Formatting IAM policy to grant S3 external permission
Hello, I (account #A) have given access to an external account (account #B) in an S3 bucket with the canonical ID. However, when I try to download a file to an EC2 bucket, it's still producing the error:
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden
I'm trying to follow the instructions at https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/. I think that points 2 and 3 have been taken care of (although I used the console). The issue is that for point 1, I'm starting from https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html and the JSON policy reads:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::***********:user/********"
            },
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::cmaq-database/*"
        }
    ]
}
However, the console is not accepting it, claiming: "This policy contains the following error: Has prohibited field Principal." Thanks.
The error you're getting sounds like you're trying to use a resource policy as an identity-based policy. Since these policies are attached to a principal already, the Principal field is not required. More info here: https://aws.amazon.com/premiumsupport/knowledge-center/iam-principal-policy/
The policy above should be applied as the bucket policy for the bucket you'd like to share, and the identity-based policy for the user/role should look more like:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::cmaq-database/*"
        }
    ]
}
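To make the distinction in the answer concrete, here is an added Python example (not code from the question, the answer, or AWS) that lints a policy document against the rule behind the console error, and then checks that a cross-account read is allowed by both sides, the bucket policy in account A and the identity policy in account B. The account IDs, the principal name and the object key are placeholders; the policy evaluation is a deliberate simplification (exact-ARN principal match, wildcard matching on Action and Resource, no explicit Deny, no object ownership or ACL considerations).

```python
import fnmatch
import json

# Constructed placeholders (not the real values from the question).
ACCOUNT_B_USER = "arn:aws:iam::222222222222:user/reader"   # principal in account B
OBJECT_ARN = "arn:aws:s3:::cmaq-database/data/file.csv"     # an object in account A's bucket

# Resource-based policy: attached to the bucket in account A, so it MUST name the principal.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "statement1",
        "Effect": "Allow",
        "Principal": {"AWS": ACCOUNT_B_USER},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::cmaq-database/*",
    }],
}

# Identity-based policy: attached to the user/role in account B, so it must NOT carry Principal.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::cmaq-database/*",
    }],
}


def _as_list(value):
    """IAM allows a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict, kind: str) -> list[str]:
    """Return findings for a policy that is about to be attached.

    kind is "identity" (user/role/group policy) or "resource" (bucket policy).
    The first rule is the one the console enforces with "Has prohibited field Principal".
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", f"statement[{i}]")
        has_principal = "Principal" in stmt or "NotPrincipal" in stmt
        if kind == "identity" and has_principal:
            findings.append(f"{sid}: identity-based policies must not contain Principal; "
                            "the identity it is attached to is the principal")
        if kind == "resource" and not has_principal:
            findings.append(f"{sid}: resource-based policies must name a Principal")
        if kind == "resource" and stmt.get("Principal") == "*":
            findings.append(f"{sid}: Principal \"*\" makes the statement public")
    return findings


def _statement_allows(stmt, principal_arn, action, resource_arn, check_principal):
    """Simplified Allow evaluation for one statement (no Deny, no Condition)."""
    if stmt.get("Effect") != "Allow":
        return False
    if check_principal:
        principals = stmt.get("Principal")
        if principals == "*":
            matched = True
        elif isinstance(principals, dict):
            matched = principal_arn in _as_list(principals.get("AWS"))
        else:
            matched = False
        if not matched:
            return False
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action"))):
        return False
    return any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt.get("Resource")))


def cross_account_read_allowed(bucket_policy, identity_policy, principal_arn, object_arn) -> bool:
    """A cross-account GetObject needs an Allow on BOTH the bucket and the calling identity."""
    bucket_ok = any(_statement_allows(s, principal_arn, "s3:GetObject", object_arn, True)
                    for s in _as_list(bucket_policy.get("Statement")))
    identity_ok = any(_statement_allows(s, principal_arn, "s3:GetObject", object_arn, False)
                      for s in _as_list(identity_policy.get("Statement")))
    return bucket_ok and identity_ok


if __name__ == "__main__":
    # Attaching the bucket policy as an identity policy reproduces the console's complaint.
    print(json.dumps(lint_policy(BUCKET_POLICY, "identity"), indent=2))
    print(cross_account_read_allowed(BUCKET_POLICY, IDENTITY_POLICY, ACCOUNT_B_USER, OBJECT_ARN))
```

Running the lint with the wrong `kind` is exactly the mistake in the question: the same document is valid as a bucket policy and invalid as an identity policy. The second function shows why fixing the identity policy alone is not enough: if either side lacks the Allow, the read still fails.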
Hi Ed. Let me read the link to make sure I understand what you mean. Thanks.