Here is a post that talks about providing cross-account access to objects in S3 buckets: Granting cross account access to objects in S3. Please review and follow the steps and let me know if that helps.
Hi!
The owner of the umlc-daily-snapshot-prod bucket needs to update the bucket policy to explicitly grant access to your IAM role. The policy should include your account ID and the ARN of the IAM role you're using. Something like this:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::186013061496:role/YourRoleName"
            },
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::umlc-daily-snapshot-prod/*",
                "arn:aws:s3:::umlc-daily-snapshot-prod"
            ]
        }
    ]
}
Sometimes, S3 Block Public Access settings can override bucket and IAM policies. Ensure these settings are not blocking your access.
The trust relationship of the IAM role in your account should allow the role to be assumed by your principal (user or service). This is particularly important if you're assuming a role for access.
There are a few things that may still be causing the cross-account access to fail:
- S3 Block Public Access settings on the bucket owner's account could be overriding the bucket policy and denying access. These settings should be checked.
- The IAM role being used does not have a trust relationship allowing it to be assumed by the principal (user or service) making the requests from the other account.
- By default, an S3 object belongs to the account that uploaded it. If an object was uploaded by another account, the bucket owner needs access permissions on that object through ACL grants or by assuming a role in the other account.
Could you check on this and let me know.
To access your S3 bucket policy through an EC2 instance, you can use the AWS CLI or an AWS SDK:
1. Install and configure the AWS CLI on your EC2 instance. Make sure the IAM role attached to the instance has the necessary permissions to access S3.
2. Use the aws s3api get-bucket-policy command to retrieve the policy document for the bucket (the command takes only the bucket name; there is no policy name to pass):
    aws s3api get-bucket-policy --bucket my-bucket
3. You can also use an AWS SDK like the AWS SDK for Python (Boto3) to programmatically retrieve the bucket policy:
    import boto3

    # On an EC2 instance this picks up the credentials of the instance's IAM role
    s3 = boto3.client('s3')
    # Requires the s3:GetBucketPolicy permission on the bucket
    response = s3.get_bucket_policy(Bucket='my-bucket')
    print(response['Policy'])
4. The AWS Management Console can also be accessed from the EC2 instance to view the bucket policy on the S3 console. Attached is a post that talks about how you can grant an Amazon EC2 instance access to an Amazon S3 bucket. Please review this as well and see if it helps.
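The answers above give the bucket policy the bucket owner should attach and the commands for reading a policy from the instance. The following is an added example (not code from this thread, from AWS, or from the bucket owner) that ties the two together offline: it takes the Arn reported by `aws sts get-caller-identity` on the machine that is failing and evaluates it against the proposed bucket policy, so you can see whether the principal the instance really uses is the one the policy names. It assumes the role name YourRoleName from the policy above, a hypothetical instance-profile role called ec2-instance-role, and hypothetical session names; the policy logic is a simplified subset of IAM evaluation (explicit Deny wins; Condition, NotPrincipal, NotAction and NotResource are not modelled), and the caller's own identity policy is not checked.

```python
"""Offline check: does a bucket policy grant the identity an EC2 instance actually
uses? Added example, not code from the thread or from AWS."""
import fnmatch
import json
import re

# Constructed sample: the bucket policy proposed in the answer above (the account
# ID and bucket name are the ones that appear in the thread).
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::186013061496:role/YourRoleName"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::umlc-daily-snapshot-prod/*",
                 "arn:aws:s3:::umlc-daily-snapshot-prod"]
  }]
}
""")

# Constructed variant of a common mistake: only the object ARN is granted, so
# s3:ListBucket (which is evaluated against the bucket ARN itself) is not covered.
OBJECTS_ONLY_POLICY = json.loads(json.dumps(BUCKET_POLICY))
OBJECTS_ONLY_POLICY["Statement"][0]["Resource"] = ["arn:aws:s3:::umlc-daily-snapshot-prod/*"]

_ASSUMED_ROLE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")


def normalize_principal(caller_arn):
    """Map the Arn from `aws sts get-caller-identity` to the form a bucket policy
    names. An instance profile yields an assumed-role session ARN; S3 matches
    that against the underlying IAM role ARN in the Principal element."""
    m = _ASSUMED_ROLE.match(caller_arn)
    if m:
        return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}"
    return caller_arn


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn):
    if principal == "*":
        return True
    aws = principal.get("AWS") if isinstance(principal, dict) else None
    if aws is None:
        return False  # Service/Federated principals are out of scope here
    caller = normalize_principal(caller_arn)
    account = caller.split(":")[4]
    for p in _as_list(aws):
        # A bare account ID or root ARN delegates to the whole account; the
        # caller's own IAM policy then has to allow the action as well.
        if p in ("*", caller, account, f"arn:aws:iam::{account}:root"):
            return True
    return False


def evaluate(policy, caller_arn, action, resource):
    """Return 'allow', 'deny' or 'implicit-deny' for one action/resource pair.
    Simplified IAM logic: an explicit Deny wins over any Allow; Condition,
    NotPrincipal, NotAction and NotResource are not modelled."""
    decision = "implicit-deny"
    for stmt in _as_list(policy.get("Statement", [])):
        if not _principal_matches(stmt.get("Principal", {}), caller_arn):
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt.get("Effect") == "Deny":
            return "deny"
        decision = "allow"
    return decision


def diagnose(policy, caller_arn, bucket, key="any/object.txt"):
    """The two permissions a read-only consumer needs, each evaluated against the
    resource ARN S3 actually checks it against (bucket ARN vs. object ARN)."""
    return {
        "s3:ListBucket": evaluate(policy, caller_arn, "s3:ListBucket", f"arn:aws:s3:::{bucket}"),
        "s3:GetObject": evaluate(policy, caller_arn, "s3:GetObject", f"arn:aws:s3:::{bucket}/{key}"),
    }


if __name__ == "__main__":
    # Hypothetical caller ARNs: what a laptop using the named role might report,
    # and what an instance profile with a differently named role reports.
    for arn in ("arn:aws:sts::186013061496:assumed-role/YourRoleName/laptop",
                "arn:aws:sts::186013061496:assumed-role/ec2-instance-role/i-0abc123"):
        print(normalize_principal(arn), diagnose(BUCKET_POLICY, arn, "umlc-daily-snapshot-prod"))
```

Run `aws sts get-caller-identity` on the EC2 instance and on your laptop and feed each Arn to diagnose(). If the laptop shows the role or user the bucket owner put in Principal and the instance shows a different role (the one in its instance profile), that alone explains "works locally but not from EC2": the bucket owner has to add the instance's role ARN, and that role's own IAM policy in your account must also allow s3:GetObject and s3:ListBucket on the bucket, because cross-account access needs both sides to allow it. The OBJECTS_ONLY_POLICY case shows the other frequent failure, where reads work but listing does not.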
The POC from the team owning the S3 bucket and associated account said they tried the same procedure as in the post, but it is not working. Are there any debugging steps I can run on my end to help them? I can't see the policy that they are using, but I did suggest attaching the same policy as in the above answer.
I saw I could access it from my local machine, but still not from the EC2 instance.