Setup AWS S3 Cross Account Access

In this tutorial I will demonstrate how to set up cross-account access to S3, so that IAM users in one AWS account can read and write a bucket that lives in another account.

Scenario

We will have 2 AWS Accounts:

  1. a Green AWS Account which will host the IAM Users. This account will only be used for our IAM identities and holds no resources.

  2. a Blue AWS Account which will be the account that hosts our AWS Resources, S3 in this scenario.

We will then allow the Green Account to access the Blue Account's S3 Bucket.

Setup the Blue Account

In the Blue Account, we will set up the S3 Bucket, as well as the IAM Role whose Trust Relationship names the Green Account as a trusted entity and whose attached Policy defines what the Green Account is allowed to do.

First we create the IAM Policy that defines the allowed S3 actions, then the IAM Role that the Green Account will be allowed to assume.

Go ahead to your IAM Console and create an IAM Policy (just remember to replace the bucket name if you are following along):

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PutGetListAccessOnS3",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::ruanbekker-prod-s3-bucket",
                "arn:aws:s3:::ruanbekker-prod-s3-bucket/*"
            ]
        }
    ]
}
```

In my case I have named my IAM Policy CrossAccountS3Access. After you have created your IAM Policy, go ahead and create an IAM Role. Here we need to specify the source account that we want to allow as a trusted entity, which will be the AWS Account ID of the Green Account:

Associate the IAM Policy that you created earlier:

After you have done that, you should see a summary screen:

Make note of your IAM Role ARN, it will look something like this: arn:aws:iam::xxxxxxxxxxxx:role/CrossAccountS3Access-Role

Setup the Green Account

In the Green Account we will create the IAM User, and its credentials will be handed to the person who needs to access the S3 Bucket.

Let's create an IAM Group, I will name mine prod-s3-users. I will just create the group for now, as I will attach the policy later:

From the IAM Group, select the Permissions tab and create a New Inline Policy:

Select the "STS" service, select the "AssumeRole" action, and provide the Role ARN of the Blue Account that we created earlier:

![](https://user-images.githubusercontent.com/567298/69669597-d8692980-109a-11ea-804c-914c9a8cb608.png)

This will allow users in the Green account to assume the role in the Blue account. The assumed role only obtains the permissions that we defined in the policy document of the Blue Account, and the group policy only grants sts:AssumeRole on that one Role ARN. In summary, it should look like this:

![](https://user-images.githubusercontent.com/567298/69669773-30079500-109b-11ea-83bd-69c8301c4f21.png)

Select the Users tab on the left hand side, create a New IAM User (I will name mine s3-prod-user) and select the "Programmatic Access" check box, since we will be using the CLI to access S3 and therefore need API keys:

![](https://user-images.githubusercontent.com/567298/69669927-82e14c80-109b-11ea-9adf-de5c01cec41c.png)

Then from the next window, add the user to the group that we have created earlier:

![](https://user-images.githubusercontent.com/567298/69669976-9987a380-109b-11ea-9c16-ea63cebe2e82.png)
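The two documents the console screenshots hide are the Role's trust relationship in the Blue Account and the group's inline sts:AssumeRole policy in the Green Account. The script below is an added example (not part of the original post) that generates both and checks the pair for the two mistakes that quietly widen access: a wildcard Principal in the trust policy, and a wildcard Resource in the group policy. The account IDs are constructed placeholders.

```python
import json
import re

# Constructed placeholders: substitute your own Green account ID and the
# Role ARN noted in the Blue account's summary screen.
GREEN_ACCOUNT_ID = "111111111111"
BLUE_ROLE_ARN = "arn:aws:iam::222222222222:role/CrossAccountS3Access-Role"

ROOT_PRINCIPAL_RE = re.compile(r"^arn:aws:iam::(\d{12}):root$")
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")


def trust_policy(green_account_id: str) -> dict:
    """Trust relationship for the Blue account's role: only principals
    in the Green account may call sts:AssumeRole on it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{green_account_id}:root"},
        "Action": "sts:AssumeRole"}]}


def assume_role_policy(role_arn: str) -> dict:
    """Inline policy for the Green account's group: sts:AssumeRole on
    exactly one role, never on '*'."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}]}


def check_pair(trust: dict, group: dict) -> list:
    """Return a list of findings; an empty list means the documents line up."""
    findings = []
    principal = trust["Statement"][0]["Principal"]
    if isinstance(principal, dict):  # "*" may also appear as a bare string
        principal = principal.get("AWS", "")
    trusted = ROOT_PRINCIPAL_RE.match(principal)
    if not trusted:
        findings.append("trust policy must name one account root, not '*'")
    resource = group["Statement"][0]["Resource"]
    role = ROLE_ARN_RE.match(resource if isinstance(resource, str) else "")
    if not role:
        findings.append("group policy must name one role ARN, not '*'")
    if trusted and role and trusted.group(1) == role.group(1):
        findings.append("trusted account is the role's own account")
    return findings


if __name__ == "__main__":
    print(json.dumps(trust_policy(GREEN_ACCOUNT_ID), indent=4))
    print(json.dumps(assume_role_policy(BLUE_ROLE_ARN), indent=4))
    print(check_pair(trust_policy(GREEN_ACCOUNT_ID), assume_role_policy(BLUE_ROLE_ARN)))
```

Paste the first document into the Role's trust relationship and the second into the group's inline policy; an empty findings list confirms the Green account is trusted, and that nothing broader than one role in the Blue account can be assumed.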

Test Cross Account Access

Let's configure our AWS CLI with the API Keys that we received. Our credential provider will consist of 2 profiles. First the Green profile, which holds the API Keys of the Green Account:

```
$ aws configure --profile green
AWS Access Key ID [None]: AKIATPRT2G4SAHA7ZQU2
AWS Secret Access Key [None]: x
Default region name [None]: eu-west-1
Default output format [None]: json
```

And configure the Blue profile that will reference the Green account as a source profile and also specify the IAM Role ARN of the Blue Account:

~/.aws/credentials

```ini
[blue]
role_arn=arn:aws:iam::xxxxxxxxxxxx:role/CrossAccountS3Access-Role
source_profile=green
region=eu-west-1
```

Now we can test if we can authenticate with our Green AWS Account:

```
$ aws --profile green sts get-caller-identity
{
    "UserId": "AKIATPRT2G4SAHA7ZQU2",
    "Account": "xxxxxxxxxxxx",
    "Arn": "arn:aws:iam::xxxxxxxxxxxx:user/s3-prod-user"
}
```

Now let's upload an object to S3 using our blue profile:

```
$ aws --profile blue s3 cp foo s3://ruanbekker-prod-s3-bucket/
upload: ./foo to s3://ruanbekker-prod-s3-bucket/foo
```

Let's verify if we can see the object:

```
$ aws --profile blue s3 ls s3://ruanbekker-prod-s3-bucket/
2019-10-03 22:13:30      14582 foo
```

Thank You

Thanks for reading, if you like my content, feel free to check out my website, and subscribe to my newsletter or follow me at @ruanbekker on Twitter.
