of the consumer-account IAM role or user>"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
```
Please replace the values: <ARN of the consumer-account IAM role or user>.
============================================================ Access Point policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "<ARN of the consumer-account IAM role or user>"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "<Access-Point-ARN>",
        "<Access-Point-ARN>/object/*"
      ]
    }
  ]
}
```
Please replace the values: <ARN of the consumer-account IAM role or user> and <Access-Point-ARN>.
============================================================ Consumer Account: This is the account that is using the S3 Access Point and will use cross-account access to Account A to use S3 Access Point. The IAM role/user in the other account needs to have permissions to the Bucket ARN and the Access Point ARN.
- An IAM user with console access (AmazonS3FullAccess) and policies to assume the cross-account role created in Account A.
============================================================ Assume policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PermissionToAssumeAlice",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "<ARN of the source-account IAM role or user>"
    }
  ]
}
```
Please replace the values: <ARN of the source-account IAM role or user>.
============================================================
An inline cross-policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:ListBucket",
        "s3:ListAccessPoints"
      ],
      "Resource": [
        "arn:aws:s3:::bucketname/*",
        "arn:aws:s3:::bucketname",
        "<Access-Point-ARN>",
        "<Access-Point-ARN>/object/*"
      ]
    }
  ]
}
```
Please replace the values: bucketname and <Access-Point-ARN>.
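The policies above are easy to get subtly wrong (a missing `/*` on the object resource, a `/object/*` suffix left off the access point ARN, a placeholder never replaced, a wildcard principal). The following is an added example, not part of the original answer or of any AWS tooling: a small offline checker that reads the four policy documents as JSON and reports those mistakes before they reach the account. All ARNs, account IDs and names in it are constructed sample values.

```python
"""Offline sanity checker for the bucket, trust, access-point and identity
policies used in a cross-account S3 Access Point setup (added example; the
account IDs, bucket and access point names below are constructed)."""
import json
import re

# Actions that only match object-level resources (bucket/* or accesspoint/.../object/*).
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject"}
# Actions that match the bucket or access point itself.
BUCKET_ACTIONS = {"s3:ListBucket"}

PLACEHOLDER_RE = re.compile(r"<[^>]*>")
# arn:aws:s3:<region>:<account>:accesspoint/<name>[/object/<key-pattern>]
ACCESS_POINT_RE = re.compile(r"^arn:aws:s3:[a-z0-9-]+:\d{12}:accesspoint/[a-z0-9-]+")


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_object_resource(arn: str) -> bool:
    """True when the ARN can match S3 objects (bucket/* or accesspoint/.../object/*)."""
    if arn == "*":
        return True
    if ACCESS_POINT_RE.match(arn):
        return "/object/" in arn
    return arn.endswith("/*")


def check_policy(policy: dict, kind: str) -> list:
    """Return a list of findings for one policy document.
    kind: "bucket", "accesspoint", "trust" (role trust policy) or "identity"."""
    findings = []
    if PLACEHOLDER_RE.search(json.dumps(policy)):
        findings.append(f"{kind}: placeholder <...> still present; replace it with the real ARN/name")

    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action")))
        resources = [r for r in _as_list(stmt.get("Resource")) if isinstance(r, str)]
        principal = stmt.get("Principal")

        # Resource-based policies must name the consumer principal explicitly.
        if kind in ("bucket", "accesspoint", "trust"):
            aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
            if "*" in aws_principals:
                findings.append(f"{kind} stmt {i}: Principal '*' grants access to every AWS account")

        # An unconditioned AssumeRole grant is broader than a cross-account hand-off needs.
        if kind == "trust" and "sts:AssumeRole" in actions and not stmt.get("Condition"):
            findings.append(f"{kind} stmt {i}: sts:AssumeRole without a Condition (e.g. sts:ExternalId or aws:PrincipalOrgID)")

        if kind != "trust" and resources:
            if actions & OBJECT_ACTIONS and not any(_is_object_resource(r) for r in resources):
                findings.append(f"{kind} stmt {i}: object actions {sorted(actions & OBJECT_ACTIONS)} "
                                "but no object resource (bucket/* or accesspoint/.../object/*)")
            if actions & BUCKET_ACTIONS and not any(r == "*" or not _is_object_resource(r) for r in resources):
                findings.append(f"{kind} stmt {i}: s3:ListBucket needs the bucket or access point ARN itself")
            for r in resources:
                if ACCESS_POINT_RE.match(r) and "/object/" in r and not r.endswith("*"):
                    findings.append(f"{kind} stmt {i}: access point object ARN {r!r} should end in /object/*")
    return findings


# Constructed sample documents mirroring the shapes used in the answer.
CONSUMER_ROLE = "arn:aws:iam::222222222222:role/ConsumerRole"
AP_ARN = "arn:aws:s3:us-east-1:111111111111:accesspoint/example-ap"

BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": CONSUMER_ROLE},
    "Action": ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-source-bucket/*", "arn:aws:s3:::example-source-bucket"]}]}

# Same policy with the object ARN typed as "bucket /" (no "/*"): GetObject never matches.
BUCKET_POLICY_TYPO = json.loads(json.dumps(BUCKET_POLICY).replace("example-source-bucket/*", "example-source-bucket /"))

TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": CONSUMER_ROLE}, "Action": "sts:AssumeRole", "Condition": {}}]}

ACCESS_POINT_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": CONSUMER_ROLE},
    "Action": ["s3:ListBucket", "s3:GetObject"], "Resource": [AP_ARN, AP_ARN + "/object/*"]}]}

# GetObject granted only on the access point ARN, without the /object/* resource.
ACCESS_POINT_POLICY_NO_OBJECT = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": CONSUMER_ROLE},
    "Action": ["s3:ListBucket", "s3:GetObject"], "Resource": AP_ARN}]}


def check_all() -> dict:
    """Run the checker over the constructed samples; returns {name: findings}."""
    return {
        "bucket": check_policy(BUCKET_POLICY, "bucket"),
        "bucket_typo": check_policy(BUCKET_POLICY_TYPO, "bucket"),
        "trust": check_policy(TRUST_POLICY, "trust"),
        "accesspoint": check_policy(ACCESS_POINT_POLICY, "accesspoint"),
        "accesspoint_no_object": check_policy(ACCESS_POINT_POLICY_NO_OBJECT, "accesspoint"),
    }


if __name__ == "__main__":
    for name, findings in check_all().items():
        print(name, "->", findings or "OK")
```

Run it against your own documents by loading each JSON file and calling `check_policy(doc, kind)`; a clean set returns an empty list for every policy. The checker is deliberately syntactic: it does not evaluate IAM semantics, so a clean result means "no obvious structural mistake", not "access will work".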
============================================================
Cross-account access login:
In order to access the Amazon S3 Access Point created via cross-account access, please do the following:
- Log into the consumer account and navigate to IAM. You should find the user which you created.
- Click on the user and open the Security Credentials tab to copy the console link. Then, open a new tab in your browser and paste the link to log in.
- Login using the IAM user created (in consumer account) and Password.
- Click on the account ID, and click on Switch Role.
- Enter the AccountID of Account A for Account and the Rolename (created in Source Account) for Role. The Display Name can be anything. Click on “switch role”.
- Go to Amazon S3 and find the bucket created. You should be able to see the bucket and download the objects from that bucket.
If you are not able to log in or switch the role using the steps above, please kindly refer to our official document for troubleshooting here [2].
============================================================ References:
[1] https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-points-policies.html
[2] https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-console.html
[4] https://github.com/aws-samples/amazon-s3-access-points-for-cross-account-integration-samples