Accessing cross account s3 with code

Question

we have a java application running on ec2 and frontend hosted on s3 and we need to access the s3 bucket in another account and i am able to access the bucket from AWS cli of that instance where the java app is running as we have configured the cross region access by the below command we can able to access the s3bucket123 which is in another account 
aws s3 ls s3bucket123
But when we are trying to access it from the code we are getting the 401 error and the 
resoponse message as " unauthorized (service: null: status code 401;, Error Code Null: Request ID : null, 
Stack Trace: com.amazonaws.internal.EC2CredentialsUtils.handleErrorResponse(EC2credentialsutils.java:156)'

Answer

Hi,

that the S3 bucket in the other AWS account has a bucket policy allowing access from the destination bucket in the AWS account. The bucket policy should specify the appropriate permissions and conditions for cross-account access.

you can use the below policy.

```
{
    "Version": "2008-10-17",
    "Id": "S3-Console-Replication-Policy",
    "Statement": [
        {
            "Sid": "S3ReplicationPolicy",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::SourceBucketAWSAccountID:root"
            },
            "Action": [
                "s3:GetBucketVersioning",
                "s3:PutBucketVersioning",
                "s3:ReplicateObject",
                "s3:ReplicateDelete"
            ],
            "Resource": [
                "arn:aws:s3:::DestinationBucketName",
                "arn:aws:s3:::DestinationBucketName/*"
            ]
        }
    ]
}
```

Answer

Hlo,

1.**AWS SDK Configuration:** Ensure that your Java application is correctly configured with the AWS SDK and the appropriate credentials to access the S3 bucket. You need to provide valid AWS access credentials (access key ID and secret access key) with the necessary permissions to access the S3 bucket in the other AWS account.

2.**Cross-Account Access Permissions:** Make sure that the IAM role or IAM user associated with the EC2 instance has the necessary permissions to access the S3 bucket in the other AWS account. You should have a cross-account IAM role with a trust relationship allowing the EC2 instance's AWS account to assume the role in the other AWS account.

3****.IAM Policies:**** Check the IAM policies attached to the IAM role or IAM user used by your Java application. Ensure that the policies include the necessary permissions (e.g., s3:GetObject, s3:ListBucket) for accessing the S3 bucket in the other account.

**4**.Bucket Policy:** **Additionally, ensure that the S3 bucket in the other AWS account has a bucket policy allowing access from the IAM role or IAM user in the EC2 instance's AWS account. The bucket policy should specify the appropriate permissions and conditions for cross-account access.

5.**Credentials Provider Chain:** Verify that the AWS SDK client used in your Java application is configured with the correct credentials provider chain. The credentials provider chain should include the EC2 instance metadata service (for EC2 instance roles) or explicit credentials if you're using IAM user credentials.

6.**Network Configuration**: Ensure that the EC2 instance has network connectivity to reach the S3 service endpoint in the other AWS account. Check security groups, network ACLs, and VPC route tables to ensure that outbound traffic to S3 is allowed.

Answer

Moving the EC2 instance from a public subnet to a private subnet could impact its ability to access resources outside of the VPC, including S3 buckets in another AWS account. Here are a few considerations and steps you can take to troubleshoot and resolve the issue:

**Network Configuration:**
Check the routing configuration in the private subnet's route table. Ensure that there is a route to the internet gateway or NAT gateway for outbound traffic.

Verify that the network access control lists (NACLs) associated with the private subnet allow outbound traffic to the S3 service endpoint (s3.amazonaws.com) on port 443.

Ensure that the security group associated with the EC2 instance allows outbound traffic to the S3 service endpoint (port 443) and inbound traffic from the S3 service endpoint (if necessary).

**AWS SDK Configuration:**
Double-check the AWS SDK configuration in your Java application running on the EC2 instance. Ensure that the correct AWS region and credentials provider are configured.

If your application is using the default credentials provider chain, ensure that the EC2 instance has an IAM role attached with permissions to access the S3 bucket in the other AWS account.

**IAM Role Permissions:**

Review the IAM role attached to the EC2 instance and verify that it has the necessary permissions to assume the cross-account IAM role in the other AWS account.
Check the trust relationship policy of the cross-account IAM role in the other AWS account to ensure that it allows the EC2 instance's IAM role to assume the role.

**Bucket Policy:**
Confirm that the bucket policy on the S3 bucket in the other AWS account allows access from the IAM role or IAM user associated with the EC2 instance's IAM role.

Check for any conditions or restrictions in the bucket policy that may be preventing access.
AWS CLI vs. Code:

Compare the AWS CLI command (aws s3 ls ) that successfully accesses the S3 bucket with the code in your Java application. Ensure that they are using the same AWS credentials and configuration.

Answer

Hello.

Are you trying to access S3 by issuing temporary credentials as described in the documentation below?  
I haven't seen your code, so I don't know the details, but I think you can access S3 in another account by using temporary credentials as described in the document below.  
https://docs.aws.amazon.com/AmazonS3/latest/userguide/AuthUsingTempSessionToken.html

Accessing cross account s3 with code

Relevant content