It’s not clear how you're assuming the role in account A. However, I am going to presume it’s not for this answer.
Your EC2 in account B will not automatically assume a role in account A, presuming that you are using the IAM role assigned to the server in account B.
What you will need to do is ensure the role in account B assigned to the EC2 has the appropriate access to list bucket/get object etc to the resource of the S3 bucket in account A or for testing purposes allow to all s3 resources. Also if you’re using KMS on your bucket in account A, the role in account B will also need KMS decrypt, encrypt etc.
Then in account A, on the S3 bucket policy, ensure the role from account B is granted appropriate access to the bucket with the correct actions.
Any KMS key in account A used by the bucket will also need to allow the role from account B access.
This is what’s needed if you are using the IAM role assigned to an EC2 in account B. It will not by default assume a role in another account if all you're trying is an aws s3 ls bucket-name.
Hi,
Please, take a look at these references:
- https://repost.aws/knowledge-center/s3-instance-access-bucket
- https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
- https://repost.aws/knowledge-center/cross-account-access-iam
I'd say you should pay attention to the policy in AccountB. In the source account AccountB, you should explicitly grant access to assume the role in the destination account AccountA.
```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::<AccountA>:role/<Role to be assumed in AccountA>"
  }
}
```
Please, let me know if this helped.
Have a great evening.
Thank you both. It seems a lot was correct. I re-did it from scratch, and even after testing and verifying with get-caller-identity, the issue came as I was trying to list without the --profile and the info in the config file!
Thanks to both for the help and direction
Hi,
Assuming this is your scenario,
a. Account B server --> access Account A bucket (Cross account access)
Note: IAM roles should be attached to the instance as instance profiles if it is for EC2 instances
- Create an IAM role A in Account A which has the policy to access S3 bucket in Account A (role to be assumed)
- Create an IAM role B in account B
- Add the assume role permissions for IAM role B to assume to IAM role A
```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::<AccountA>:role/IAM role A"
  }
}
```
- Add a trust relationship/policy for IAM role A to trust IAM role B. Note: You can add more conditions to restrict the trust policy and add multiple trust policies under the Statement key.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<AccountB>:role/IAM role B"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
- IAM setup is done. To access the bucket now using either CLI or SDK, you have to
- Call the assume role API from Account B server to get the temporary credentials for account A
- use the temp creds to do the S3 operations
b. Account A server --> access Account A bucket
There are 2 ways to achieve this in this case:
- bucket policy - can be considered when there is only limited number of buckets to maintain
- IAM policy - can be considered when you require centralized control for the buckets and also re-use the role for Cross account access
Note: The policy to access the bucket would be the same in the case of both the bucket policy and the IAM role policy.
Note: In the case of an IAM role, the only other change would be to add the trust policy for the EC2 instances, as it will be attached to the servers/EC2 instances.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
Reference: https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/
Hope this helps.
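A consistency check for the three pieces this answer (and the assume-role policy in the earlier answer) describes, added here as an example and not code from the thread: it takes role B's permission policy, role A's trust policy and the AWS CLI profile the asker ended up needing, all constructed inline with placeholder account IDs, and flags the kind of account-ID slip a trust policy principal can carry. The role names, account IDs and profile name are assumptions.

```python
import configparser
import re

# Constructed placeholder account IDs and role names (not real accounts).
ROLE_A = "arn:aws:iam::111111111111:role/S3AccessRoleA"  # role to be assumed, in Account A
ROLE_B = "arn:aws:iam::222222222222:role/Ec2RoleB"       # instance role, in Account B
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/.+$")

def _as_list(v):  # IAM accepts a scalar or a list for Statement, Action, Resource and Principal.AWS
    return v if isinstance(v, list) else [v]

def trust_policy(principal_arn):  # trust policy of the shape shown above, trusting one role ARN
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": {"AWS": principal_arn}, "Action": "sts:AssumeRole"}]}

def check_cross_account_roles(role_a_arn, role_b_arn, role_b_policy, role_a_trust, cli_config, profile):
    """Return a list of findings; an empty list means the policies and the CLI profile agree."""
    findings = []
    acct_b = ARN_RE.match(role_b_arn).group(1)
    # 1. Role B's permission policy must allow sts:AssumeRole on role A.
    if not any(s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action", []))
               and role_a_arn in _as_list(s.get("Resource", []))
               for s in _as_list(role_b_policy["Statement"])):
        findings.append("role B policy does not allow sts:AssumeRole on " + role_a_arn)
    # 2. Role A's trust policy must name role B, in Account B, as the principal.
    trusted = False
    for s in _as_list(role_a_trust["Statement"]):
        if s.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(s.get("Action", [])):
            continue
        principal = s.get("Principal", {})
        for p in _as_list(principal.get("AWS", []) if isinstance(principal, dict) else []):
            m = ARN_RE.match(p)
            if p == role_b_arn:
                trusted = True
            elif m and m.group(1) != acct_b:
                findings.append(f"trust principal {p} is in account {m.group(1)}, not Account B ({acct_b})")
    if not trusted:
        findings.append("role A trust policy does not trust " + role_b_arn)
    # 3. The profile passed to --profile must chain the instance credentials into role A.
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.read_string(cli_config)
    prof = cfg[f"profile {profile}"] if cfg.has_section(f"profile {profile}") else {}
    if prof.get("role_arn") != role_a_arn or not (prof.get("credential_source") or prof.get("source_profile")):
        findings.append(f"[profile {profile}] must set role_arn = {role_a_arn} and credential_source or source_profile")
    return findings

ROLE_B_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_A}}
BAD_TRUST = trust_policy("arn:aws:iam::111111111111:role/Ec2RoleB")  # same slip as above: Account A's ID
CLI_CONFIG = "[profile accounta]\nrole_arn = " + ROLE_A + "\ncredential_source = Ec2InstanceMetadata\n"
```

Running `check_cross_account_roles(ROLE_A, ROLE_B, ROLE_B_POLICY, BAD_TRUST, CLI_CONFIG, "accounta")` reports the mis-attributed principal and the missing trust; with `trust_policy(ROLE_B)` it returns no findings.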
Sorry if that 1st part wasn't clear; trying to read the examples over and over blurs the text! Especially when their example is the opposite of Account A and Account B. But to answer your 1st question, "It’s not clear how you're assuming the role in account A":
How I visually saw it was that Account "A" has the S3 bucket and a role that trusted Account B, with all permissions to access that bucket. So as I saw it, Account B has an EC2 that is running. I attach a role that has permissions to assume the role of Account A, which in turn has access to that bucket, so it should just work.
The only thing I didn't see/add is where you commented "Then in account A, on the S3 bucket policy, ensure the role from account B is granted appropriate access to the bucket with the correct actions." I thought if I assumed a role in Account A that has access, it would appear to the bucket that I am really the Account A role user, so why need that policy?