
Accessing S3 across accounts: I can do it if logged in to the origin account, but not if assuming a role from another account


When I log in directly to the origin account, I have access to the target account's S3:

    [cloudshell-user@ip-10-0-91-7 ~]$ aws sts get-caller-identity
    {
        "UserId": "AIDAxxxxxxxxJBLJ34",
        "Account": "178xxxxxx057",
        "Arn": "arn:aws:iam::178xxxxxx057:user/adminCustomer"
    }

    [cloudshell-user@ip-10-0-91-7 ~]$ aws s3 ls s3://target-account-bucket
    2022-03-10 01:28:05        432 foobar.txx

However, if I do it after assuming a role in that account, I can't access the target account:

    [cloudshell-user@ip-10-1-12-136 ~]$ aws sts get-caller-identity
    {
        "UserId": "AROAxxxxxxF5HI7BI:test",
        "Account": "178xxxxxx057",
        "Arn": "arn:aws:sts::178xxxxxx4057:assumed-role/ReadAnalysis/test"
    }

    [cloudshell-user@ip-10-1-12-136 ~]$ aws s3 ls s3://targer-account-bucket

    An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
    [cloudshell-user@ip-10-1-12-136 ~]$

However, I do have access to buckets in the origin account:

    [cloudshell-user@ip-10-1-12-136 ~]$ aws s3 ls s3://origin-account
    2022-03-09 21:19:36        432 cli_script.txt

The policy on the target-account-bucket is as follows:

    {
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::178xxxxxx057:root"
        },
        "Action": [
            "s3:*"
        ],
        "Resource": [
            "arn:aws:s3:::targer-account-bucket/*",
            "arn:aws:s3:::targer-account-bucket"
        ]
    },

There are no explicit Deny policies that may apply.

Thank you for any advice you can provide.

1 Answer
Accepted Answer

Make sure that the policy assigned to the role allows access to the bucket. See: Cross-account policy evaluation logic.

"The principal's identity-based policy must allow the requested access to the resource in the trusting service."

AWS EXPERT, answered 3 years ago; reviewed by an EXPERT 6 months ago
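The rule the answer quotes is easy to misread, so here is a deliberately simplified model of AWS cross-account policy evaluation as an added example (this is not code from the thread or from AWS; it does not call AWS and it models only the Allow/Deny/Principal/Action/Resource mechanics relevant here). Everything beyond the posted bucket policy is an assumption constructed to reproduce the three observations in the question: the target account ID, the administrator policy on the IAM user, and a role policy that only covers the origin account's own bucket. Note that `aws s3 ls s3://bucket` calls ListObjectsV2, which is authorized by the IAM action `s3:ListBucket` on the bucket ARN itself, not the `/*` object ARN.

```python
"""Simplified model of AWS cross-account policy evaluation (added example).
Constructed policies and account IDs; only the target-bucket policy is from the post."""
import fnmatch

ORIGIN_ACCOUNT = "178xxxxxx057"   # account of both the IAM user and the role (from the post)
TARGET_ACCOUNT = "999999999999"   # assumption: the account that owns the target bucket
TARGET_BUCKET = "arn:aws:s3:::targer-account-bucket"
ORIGIN_BUCKET = "arn:aws:s3:::origin-account"

# Bucket policy on the target bucket, as posted: trusts the whole origin account.
TARGET_BUCKET_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{ORIGIN_ACCOUNT}:root"},
    "Action": ["s3:*"],
    "Resource": [f"{TARGET_BUCKET}/*", TARGET_BUCKET],
}]}
# Assumption: the IAM user is an administrator, which is why the first listing worked.
ADMIN_USER_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# Assumption: the role's permissions stop at the origin account's own bucket.
ROLE_POLICY_TODAY = {"Statement": [{
    "Effect": "Allow", "Action": "s3:*",
    "Resource": [ORIGIN_BUCKET, f"{ORIGIN_BUCKET}/*"],
}]}
# The fix: a read-only identity-based policy on the role that names the target bucket.
ROLE_POLICY_FIXED = {"Statement": ROLE_POLICY_TODAY["Statement"] + [{
    "Effect": "Allow",
    "Action": ["s3:ListBucket", "s3:GetObject"],
    "Resource": [TARGET_BUCKET, f"{TARGET_BUCKET}/*"],
}]}


def _listify(v):
    return v if isinstance(v, list) else [v]


def _principal_matches(stmt, caller_arn, caller_account):
    """Resource-policy Principal check: '*' matches anyone; the account root ARN or bare
    account ID matches every user and assumed role in that account; otherwise exact ARN."""
    principal = stmt.get("Principal", "*")
    if principal == "*":
        return True
    for p in _listify(principal.get("AWS", [])):
        if p in ("*", caller_arn, caller_account, f"arn:aws:iam::{caller_account}:root"):
            return True
    return False


def _decision(policy, action, resource, caller_arn=None, caller_account=None):
    """'Deny', 'Allow' or 'Implicit' for one policy document; an explicit Deny always wins."""
    result = "Implicit"
    for stmt in policy["Statement"]:
        if "Principal" in stmt and not _principal_matches(stmt, caller_arn, caller_account):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _listify(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _listify(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        result = "Allow"
    return result


def evaluate(caller_arn, caller_account, identity_policy, action, resource,
             resource_account, resource_policy=None):
    """Same account: identity-based OR resource-based policy may grant access.
    Cross-account: the identity policy (trusted account) AND the resource policy
    (trusting account) must both allow. Returns (allowed, reason)."""
    identity = _decision(identity_policy, action, resource)
    res = "Implicit"
    if resource_policy:
        res = _decision(resource_policy, action, resource, caller_arn, caller_account)
    if "Deny" in (identity, res):
        return False, "explicit Deny"
    if caller_account == resource_account:
        return (identity == "Allow" or res == "Allow"), "same account: either policy suffices"
    if res != "Allow":
        return False, "resource-based policy does not allow this principal"
    if identity != "Allow":
        return False, "identity-based policy of the principal does not allow this action"
    return True, "both identity-based and resource-based policies allow"


USER_ARN = f"arn:aws:iam::{ORIGIN_ACCOUNT}:user/adminCustomer"
ROLE_ARN = f"arn:aws:sts::{ORIGIN_ACCOUNT}:assumed-role/ReadAnalysis/test"


def list_target_as_user():
    return evaluate(USER_ARN, ORIGIN_ACCOUNT, ADMIN_USER_POLICY, "s3:ListBucket",
                    TARGET_BUCKET, TARGET_ACCOUNT, TARGET_BUCKET_POLICY)


def list_target_as_role(role_policy=ROLE_POLICY_TODAY):
    return evaluate(ROLE_ARN, ORIGIN_ACCOUNT, role_policy, "s3:ListBucket",
                    TARGET_BUCKET, TARGET_ACCOUNT, TARGET_BUCKET_POLICY)


def list_origin_as_role():
    return evaluate(ROLE_ARN, ORIGIN_ACCOUNT, ROLE_POLICY_TODAY, "s3:ListBucket",
                    ORIGIN_BUCKET, ORIGIN_ACCOUNT)


if __name__ == "__main__":
    print("user  -> target bucket:", list_target_as_user())
    print("role  -> target bucket:", list_target_as_role())
    print("role  -> origin bucket:", list_origin_as_role())
    print("fixed -> target bucket:", list_target_as_role(ROLE_POLICY_FIXED))
```

The model reproduces the thread: the bucket policy's `:root` principal is satisfied by the assumed role (it covers every principal in the origin account), so the cross-account denial comes entirely from the role's own identity-based policy, which the same-account listing of `origin-account` never exercised. Against real AWS, the equivalent check is `aws iam simulate-principal-policy --policy-source-arn <role ARN> --action-names s3:ListBucket --resource-arns <bucket ARN>`, which evaluates the role's identity-based policies.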
