How do I set up cross-account access from Bedrock to an Amazon S3 bucket in another account?

0

I have set up a Lambda using the InvokeModel API in Account A, but I'm trying to pass Bedrock URIs that live in a different account, Account B. I keep getting this error:

Your account does not have access to the specified S3 resource. (Service: BedrockRuntime, Status Code: 400, ...) 

I'm able to GetObject from the Lambda code itself, but it's when I use the InvokeModel API that I get the error. I have Bucket Key disabled for simplicity; this is the bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowLambdaCrossAccountAccess",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::ACCOUNT_A:role/lambda_execution_role"
            },
            "Action": [
                "s3:GetObject*",
                "s3:GetBucket*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::account_b_bucket_name",
                "arn:aws:s3:::account_b_bucket_name/*"
            ]
        },
        {
            "Sid": "AllowBedrockAccess",
            "Effect": "Allow",
            "Principal": {
                "Service": "bedrock.amazonaws.com"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::account_b_bucket_name/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "ACCOUNT_A"
                }
            }
        }
    ]
}

This is the Lambda execution role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "crossAccountS3Access",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::account_b_bucket_name",
                "arn:aws:s3:::account_b_bucket_name/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "bedrock:InvokeModel"
            ],
            "Resource": "*"
        },
        {
            "Sid": "DecryptKMSKey",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:DescribeKey"
            ],
            "Resource": "arn:aws:kms:us-east-1:ACCOUNT_B:key/*"
        }
    ]
}
1 Answer
0

To enable cross-account S3 bucket access for Amazon Bedrock, you need to configure permissions in both accounts. Here's how to set it up:

In the bucket owner's account, you should have a bucket policy that grants access to users in the bucket owner's account, including ListBucket and GetObject permissions. The policy should specify the appropriate role ARN and bucket resources.

I would request that you check whether you have granted permissions to the correct Lambda execution role.

In the user's AWS account, create an import execution role policy that specifies the bucket owner's account ID using the aws:ResourceAccount condition key and includes the necessary S3 permissions.

If the S3 bucket is encrypted with a custom AWS KMS key, additional steps are required:

  • In the bucket owner's account, create a resource policy allowing the user's account import role to perform kms:Decrypt and kms:DescribeKey actions
  • In the user's account, update the import execution role policy to include permissions for the specific KMS key

You can refer to the documents below for troubleshooting the error:

References:

[1] Cross-account access to Amazon S3 bucket for custom model import jobs - https://docs.aws.amazon.com/bedrock/latest/userguide/cross-account-access-cmi.html
[2] How to configure cross-account model deployment using Amazon Bedrock Custom Model Import - https://aws.amazon.com/blogs/machine-learning/how-to-configure-cross-account-model-deployment-using-amazon-bedrock-custom-model-import/?nc2=h_mo-lang

AWS
answered 14 days ago
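Putting the answer's steps together as one runnable sketch (an added example, not part of the answer above and not AWS's own tooling): it builds the bucket policy for the bucket owner's account, the execution role policy for the user's account pinned to the owner with aws:ResourceAccount, and the KMS key policy statement for the owner's key, then checks that the two halves agree before you deploy them. The account IDs, the KMS key ID and the statement Sids are constructed placeholders; the bucket and role names reuse the ones from the question. The check also flags the `key/*` wildcard the question's role uses, since the answer asks for the specific key.

```python
"""Build and cross-check the policy documents for cross-account Bedrock -> S3 access.

Added example. Account IDs, the KMS key ID and Sids are constructed placeholders;
nothing here is copied from the page or from AWS tooling.
"""
import json

ACCOUNT_A = "111111111111"  # constructed: account running the Lambda / Bedrock call
ACCOUNT_B = "222222222222"  # constructed: account owning the bucket and KMS key
BUCKET = "account_b_bucket_name"
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/lambda_execution_role"
# constructed key ID; the point is that the role names one key, not key/*
KMS_KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_B}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
NEEDED_S3 = {"s3:ListBucket", "s3:GetObject"}


def bucket_policy_account_b() -> dict:
    """Bucket owner's account: resource policy naming the Account A role exactly."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCrossAccountRole",
            "Effect": "Allow",
            "Principal": {"AWS": ROLE_ARN},
            "Action": sorted(NEEDED_S3),
            "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
        }],
    }


def role_policy_account_a() -> dict:
    """User's account: identity policy on the execution role, pinned to the bucket
    owner's account via aws:ResourceAccount, plus decrypt on the specific key."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "CrossAccountS3Access",
                "Effect": "Allow",
                "Action": sorted(NEEDED_S3),
                "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
                "Condition": {"StringEquals": {"aws:ResourceAccount": ACCOUNT_B}},
            },
            {
                "Sid": "DecryptBucketKey",
                "Effect": "Allow",
                "Action": ["kms:Decrypt", "kms:DescribeKey"],
                "Resource": KMS_KEY_ARN,
            },
        ],
    }


def kms_key_policy_statement_account_b() -> dict:
    """Bucket owner's account: statement to append to the KMS key's policy."""
    return {
        "Sid": "AllowAccountARoleDecrypt",
        "Effect": "Allow",
        "Principal": {"AWS": ROLE_ARN},
        "Action": ["kms:Decrypt", "kms:DescribeKey"],
        "Resource": "*",  # in a key policy "*" means this key only
    }


def _as_set(value) -> set:
    return {value} if isinstance(value, str) else set(value)


def check_setup(bucket_policy, role_policy, kms_stmt, role_arn, bucket_owner, key_arn):
    """Return a list of mismatches between the two accounts' policies; [] is good."""
    problems = []
    # 1. Bucket policy must grant both S3 actions to the exact role ARN.
    granted = set()
    for s in bucket_policy["Statement"]:
        if s["Effect"] == "Allow" and s.get("Principal", {}).get("AWS") == role_arn:
            granted |= _as_set(s["Action"])
    if not NEEDED_S3 <= granted:
        problems.append(f"bucket policy does not grant {sorted(NEEDED_S3 - granted)} to {role_arn}")
    # 2. Every S3 statement on the role must be pinned to the bucket owner's account.
    for s in role_policy["Statement"]:
        if NEEDED_S3 & _as_set(s["Action"]):
            cond = s.get("Condition", {}).get("StringEquals", {})
            if cond.get("aws:ResourceAccount") != bucket_owner:
                problems.append(f"statement {s.get('Sid')} lacks aws:ResourceAccount={bucket_owner}")
    # 3. KMS: the role names the specific key, and the key policy names the role.
    kms_resources = set()
    for s in role_policy["Statement"]:
        if "kms:Decrypt" in _as_set(s["Action"]):
            kms_resources |= _as_set(s["Resource"])
    if key_arn not in kms_resources:
        problems.append("role policy does not name the specific KMS key ARN")
    if any(r.endswith("key/*") for r in kms_resources):
        problems.append("role policy grants kms:Decrypt on key/* (wildcard)")
    if kms_stmt.get("Principal", {}).get("AWS") != role_arn or "kms:Decrypt" not in _as_set(kms_stmt["Action"]):
        problems.append("key policy does not allow kms:Decrypt for the role")
    return problems


if __name__ == "__main__":
    for name, doc in (("bucket", bucket_policy_account_b()), ("role", role_policy_account_a())):
        print(f"--- {name} policy ---\n{json.dumps(doc, indent=2)}")
    print(check_setup(bucket_policy_account_b(), role_policy_account_a(),
                      kms_key_policy_statement_account_b(), ROLE_ARN, ACCOUNT_B, KMS_KEY_ARN))
```

The check is deliberately narrow: it confirms that the principal, actions, account pin and key ARN line up across the two accounts, which is what the 400 "does not have access to the specified S3 resource" error usually comes down to. It does not replace an IAM policy simulation, and it says nothing about SCPs or the bucket's block-public-access settings.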
