
Unable to access cross account s3

0

So I have two AWS accounts, Account A and Account B.

I have an IAM user in Account A with Administrator access, plus an additional sts:AssumeRole policy into Account B:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::AccountB:role/s3-assumerole"
    }
}

For Account B, I have a role, s3-assumerole, with a custom trust policy for the root user. This role also has administrative permission.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AccountA:root"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Since I have configured the credentials of the IAM user of Account A in my CLI, shouldn't I be able to access some buckets in Account B?

    ~ aws s3 ls s3://account-b-bucket/

Why am I getting the following error?

    An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied

My concern is: should I be specifying the S3 buckets anywhere?

I am already using the following bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AccountA:user/account-A-user"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::account-b-bucket",
                "arn:aws:s3:::account-b-bucket/*"
            ]
        }
    ]
}
4 Answers
0
Accepted Answer

Hi,

This KC article is the one to read and follow to successfully achieve cross-account S3 access: https://repost.aws/knowledge-center/cross-account-access-s3

When followed properly, you get working cross-account access.

Best,

Didier

EXPERT
answered 10 months ago
EXPERT
reviewed 10 months ago
0

Based on the information provided, there are a few reasons why you might be experiencing an "Access Denied" error when trying to access the S3 bucket in Account B from Account A:

  1. Role assumption: It appears that you have set up cross-account access correctly with the IAM user in Account A having permission to assume the role in Account B. However, when you're running the AWS CLI command, you're not actually assuming that role. You need to explicitly assume the role before accessing the S3 bucket.

  2. S3 bucket policy: While you have a bucket policy that allows access from the IAM user in Account A, this policy is not aligned with your cross-account role setup. The bucket policy should grant access to the assumed role in Account B, not directly to the IAM user in Account A.

  3. Missing S3 permissions: The role in Account B (s3-assumerole) has administrative permissions, but you should ensure it explicitly includes S3 access permissions.

To resolve this issue:

  1. Assume the role in Account B before accessing the S3 bucket. You can do this using the AWS CLI with the following command:

    aws sts assume-role --role-arn arn:aws:iam::AccountB:role/s3-assumerole --role-session-name MySession

    This will provide temporary credentials that you can use to access resources in Account B.

  2. Update the S3 bucket policy in Account B to allow access from the assumed role:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::AccountB:role/s3-assumerole"
                },
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::account-b-bucket",
                    "arn:aws:s3:::account-b-bucket/*"
                ]
            }
        ]
    }

  3. Ensure the role in Account B (s3-assumerole) has the necessary S3 permissions. You can add an inline policy or attach an AWS managed policy that includes S3 access.

After making these changes, you should be able to assume the role and then access the S3 bucket in Account B. Remember to use the temporary credentials provided by the assume-role command when accessing the bucket.

Sources
Cannot Access S3 Access Point Cross-Account with Role | AWS re:Post
Access Denied for boto3 list_buckets operation when assuming cross account role from sagemaker notebook | AWS re:Post

answered 10 months ago
EXPERT
reviewed 10 months ago
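As an added worked example (not from the question or any of the answers above): a small Python model of the bucket-policy check, which makes points 1 and 2 of this answer concrete. Requests signed with role-session credentials arrive at S3 as an STS assumed-role ARN, and a bucket policy that names the IAM user in Account A never matches that identity, while one that names the role ARN does. The assume-role response below is constructed to mirror the shape `aws sts assume-role` returns (credential values are placeholders), and the account IDs are the `AccountA`/`AccountB` placeholders used in the question.

```python
"""Model of which requester an S3 bucket policy actually matches (illustrative, not the real IAM engine)."""
import json
from fnmatch import fnmatchcase

BUCKET = "arn:aws:s3:::account-b-bucket"

# Constructed sample: shape of `aws sts assume-role --role-arn arn:aws:iam::AccountB:role/s3-assumerole
# --role-session-name MySession`. All values are placeholders.
ASSUME_ROLE_RESPONSE = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIA-PLACEHOLDER",
        "SecretAccessKey": "PLACEHOLDER",
        "SessionToken": "PLACEHOLDER",
        "Expiration": "2024-01-01T00:00:00+00:00",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROA-PLACEHOLDER:MySession",
        "Arn": "arn:aws:sts::AccountB:assumed-role/s3-assumerole/MySession",
    },
})

# The questioner's bucket policy: principal is the IAM user in Account A.
POLICY_NAMING_USER = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::AccountA:user/account-A-user"},
        "Action": "s3:*",
        "Resource": [BUCKET, BUCKET + "/*"],
    }],
}

# The corrected bucket policy from this answer: principal is the role in Account B.
POLICY_NAMING_ROLE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::AccountB:role/s3-assumerole"},
        "Action": "s3:*",
        "Resource": [BUCKET, BUCKET + "/*"],
    }],
}


def session_principal(assume_role_json: str) -> str:
    """Identity that signs requests made with the returned temporary credentials."""
    return json.loads(assume_role_json)["AssumedRoleUser"]["Arn"]


def canonical_principal(arn: str) -> str:
    """Map an STS assumed-role ARN to the IAM role ARN a bucket policy would name.
    arn:aws:sts::ACCT:assumed-role/ROLE/SESSION -> arn:aws:iam::ACCT:role/ROLE"""
    prefix = "arn:aws:sts::"
    marker = ":assumed-role/"
    if arn.startswith(prefix) and marker in arn:
        account, rest = arn[len(prefix):].split(marker, 1)
        role_name = rest.split("/", 1)[0]
        return f"arn:aws:iam::{account}:role/{role_name}"
    return arn


def _as_list(value):
    return value if isinstance(value, list) else [value]


def bucket_policy_allows(policy: dict, requester_arn: str, action: str, resource_arn: str) -> bool:
    """Resource-policy evaluation only: explicit Deny wins, otherwise any matching Allow grants."""
    requester = canonical_principal(requester_arn)
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if not any(p == "*" or p == requester for p in principals):
            continue
        # IAM action names are case-insensitive; '*' wildcards are permitted in Action and Resource.
        if not any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def evaluate_both_paths() -> dict:
    """`aws s3 ls s3://account-b-bucket/` issues ListObjectsV2, which needs s3:ListBucket on the bucket ARN."""
    user = "arn:aws:iam::AccountA:user/account-A-user"
    role_session = session_principal(ASSUME_ROLE_RESPONSE)
    return {
        "user credentials, policy names user": bucket_policy_allows(POLICY_NAMING_USER, user, "s3:ListBucket", BUCKET),
        "role session, policy names user": bucket_policy_allows(POLICY_NAMING_USER, role_session, "s3:ListBucket", BUCKET),
        "role session, policy names role": bucket_policy_allows(POLICY_NAMING_ROLE, role_session, "s3:ListBucket", BUCKET),
    }


if __name__ == "__main__":
    for path, result in evaluate_both_paths().items():
        print(f"{path}: {'Allow' if result else 'no matching Allow'}")
```

The model covers the bucket-policy step only. The identity policy of the caller, any SCPs, and, as the last answer on this page notes, the KMS key policy for encrypted objects are evaluated separately, so a matching bucket policy is necessary but not by itself sufficient.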
0

Are you assuming the role in Account B before trying to access the buckets in Account A? That could be the issue.

answered 10 months ago
0

You're trying to access the bucket with two different methods:

  1. Role assumption in Account B
  2. Directly accessing the bucket with an IAM user in Account A with a bucket policy

You need to choose which method you are going to use. You also need to ensure that, if you're using KMS keys on your objects in the bucket in Account B, the user in Account A / role in Account B needs KMS:Decrypt.

See Didier's Answer as this is perfect!

EXPERT
answered 10 months ago
