I want to grant an AWS Identity and Access Management (IAM) user in another account access to my Amazon Simple Storage Service (Amazon S3) bucket. Also, I want to grant cross-account access so that the user can upload objects to my Amazon S3 bucket.
Resolution
To grant an IAM user from Account A access to upload objects to an S3 bucket in Account B, follow these steps:
-
From Account A, attach a policy to the IAM user. The policy must allow the user to run the s3:PutObject and s3:PutObjectAcl actions on the bucket in Account B:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ]
    }
  ]
}
Note: To specify an object access control list (ACL) on the upload, the user must have the s3:PutObjectAcl permission. Otherwise, the upload of an object with an ACL, such as the bucket-owner-full-control ACL, fails with an Access Denied error.
-
From Account A, get the Amazon Resource Name (ARN) of the IAM user.
-
From Account B, attach a bucket policy that grants the IAM user in Account A permission to run s3:PutObject and s3:PutObjectAcl actions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DelegateS3Access",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::999999999999:user/UploadData"
      },
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ]
    }
  ]
}
Important: For the value of Principal, be sure to enter the ARN of the IAM user in Account A.
The IAM user in Account A can now upload objects to the bucket in Account B.
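As an added example (not part of this article or of any AWS tool), the following Python model shows why both policies above are needed: for a cross-account request, the caller's identity-based policy in Account A and the bucket policy in Account B must each allow the action, and an upload that sets an ACL also needs s3:PutObjectAcl on both sides. It deliberately simplifies real IAM evaluation (no Condition elements, SCPs, permission boundaries or Object Ownership settings) and uses the article's placeholder account ID and bucket name.

```python
import fnmatch

# Constructed, compact copies of the two policies from the steps above.
USER_ARN = "arn:aws:iam::999999999999:user/UploadData"
BUCKET_ARNS = ["arn:aws:s3:::DOC-EXAMPLE-BUCKET", "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"]
IDENTITY_POLICY_A = {"Statement": [{"Effect": "Allow",
    "Action": ["s3:PutObject", "s3:PutObjectAcl"], "Resource": BUCKET_ARNS}]}
BUCKET_POLICY_B = {"Statement": [{"Sid": "DelegateS3Access", "Effect": "Allow",
    "Principal": {"AWS": USER_ARN},
    "Action": ["s3:PutObject", "s3:PutObjectAcl"], "Resource": BUCKET_ARNS}]}


def _aslist(value):
    return value if isinstance(value, list) else [value]


def _statement_applies(stmt, action, resource, principal_arn=None):
    """True if the statement covers this action and resource (and, for a
    bucket policy, names the calling principal). '*' wildcards are honoured."""
    if principal_arn is not None:
        principal = stmt.get("Principal", {})
        allowed = ["*"] if principal == "*" else _aslist(principal.get("AWS", []))
        if not any(fnmatch.fnmatchcase(principal_arn, p) for p in allowed):
            return False
    actions = _aslist(stmt.get("Action", []))
    resources = _aslist(stmt.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action, a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))


def _effects(policy, action, resource, principal_arn=None):
    return {s["Effect"] for s in policy["Statement"]
            if _statement_applies(s, action, resource, principal_arn)}


def evaluate(identity_policy, bucket_policy, principal_arn, action, resource):
    """Simplified cross-account decision: an explicit Deny anywhere wins;
    otherwise Account A's identity policy AND Account B's bucket policy must Allow."""
    ident = _effects(identity_policy, action, resource)
    bucket = _effects(bucket_policy, action, resource, principal_arn)
    if "Deny" in ident or "Deny" in bucket:
        return "Deny"
    return "Allow" if "Allow" in ident and "Allow" in bucket else "Deny"


def check_upload(identity_policy, bucket_policy, principal_arn, key, with_acl=True):
    """An upload with an ACL (e.g. bucket-owner-full-control) needs PutObject and PutObjectAcl."""
    obj_arn = f"arn:aws:s3:::DOC-EXAMPLE-BUCKET/{key}"
    needed = ["s3:PutObject"] + (["s3:PutObjectAcl"] if with_acl else [])
    return all(evaluate(identity_policy, bucket_policy, principal_arn, a, obj_arn) == "Allow"
               for a in needed)
```

Drop s3:PutObjectAcl from either policy and check_upload returns False for an upload that sets an ACL, which is the Access Denied case the note above describes.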
Related information
Example 2: Bucket owner granting cross-account bucket permissions