Cross account s3 bucket creation?

0
  • I am able to create a policy with permission that allows S3:CreateBucket from an external account (A) from my account (B).
  • I am able to associate this policy with a role.

At this point I assume A has assumed the role I created and should be allowed to create a bucket in B's account. If I browse the S3 console and hit create bucket, I have no option to specify where to create the bucket (under which account).

Question: Is it possible to create a bucket in an external account? If yes, what is the missing piece in the above process?

JJ
asked 9 months ago, 249 views
3 Answers
4
Accepted Answer

If you want to create an S3 bucket from Account A in Account B, then through role chaining you can do that. Account A should have access to assume an Account B role which has permission to create S3 buckets. It's not that the Account A role would create the bucket in Account B; rather, the Account A role first assumes the Account B role and then, with that, creates the bucket in Account B.

Please refer to this documentation, which explains the cross-account assume-role setup in detail; you can then create the bucket through the CLI.

Here is how it'd be done:

  1. Account A role should have permission to assume Account B role

  2. Account B role should have permission to create S3 buckets in Account B.

  3. Account B role should have a trust relationship for the Account A role:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<AccountA>:role/<RoleName>"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
    

If the roles are SAML federated or web identity based, then go through this blog post, which covers trust relationship examples.

Edit:

Here is how you would do it:

Step-1: Account A:

   aws sts assume-role --role-arn arn:aws:iam::AccountB:role/AccountB_Role --role-session-name creates3bucket --profile AccountA

Step-2: Import the credentials to perform the action in AccountB:

  - export AWS_ACCESS_KEY_ID="Returned AccessKeyId from first command"

  - export AWS_SECRET_ACCESS_KEY="Returned SecretAccessKey from first command"

  - export AWS_SESSION_TOKEN="Returned SessionToken from first command"

Step-3: Create the bucket:

  # outside us-east-1, also pass: --create-bucket-configuration LocationConstraint=<region>
  aws s3api create-bucket --bucket <bucket-name>

This would create the bucket in AccountB. Please refer to the "Using temporary security credentials with the AWS CLI" section of the AWS documentation.

Hope you find this useful.

Abhishek (AWS, EXPERT)
answered 9 months ago

reviewed by iBehr (AWS, EXPERT) 9 months ago
  • Do you have any additional questions? Happy to help.

  • In this case, does the AWS access key have to belong to Account B or Account A?

  • Here is how you would do it:

    Step-1: Account A: aws sts assume-role --role-arn arn:aws:iam::AccountB:role/AccountB_Role --role-session-name creates3bucket --profile AccountA

    Step-2: Import the credentials to perform the action in AccountB:

    • export AWS_ACCESS_KEY_ID="Returned AccessKeyId from first command"
    • export AWS_SECRET_ACCESS_KEY="Returned SecretAccessKey from first command"
    • export AWS_SESSION_TOKEN="Returned SessionToken from first command"

    Step-3: aws s3api create-bucket --bucket <bucket-name>

    This would create the bucket in AccountB. Please refer to the "Using temporary security credentials with the AWS CLI" section of the AWS documentation.

    I've added these steps in my answer's Edit section as well.
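The accepted answer's two pieces (the trust policy on the Account B role and the credential export after assume-role) are easy to get subtly wrong: a copy-pasted trust policy with a wildcard principal lets any account assume the role, and pasting the AccessKeyId into AWS_SECRET_ACCESS_KEY silently breaks Step-2. The following is an added example, not code from the thread or from AWS; it uses only the Python standard library, never calls AWS, and all account ids, role names and credential values in it are constructed samples. It builds the two policy documents, audits a trust policy for those mistakes, and maps the JSON that `aws sts assume-role` prints to the three exports from Step-2.

```python
"""Helpers for the cross-account S3 bucket creation flow described in the thread.

Added example (not the thread's or AWS's code). Standard library only, no AWS calls.
Account ids, role names and credential values are constructed samples.
"""
import json

ASSUME_ROLE_ACTION = "sts:AssumeRole"


def trust_policy_for_role(account_a: str, role_name: str) -> dict:
    """Trust policy attached to the Account B role (step 3 of the accepted answer)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_a}:role/{role_name}"},
                "Action": ASSUME_ROLE_ACTION,
            }
        ],
    }


def create_bucket_permissions() -> dict:
    """Permissions policy for the Account B role (step 2): only what the task needs."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:CreateBucket"], "Resource": "arn:aws:s3:::*"}
        ],
    }


def audit_trust_policy(policy: dict, expected_account: str) -> list:
    """Return findings for a trust policy; an empty list means it is as tight as the thread's.

    Every Allow statement must name principals inside expected_account (no "*")
    and must grant nothing beyond sts:AssumeRole.
    """
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        arns = principal if isinstance(principal, str) else (principal or {}).get("AWS", [])
        if isinstance(arns, str):
            arns = [arns]
        for arn in arns:
            if arn == "*":
                findings.append(f"statement {idx}: wildcard principal lets any AWS account assume the role")
            elif f":{expected_account}:" not in arn:
                findings.append(f"statement {idx}: principal {arn} is outside account {expected_account}")
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        extra = [a for a in actions if a != ASSUME_ROLE_ACTION]
        if extra:
            findings.append(f"statement {idx}: trust policy should only allow {ASSUME_ROLE_ACTION}, found {extra}")
    return findings


def exports_from_assume_role(output_json: str) -> dict:
    """Map the Credentials block of `aws sts assume-role` output to the AWS_* variables of Step-2."""
    creds = json.loads(output_json)["Credentials"]
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],  # SecretAccessKey, not AccessKeyId
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }


# Constructed sample of what `aws sts assume-role` prints; every value here is fake.
SAMPLE_ASSUME_ROLE_OUTPUT = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID",
        "SecretAccessKey": "exampleSecretKey/NotReal",
        "SessionToken": "exampleSessionToken",
        "Expiration": "2024-01-01T00:00:00+00:00",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLE:creates3bucket",
        "Arn": "arn:aws:sts::222222222222:assumed-role/AccountB_Role/creates3bucket",
    },
})

if __name__ == "__main__":
    tp = trust_policy_for_role("111111111111", "AccountA_Role")  # constructed Account A id
    print(json.dumps(tp, indent=2))
    print("findings:", audit_trust_policy(tp, "111111111111"))
    for name, value in exports_from_assume_role(SAMPLE_ASSUME_ROLE_OUTPUT).items():
        print(f'export {name}="{value}"')
```

Running the script prints the trust policy, an empty findings list, and the three export lines; piping the real `aws sts assume-role --output json` output through `exports_from_assume_role` gives a copy-paste-free Step-2, and the audit makes the wildcard-principal mistake visible before the policy is attached.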

0

In the console you will only be able to create a bucket within the account of the role you are consuming.

You can't choose to create a bucket in another account.

You'd have to assume a role in the account where you wish to create the bucket.

EXPERT
answered 9 months ago
0

The S3 bucket creation process is always performed within the account where the AWS credentials are sourced. It means when you're logged into account A, you can only create a bucket in account A, not in account B. Even when you assume a role in account B, the bucket will be created in account A.

In order to create a bucket in account B, you need to do one of the following:

  • Assume the IAM role in account B that has the necessary permissions and use those credentials to create the bucket.
  • Create the bucket in account A and then migrate it to account B. This process includes creating a bucket in account A, copying all of the data to a new bucket in account B, and then deleting the bucket from account A.
  • If you want to create a bucket in account B from account A, you need to have account B's credentials available in account A. This is not a recommended practice due to security reasons.

When it comes to AWS services, always remember that resource creation and management are performed under the context of the account that owns the IAM credentials being used.

Your current process of granting bucket creation permissions to a role in Account B is fine but it's missing the step where you have to actually switch to Account B by assuming the role using the AWS Security Token Service (AWS STS) AssumeRole API to receive temporary credentials for that role, then using these temporary credentials to make the API call to create the bucket.

Please note that IAM policies and roles only govern permissions, they do not implicitly change the context of your operations between AWS accounts.

answered 9 months ago
