Cross Account Access to s3 via role problem

0

I am trying to figure out where my issue is. I have account A and account B. I have a server in account B that needs access to an S3 bucket in account A via an IAM role and can't get it to work, but this is what I have.

**Account A:**

  • S3 bucket setup
  • Role setup with a Policy to access that bucket.

Account A role trust relationship:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::ACCOUNTB:role/ProcessingServer"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
```

Account B trust relationship (server role setup):

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
```

So, from Account A, I stuck that role on a server and since the trust is allowed using the ec2 service, it works (so I know the policy is correct as well); however, from the Account B server, I get the list denied. I think I am just missing something that says from the Account B role/trust that hey, you're allowed, but not sure that is the case.

Thanks for all reads/help.

4 Answers
1

It's not clear how you're assuming the role in account A. However, I am going to presume you're not for this answer.

Your EC2 in account B will not automatically assume a role in account A, presuming that you are using the IAM role assigned to the server in account B.

What you will need to do is ensure the role in account B assigned to the EC2 has the appropriate access (list bucket, get object, etc.) to the resource of the S3 bucket in account A, or, for testing purposes, allow it to all S3 resources. Also, if you're using KMS on your bucket in account A, the role in account B will also need KMS decrypt, encrypt, etc.

Then, in account A, on the S3 bucket policy, ensure the role from account B is granted appropriate access to the bucket with the correct actions.

Any KMS key in account A used by the bucket will also need to allow the role from account B access.

This is what's needed if you are using the IAM role assigned to an EC2 in account B. It will not by default assume a role in another account if all you're trying is an aws s3 ls bucket-name.

EXPERT
answered a year ago
  • Sorry if that 1st part wasn't clear; trying to read the examples over and over blurs the text! Especially when their example is the opposite of Account A and Account B. But to answer your 1st question, "It's not clear how you're assuming the role in account A":

    How I visually saw it was: Account "A" has the S3 bucket and a role that trusted Account B and had all permissions to access that bucket. So as I saw it, Account B has an EC2 that is running. I attach a role that has permissions to assume the role of Account A, which in turn has access to that bucket, so it should just work.

    The only thing I didn't see/add is where you commented "Then in account A, on the S3 bucket policy, ensure the role from account B is granted appropriate access to the bucket with the correct actions." I thought if I assumed a role in Account A that has access, it would appear to the bucket that I am really the Account A role user, so why the need for that policy?

0
Accepted Answer

Hi,

Please, take a look at these references:

I'd say you should pay attention to the policy in AccountB. In the source account AccountB, you should explicitly grant access to assume the role in the destination account AccountA.

```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::<AccountA>:role/<Role to be assumed in AccountA>"
  }
}
```

Please, let me know if this helped.

Have a great evening.

AWS
SergioA
answered a year ago
EXPERT
reviewed a month ago
0

Thank you both. It seems a lot was correct. I re-did it from scratch, and even after testing and verifying with get-caller-identity, the issue came as I was trying to list without the --profile and the info in the config file!

Thanks to both for the help and direction

answered a year ago
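The --profile the asker refers to is a named profile in ~/.aws/config. As an added example that is not part of the thread, this profile makes the CLI on the account B instance assume the account A role using the instance role's own credentials; the profile name, role ARN, account ID and region are placeholders:

```ini
# ~/.aws/config on the account B server (constructed example, placeholder values)
[profile accounta-bucket]
role_arn = arn:aws:iam::111111111111:role/BucketReader
credential_source = Ec2InstanceMetadata
region = us-east-1
```

With this in place, aws sts get-caller-identity --profile accounta-bucket should report an assumed-role ARN in account A, and aws s3 ls s3://bucket-name --profile accounta-bucket goes through that role. Without --profile the CLI uses the instance role directly, which is the case the first answer describes.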
0

Hi,

Assuming this is your scenario,

a. Account B server --> access Account A bucket (Cross account access)

Note: IAM roles should be attached to the instance as instance profiles if they are for EC2 instances.

  1. Create an IAM role A in Account A which has the policy to access S3 bucket in Account A (role to be assumed)
  2. Create an IAM role B in account B
  3. Add the assume role permissions for IAM role B to assume to IAM role A

```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::<AccountA>:role/IAM role A"
  }
}
```

  4. Add a trust relationship/policy for IAM role A to trust IAM role B. Note: You can add more conditions to restrict the trust policy and add multiple trust policies under the Statement key.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<AccountB>:role/IAM role B"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
  5. IAM setup is done. To access the bucket now using either the CLI or SDK, you have to:
  • call the assume role API from the Account B server to get temporary credentials for account A
  • use the temporary credentials to do the S3 operations

b. Account A server --> access Account A bucket

There are two ways to achieve this in this case:

  • bucket policy - can be considered when there is only limited number of buckets to maintain
  • IAM policy - can be considered when you require centralized control for the buckets and also re-use the role for Cross account access

Note: The policy to access the bucket would be the same in both cases (bucket policy and IAM role policy).

Note: In the case of an IAM role, the only other change would be to add the trust policy for EC2 instances, as the role will be attached to the servers/EC2 instances.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

Reference: https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/

Hope this helps.

answered a year ago
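Steps 3 and 4 above only work when the two halves reference each other: the caller role's policy must allow sts:AssumeRole on the target role's ARN, and the target role's trust policy must name the caller role (or its account) as a principal. Here is an added offline checker, not code from the thread, that compares both documents and reports which half is wrong; the account IDs and the BucketReader role name are placeholders, and it assumes the caller is identified by its IAM role ARN:

```python
def _as_list(x):
    # "Statement", "Action", "Resource" and "Principal.AWS" may each be a scalar or a list
    return x if isinstance(x, list) else [x]

def role_may_assume(identity_policy, target_role_arn):
    """Does the caller role's own (identity) policy allow sts:AssumeRole on the target?"""
    allowed = False
    for st in _as_list(identity_policy.get("Statement", [])):
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        if not any(r in ("*", target_role_arn) for r in _as_list(st.get("Resource", []))):
            continue
        if st.get("Effect") == "Deny":
            return False  # an explicit Deny overrides any Allow
        allowed = True
    return allowed

def role_trusts(trust_policy, caller_role_arn):
    """Does the target role's trust policy name the caller role (or its whole account)?"""
    account = caller_role_arn.split(":")[4]
    accepted = {caller_role_arn, account, "arn:aws:iam::%s:root" % account}
    for st in _as_list(trust_policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if accepted.intersection(aws):
            return True
    return False

def diagnose(identity_policy, trust_policy, caller_role_arn, target_role_arn):
    """Return a list of findings; an empty list means both halves line up."""
    findings = []
    if not role_may_assume(identity_policy, target_role_arn):
        findings.append("caller role policy lacks sts:AssumeRole on " + target_role_arn)
    if not role_trusts(trust_policy, caller_role_arn):
        findings.append("target role trust policy does not list " + caller_role_arn)
    return findings

# Constructed sample: account B (222222222222) role assumes account A (111111111111) role
CALLER = "arn:aws:iam::222222222222:role/ProcessingServer"
TARGET = "arn:aws:iam::111111111111:role/BucketReader"
IDENTITY_B = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": TARGET}}
TRUST_A = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": CALLER}, "Action": "sts:AssumeRole"}]}
# Same trust policy, but with account A's own ID pasted into the principal ARN by mistake
TRUST_A_TYPO = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action":
    "sts:AssumeRole", "Principal": {"AWS": CALLER.replace("222222222222", "111111111111")}}]}
```

diagnose() models only the AssumeRole handshake; it does not evaluate policy conditions, SCPs, or the bucket and KMS policies the first answer mentions.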
