By using AWS re:Post, you agree to the AWS re:Post Terms of Use

Unable to access cross-account S3 bucket

0

I am trying to access the umlc-daily-snapshot-prod S3 bucket located in AWS account 495612396250 from my account 186013061496. This is a cross-account scenario where I need read access to the bucket owned by another team.

When trying to list objects in the bucket from my account, I get "Access Denied" errors.

Debugging steps taken:

Confirmed IAM role and account using aws sts get-caller-identity Tried listing objects: aws s3 ls s3://umlc-daily-snapshot-prod/ Ran debug command: aws s3 ls s3://umlc-daily-snapshot-prod/ --debug

Debug findings:

IAM Role: InfoSecHostMonitoringInstanceProfileRole-DO-NOT-DELETE Account Number: 186013061496 Operation: ListObjectsV2 on umlc-daily-snapshot-prod bucket Region: us-east-1 Error: Access Denied. RequestId: G96YB6D1GPJMN62P

Things tried to enable access:

The bucket owners added my account ID and IAM role ARN to the bucket policy. Not sure they are doing it the right way, though. Please advise on any other steps needed to allow cross-account S3 access. Please let me know if any other information and details needed from my end, happy to assist.

3 Answers
0

Here is a post that talks Granting cross account access to objects in S3 about providing cross account access to objects in S3. buckets .Please review and follow the steps and let me know if that helps

AWS
answered a year ago
  • POC from the team owning the s3 bucket and associated account said they tried same procedure as on the post, but it is not working. Are there any debugging steps I can run on my end to help them? I can't see the policy that they are using, but I did suggest attaching the policy same as above answer.

    I saw I could access from my local but still not from the EC2 instance

0

Hi!

The owner of the umlc-daily-snapshot-prod bucket needs to update the bucket policy to explicitly grant access to your IAM role. The policy should include your account ID and the ARN of the IAM role you're using. Something like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::186013061496:role/YourRoleName"
      },
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::umlc-daily-snapshot-prod/*",
        "arn:aws:s3:::umlc-daily-snapshot-prod"
      ]
    }
  ]
}

Sometimes, S3 Block Public Access settings can override bucket and IAM policies. Ensure these settings are not blocking your access.

The trust relationship of the IAM role in your account should allow the role to be assumed by your principal (user or service). This is particularly important if you're assuming a role for access.

answered a year ago
0

There are a few things that may still be causing the cross account access to fail :

  1. S3 Block Public Access settings on the bucket owner's account could be overriding the bucket policy and denying access. These settings should be checked.

  2. The IAM role being used does not have a trust relationship allowing it to be assumed by the principal (user or service) making the requests from the other account.

  3. By default, an S3 object belongs to the account that uploaded it. If an object was uploaded by another account, the bucket owner needs access permissions on that object through ACL grants or by assuming a role in the other account.

Could you check on this and let me know

To access your S3 bucket policy through an EC2 instance, you can use the AWS CLI or an AWS SDK:

  1. Install and configure the AWS CLI on your EC2 instance. Make sure the IAM role attached to the instance has the necessary permissions to access S3.

  2. Use the aws s3api get-bucket-policy command to retrieve the policy document for the bucket:

aws s3api get-bucket-policy --bucket my-bucket --policy-name MyPolicy

3.You can also use an AWS SDK like the AWS SDK for Python (Boto3) to programmatically retrieve the bucket policy:

import boto3

s3 = boto3.client('s3')
response = s3.get_bucket_policy(Bucket='my-bucket')
print(response['Policy']) 

4.The AWS Management Console can also be accessed from the EC2 instance to view the bucket policy on the S3 console. Attached is a post that talks about How you can grant my Amazon EC2 instance access to an Amazon S3 bucketPlease review this a well and see if it helps

AWS
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions