
How does the bucket owner grant cross-account permission to objects it does not own?


Granting cross-account permissions to objects in an Amazon S3 bucket involves allowing another AWS account to access resources (like objects in the bucket) that are owned by your AWS account. Here’s an example of how you can achieve this:

Let’s say you have an S3 bucket named “example-bucket” in Account A, and you want to grant access to objects in this bucket to Account B.

Account A can use an IAM role to temporarily delegate cross-account object access to users in another AWS account, Account B.

1. Create an IAM Role in Account A:

Go to the IAM console in Account A.

Click on “Roles” in the left sidebar.

Click on “Create role”.

Choose the type of trusted entity. In this case, select “Another AWS account”.

Enter the Account ID of Account B.

Attach a policy to the role that allows access to the desired S3 bucket in Account A. For example, you can use the AmazonS3ReadOnlyAccess managed policy if you want to grant read-only access. Note that this managed policy grants read access to every bucket in Account A; a policy scoped to example-bucket alone is the tighter choice.

Complete the role creation process.

2. Create the Bucket in Account A:

Go to the S3 console in Account A.

Click on “Create bucket”.

Enter a unique bucket name and select the region.

Configure bucket properties and permissions.

Under “Manage system permissions”, choose “Grant Amazon S3 Log Delivery group write access to this bucket” if you want to enable logging.

Under “Set permissions”, choose “Grant access to bucket ACLs”.

Click “Create bucket”.

3. Grant Access to the IAM Role:

Go to the bucket’s permissions in the S3 console.

Click on “Bucket Policy”.

In Account A, add a bucket policy that grants Account B the necessary permissions on objects in the S3 bucket. For example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Principal": {
                "AWS": "arn:aws:iam::ACCOUNT_B_ID:root"
            }
        }
    ]
}

Replace ACCOUNT_B_ID with the AWS account ID of Account B.

4. Establish Trust Relationship with Account B:

The IAM role needs to trust Account B to assume this role. This is done by adding a trust policy to the IAM role. For example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::ACCOUNT-B-ID:root"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Replace ACCOUNT-B-ID with the AWS account ID of Account B.

5. Assume the IAM Role from Account B:

Users in Account B can now assume the IAM role created in Account A to access the S3 bucket temporarily. They can do this via AWS CLI or SDKs. Here’s an example assuming the role using AWS CLI:

aws sts assume-role --role-arn arn:aws:iam::ACCOUNT-A-ID:role/RoleName --role-session-name "CrossAccountSession"

Replace ACCOUNT-A-ID with the AWS account ID of Account A and RoleName with the name of the IAM role.

6. Attach Policy to IAM User or Role:

In Account A, attach this IAM policy to an IAM user or role. This user or role will act as the entity granting access to Account B.

7. Verify Access:

Once the users in Account B have assumed the IAM role, they receive temporary security credentials that they can use to access the S3 bucket in Account A. They can then perform S3 operations like put, get, list, etc., depending on the permissions granted to the IAM role.

Using those temporary credentials, you can run the aws s3api get-object command to retrieve an object from the S3 bucket in Account A. For example:

aws s3api get-object --bucket example-bucket --key my-object.txt ./my-object.txt

This command downloads my-object.txt from the S3 bucket example-bucket to the local file system.
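Before pasting the bucket policy from step 3 and the trust policy from step 4 into the console, it is worth checking that they grant no more than the walkthrough intends: only Account B's root principal, only the expected actions, and (for the bucket policy) only resources inside example-bucket. This is an added example, not code from the original post; the account ID is a constructed placeholder.

```python
import json

ACCOUNT_B = "222222222222"  # constructed placeholder, not a real account ID

# The two policies from the walkthrough with the placeholder filled in.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_B}:root"}}]}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_B}:root"}}]}

def _as_list(value):
    """Action, Resource and Principal.AWS may each be a string or a list."""
    return [value] if isinstance(value, str) else list(value)

def _principals(stmt):
    principal = stmt.get("Principal", {})
    return ["*"] if principal == "*" else _as_list(principal.get("AWS", []))

def check_policy(policy, account_b, allowed_actions, resource_prefix=None):
    """Findings for Allow statements broader than the walkthrough intends: a
    principal other than Account B's root ARN, an action outside allowed_actions
    (so 's3:*' is flagged) or, for a bucket policy, a resource outside the bucket.
    Accepts the policy as a dict or as the JSON text pasted into the console."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    expected_principal = f"arn:aws:iam::{account_b}:root"
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        for p in _principals(stmt):
            if p != expected_principal:
                findings.append(f"unexpected principal {p}")
        for action in _as_list(stmt.get("Action", [])):
            if action not in allowed_actions:
                findings.append(f"unexpected action {action}")
        for res in _as_list(stmt.get("Resource", [])) if resource_prefix else []:
            if not res.startswith(resource_prefix):
                findings.append(f"resource outside bucket: {res}")
    return findings

def check_bucket_policy(policy, account_b, bucket):
    return check_policy(policy, account_b, {"s3:GetObject"}, f"arn:aws:s3:::{bucket}")

def check_trust_policy(policy, account_b):
    return check_policy(policy, account_b, {"sts:AssumeRole"})
```

An empty list from either check means the policy is as narrowly scoped as the steps above describe; a `:root` principal still means any identity in Account B that is itself allowed to call sts:AssumeRole can use the role.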

By following these steps, you’ve granted cross-account permissions to objects in an S3 bucket to an AWS account that doesn’t own the bucket.
