
Access bucket s3 from a role on another account

0

Hi all,

I am trying to set up an environment where an S3 bucket is accessed from another account.

The S3 bucket, called bucket01, was created in one account (Account A), and access is from another account (Account B).

In account B, I have created a role called role01.

I defined the following policy on the S3 bucket in account A.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::<id other account B>:role/role01"
                ]
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::bucket01/*"
        }
    ]
}

I created the role called role01 with the following policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::bucket01"
            ]
        }
    ]
}

I associated this role with a server running Linux and, from that server, executed the aws s3 ls command. It does not work:

An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied  

Let me know where I'm going wrong.

Thanks.

asked a year ago, 62 views
2 Answers
0

Hello,

Greetings of the day,

I understand that you are trying to access an S3 bucket in account A from an IAM role in account B and are facing an access denied error when running the 'aws s3 ls' command via the CLI.

Please note that s3 ls is a bucket-level operation, and hence we need to provide bucket-level permission to the IAM role in both the IAM policy and the bucket policy, as this is a cross-account scenario.

Looking into the policies which you have shared, I can see that the IAM policy is granting bucket-level permission on the S3 bucket. However, the bucket policy is granting only object-level permission to the IAM role. When the request to the S3 bucket is made from an IAM role in a different account, both the IAM policy and the bucket policy should grant the permissions.

As the bucket policy was not allowing the IAM role to perform bucket-level operations, you were facing the access denied error. In order to resolve the access denied error, the bucket policy should allow the IAM role to perform bucket-level operations.

I am happy that you were able to resolve this issue by following the AWS documentation. Let us know if you still face any issue.

Thank you!!

answered a year ago
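As an added example (not code from the post or from AWS), here is a small offline model of the "both policies must allow" rule described in the answer above, run over the post's original policy pair and over a corrected pair. Account ids are placeholders, and the model only handles Allow statements with wildcard matching; it ignores Deny statements, conditions, SCPs and principal matching.

```python
# Added example: offline model of cross-account S3 policy evaluation.
# Real IAM evaluation has more rules (explicit Deny, conditions, SCPs,
# principal matching); this models Allow statements and the rule that for a
# cross-account request BOTH the identity policy and the bucket policy must allow.
import fnmatch

BUCKET = "arn:aws:s3:::bucket01"          # bucket ARN from the post
ROLE = "arn:aws:iam::<ACCOUNT_B_ID>:role/role01"   # placeholder account id

def _as_list(v):
    return v if isinstance(v, list) else [v]

def allows(policy, action, resource):
    """True if any Allow statement matches both action and resource (IAM-style wildcards)."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        act_ok = any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"]))
        res_ok = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"]))
        if act_ok and res_ok:
            return True
    return False

def cross_account_allowed(iam_policy, bucket_policy, action, resource):
    """Identity policy (account B) AND bucket policy (account A) must both allow."""
    return allows(iam_policy, action, resource) and allows(bucket_policy, action, resource)

# The post's original pair: IAM policy names only the bucket ARN, bucket policy only objects.
IAM_ORIGINAL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": [BUCKET]}]}
BUCKET_ORIGINAL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": [ROLE]},
     "Action": "s3:*", "Resource": BUCKET + "/*"}]}

# Corrected pair (assumed, least-privilege instead of s3:*): both sides name the bucket ARN
# for s3:ListBucket and the object ARN pattern for object actions.
IAM_FIXED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET},
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": BUCKET + "/*"}]}
BUCKET_FIXED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": [ROLE]},
     "Action": ["s3:ListBucket", "s3:GetObject"], "Resource": [BUCKET, BUCKET + "/*"]}]}

def list_bucket_result(iam_policy, bucket_policy):
    """'aws s3 ls s3://bucket01' needs s3:ListBucket on the bucket ARN itself (no '/*')."""
    return cross_account_allowed(iam_policy, bucket_policy, "s3:ListBucket", BUCKET)

if __name__ == "__main__":
    print("original pair, ListBucket:", list_bucket_result(IAM_ORIGINAL, BUCKET_ORIGINAL))  # False
    print("fixed pair, ListBucket:   ", list_bucket_result(IAM_FIXED, BUCKET_FIXED))        # True
```

The same check shows the mirror-image gap in the original pair: an object read such as s3:GetObject on arn:aws:s3:::bucket01/file.txt is allowed by the bucket policy but not by the IAM policy, because that policy names only the bucket ARN.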
