Allow one instance in another account write access to s3 bucket but all other instances just ReadOnly.

0

In account A I have the s3 bucket. In account B I have an instance I want to allow write access to the s3 bucket. All other instances in the 2 accounts should only have ReadOnly access.

I have the following for my bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::846356111111:root",
                    "arn:aws:iam::233450222222:root",
                ]
            },
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::prod-us-ansible",
                "arn:aws:s3:::prod-us-ansible/*"
            ]
        }
    ]
}

In account A I have the following policy:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "VisualEditor0",
			"Effect": "Allow",
			"Action": "s3:*",
			"Resource": [
				"arn:aws:s3:::prod-us-ansible",
				"arn:aws:s3:::prod-us-ansible/*"
			]
		}
	]
}

Then in account B I have the following policy added to the role attached to the instance I want to allow write access to.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [
                "arn:aws:iam::233450222222:role/EC2-S3-AnsibleAllowWrite"
            ]
        }
    ]
}

When I test this out on the instance I get the following when doing aws s3 sync: fatal error: An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied

I know I am missing something but what is it am I missing.

2 Answers
0
Accepted Answer

What I ended up doing that worked was in this doc: https://repost.aws/knowledge-center/cross-account-access-s3 I followed the first section of IAM policies and resource-based bucket policies.

  1. Create an S3 bucket in Account A.
  2. Create an IAM role or user in Account B.

This worked. Now I just need to test how open it is and limit it.

answered a year ago
profile pictureAWS
EXPERT
reviewed a year ago
0

Hello.

Once you have done that, why don't you try deleting Account A, the principal of the bucket policy?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::233450222222:root"
                ]
            },
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::prod-us-ansible",
                "arn:aws:s3:::prod-us-ansible/*"
            ]
        }
    ]
}

Am I correct in assuming that the IAM role "EC2-S3-AnsibleAllowWrite" is configured to be used from account B?

In addition, the following document seems to indicate that the bucket policy can be accessed successfully without setting up a bucket policy, as long as the cross-account role is set up.
https://repost.aws/knowledge-center/s3-instance-access-bucket

profile picture
EXPERT
answered a year ago
  • If I change the bucket policy principal to "*" I get an error that the level of access the policy grants conflicts with the Block Public Access settings on the bucket.

    Yes the role IAM role "EC2-S3-AnsibleAllowWrite" is to be used by the instance in Account B.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions