In this tutorial I will demonstrate how to setup cross account access from S3.
We will have 2 AWS Accounts:
a Green AWS Account which will host the IAM Users, this account will only be used for our IAM Accounts.
a Blue AWS Account which will be the account that hosts our AWS Resources, S3 in this scenario.
We will the allow the Green Account to access the Blue Account’s S3 Bucket.
Setup the Blue Account
In the Blue Account, we will setup the S3 Bucket, as well as the Trust Relationship with the Policy, which is where we will define what we want to allow for the Green Account.
Now we need to setup the IAM Role which will allow the Green Account and also define what needs to be allowed.
Go ahead to your IAM Console and create a IAM Policy (just remember to replace the bucket name if you are following along)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
In my case I have named my IAM Policy
CrossAccountS3Access. After you have created your IAM Policy, go ahead and create a IAM Role. Here we need the source account that we want to allow as a trusted entity, which will be the AWS AccountId of the Green Account:
Associate the IAM Policy that you created earlier:
After you have done that, you should see a summary screen:
Make note of your IAM Role ARN, it will look something like this:
Setup the Green Account
In the Green Account is where we will create the IAM User and the credentials will be provided to the user which requires to access the S3 Bucket.
Let’s create a IAM Group, I will name mine
prod-s3-users. I will just create the group, as I will attach the policy later:
From the IAM Group, select the Permissions tab and create a New Inline Policy:
Select the “STS” service, select the “AssumeRole” action, and provide the Role ARN of the Blue Account that we created earlier:
This will allow the Blue account to assume the credentials from the Green account. And the Blue account will only obtain permissions to access the resources that we have defined in the policy document of the Blue Account. In summary, it should look like this:
Select the Users tab on the left hand side, create a New IAM User (I will name mine s3-prod-user) and select the “Programmatic Access” check box as we need API keys as we will be using the CLI to access S3:
Then from the next window, add the user to the group that we have created earlier:
Test Cross Account Access
Let’s configure our AWS CLI with the API Keys that we received. Our credential provider will consist with 2 profiles, the Green Profile which holds the API Keys of the Green Account:
1 2 3 4 5
And configure the Blue profile that will reference the Green account as a source profile and also specify the IAM Role ARN of the Blue Account:
1 2 3 4
Now we can test if we can authenticate with our Green AWS Account:
1 2 3 4 5 6
Now let’s upload an object to S3 using our blue profile:
Let’s verify if we can see the object:
I’ve recently started a Developer Range t-shirts, let me know what you think: