2 Answers
What I ended up doing that worked is in this doc: https://repost.aws/knowledge-center/cross-account-access-s3 I followed the first section, on IAM policies and resource-based bucket policies.
- Create an S3 bucket in Account A.
- Create an IAM role or user in Account B.
This worked. Now I just need to test how open it is and limit it.
answered a year ago
Hello.
Once you have done that, why don't you try deleting Account A, the principal of the bucket policy?
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::233450222222:root"
        ]
      },
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": [
        "arn:aws:s3:::prod-us-ansible",
        "arn:aws:s3:::prod-us-ansible/*"
      ]
    }
  ]
}
```
Am I correct in assuming that the IAM role "EC2-S3-AnsibleAllowWrite" is configured to be used from account B?
In addition, the following document seems to indicate that the bucket policy can be accessed successfully without setting up a bucket policy, as long as the cross-account role is set up.
https://repost.aws/knowledge-center/s3-instance-access-bucket
If I change the bucket policy principal to "*" I get an error that the level of access the policy grants conflicts with the Block Public Access settings on the bucket.
Yes, the IAM role "EC2-S3-AnsibleAllowWrite" is to be used by the instance in Account B.
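As an added example (not code from either answer or from AWS), here is a small Python review of the bucket policy quoted in the answer above. It reports which accounts the policy trusts and flags the two points raised in this thread: a `*` principal, which Block Public Access rejects, and an account-root principal, which delegates to every IAM identity in that account and still relies on IAM permissions on the Account B side. The policy document is the one from the answer; the checks themselves are assumptions of this example, not an AWS tool.

```python
import json
import re

# Bucket policy quoted in the answer above (account ID and bucket name as given there).
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowRead",
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::233450222222:root"]},
    "Action": ["s3:Get*", "s3:List*"],
    "Resource": ["arn:aws:s3:::prod-us-ansible", "arn:aws:s3:::prod-us-ansible/*"]
  }]
}""")

# Principal ARNs we recognise: account root, an IAM role, or an IAM user.
ACCOUNT_RE = re.compile(r"^arn:aws:iam::(\d{12}):(root|role/.+|user/.+)$")


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def review_bucket_policy(policy):
    """Return (sorted trusted account IDs, list of findings) for the Allow statements."""
    trusted, findings = set(), []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in principals:
            m = ACCOUNT_RE.match(p)
            if p == "*":
                findings.append(f"{sid}: Principal '*' makes the grant public; Block Public Access rejects it")
            elif not m:
                findings.append(f"{sid}: unrecognised principal {p!r}")
            else:
                trusted.add(m.group(1))
                if m.group(2) == "root":
                    findings.append(f"{sid}: account-root principal {m.group(1)} delegates to every IAM "
                                    "identity in that account; pin it to the role ARN once known")
        actions = _as_list(stmt.get("Action", []))
        if any(a in ("*", "s3:*") or a.startswith(("s3:Put", "s3:Delete")) for a in actions):
            findings.append(f"{sid}: grants write/delete actions {actions}")
        resources = _as_list(stmt.get("Resource", []))
        if any(a.startswith("s3:Get") for a in actions) and all(not r.endswith("/*") for r in resources):
            findings.append(f"{sid}: s3:Get* without an object resource (bucket/*) cannot read objects")
        if any(a.startswith("s3:List") for a in actions) and all(r.endswith("/*") for r in resources):
            findings.append(f"{sid}: s3:List* needs the bucket ARN itself, not only bucket/*")
    return sorted(trusted), findings
```

Running `review_bucket_policy(SAMPLE_POLICY)` on the quoted policy reports only the account-root note; swapping the principal for `"*"` reproduces the Block Public Access conflict mentioned in the comments.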