When I log in directly to the origin account I have access to the target account's S3:

[cloudshell-user@ip-10-0-91-7 ~]$ aws sts get-caller-identity
{
    "UserId": "AIDAxxxxxxxxJBLJ34",
    "Account": "178xxxxxx057",
    "Arn": "arn:aws:iam::178xxxxxx057:user/adminCustomer"
}
[cloudshell-user@ip-10-0-91-7 ~]$ aws s3 ls s3://target-account-bucket
2022-03-10 01:28:05        432 foobar.txx
However, if I do it after assuming a role in that account, I can't access the target account:

[cloudshell-user@ip-10-1-12-136 ~]$ aws sts get-caller-identity
{
    "UserId": "AROAxxxxxxF5HI7BI:test",
    "Account": "178xxxxxx057",
    "Arn": "arn:aws:sts::178xxxxxx4057:assumed-role/ReadAnalysis/test"
}
[cloudshell-user@ip-10-1-12-136 ~]$ aws s3 ls s3://targer-account-bucket
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
However, I do have access to buckets in the origin account:

[cloudshell-user@ip-10-1-12-136 ~]$ aws s3 ls s3://origin-account
2022-03-09 21:19:36        432 cli_script.txt
The policy on target-account-bucket is as follows:

{
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::178xxxxxx057:root"
    },
    "Action": [
        "s3:*"
    ],
    "Resource": [
        "arn:aws:s3:::targer-account-bucket/*",
        "arn:aws:s3:::targer-account-bucket"
    ]
},
There are no explicit Deny policies that could apply.

Thank you for any advice you can provide.
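The following is an added worked model of the evaluation rule a practitioner would check first in this situation; it is not code from the question and it does not know the poster's real role policy. AWS documents two rules for cross-account access: a bucket policy whose Principal is an account root (arn:aws:iam::ACCOUNT:root) admits every IAM user and role of that account, but it only delegates the decision to that caller's own identity-based policy; and for a cross-account request the identity-based policy and the resource-based policy must both allow the action. The admin user passes both checks, while a role whose identity policy names only buckets in its own account passes the bucket-policy check but fails the identity check. The account id, the two role policies and the "before/after" fix are constructed assumptions; explicit Deny, SCPs, permissions boundaries and session policies (any of which can also produce AccessDenied) are deliberately not modelled.

```python
"""Minimal model of AWS cross-account S3 policy evaluation (added example).

Constructed inputs: ORIGIN_ACCOUNT stands in for the redacted account id, and
the role policies are guesses at what ReadAnalysis might carry, not real data.
"""
from fnmatch import fnmatchcase

ORIGIN_ACCOUNT = "111111111111"   # constructed stand-in for 178xxxxxx057
BUCKET = "target-account-bucket"  # owned by a different (target) account

BUCKET_POLICY = {  # the Allow statement quoted in the question, as a full document
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ORIGIN_ACCOUNT}:root"},
        "Action": ["s3:*"],
        "Resource": [f"arn:aws:s3:::{BUCKET}/*", f"arn:aws:s3:::{BUCKET}"],
    }],
}

ADMIN_USER_POLICY = {  # constructed: an administrator's identity policy
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

ROLE_POLICY_BEFORE = {  # constructed guess: role only names its own account's bucket
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": ["arn:aws:s3:::origin-account", "arn:aws:s3:::origin-account/*"],
    }],
}

ROLE_POLICY_AFTER = {  # constructed: the same role policy extended to the target bucket
    "Version": "2012-10-17",
    "Statement": ROLE_POLICY_BEFORE["Statement"] + [{
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }],
}

ADMIN_USER_ARN = f"arn:aws:iam::{ORIGIN_ACCOUNT}:user/adminCustomer"
ROLE_SESSION_ARN = f"arn:aws:sts::{ORIGIN_ACCOUNT}:assumed-role/ReadAnalysis/test"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(arn):
    return arn.split(":")[4]


def _iam_principal(caller_arn):
    """An STS assumed-role ARN is matched against the underlying IAM role ARN."""
    parts = caller_arn.split(":")
    if parts[2] == "sts" and parts[5].startswith("assumed-role/"):
        return f"arn:aws:iam::{parts[4]}:role/{parts[5].split('/')[1]}"
    return caller_arn


def principal_matches(principal_field, caller_arn):
    """'*', the caller's own IAM ARN, or the caller's account root all match."""
    for p in _as_list(principal_field.get("AWS", [])):
        if p == "*" or p == _iam_principal(caller_arn):
            return True
        if p.endswith(":root") and _account_of(p) == _account_of(caller_arn):
            return True
    return False


def statement_allows(stmt, action, resource):
    """IAM-style wildcard match on Action and Resource for an Allow statement."""
    return (stmt.get("Effect") == "Allow"
            and any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))


def identity_allows(policy, action, resource):
    return any(statement_allows(s, action, resource) for s in policy["Statement"])


def bucket_policy_allows(policy, caller_arn, action, resource):
    return any(principal_matches(s.get("Principal", {}), caller_arn)
               and statement_allows(s, action, resource)
               for s in policy["Statement"])


def cross_account_allowed(caller_arn, identity_policy, bucket_policy, action, resource):
    """Cross-account request: the identity policy AND the bucket policy must allow."""
    return (identity_allows(identity_policy, action, resource)
            and bucket_policy_allows(bucket_policy, caller_arn, action, resource))


def list_bucket_decisions():
    """Replay 'aws s3 ls s3://target-account-bucket' for each caller in the question."""
    action, resource = "s3:ListBucket", f"arn:aws:s3:::{BUCKET}"
    return {
        "adminCustomer": cross_account_allowed(ADMIN_USER_ARN, ADMIN_USER_POLICY, BUCKET_POLICY, action, resource),
        "ReadAnalysis/before": cross_account_allowed(ROLE_SESSION_ARN, ROLE_POLICY_BEFORE, BUCKET_POLICY, action, resource),
        "ReadAnalysis/after": cross_account_allowed(ROLE_SESSION_ARN, ROLE_POLICY_AFTER, BUCKET_POLICY, action, resource),
        # the bucket side never rejected the role: the root principal already admits it
        "bucket_policy_admits_role": bucket_policy_allows(BUCKET_POLICY, ROLE_SESSION_ARN, action, resource),
    }


if __name__ == "__main__":
    for caller, allowed in list_bucket_decisions().items():
        print(f"{caller:28s} {'ALLOW' if allowed else 'AccessDenied'}")
```

Against a real account the same question is answered by inspecting the role's attached and inline policies (aws iam list-attached-role-policies / list-role-policies) and, for a single action, by aws iam simulate-principal-policy with --policy-source-arn set to the role ARN, --action-names s3:ListBucket and --resource-arns set to the bucket ARN (cross-account bucket policies have to be supplied to the simulator with --resource-policy, since it only sees the caller's account).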