Ruan Bekker's Blog

From a Curious mind to Posts on Github

Setup AWS S3 Cross Account Access

Say Thanks! Slack Status Chat on Slack GitHub followers

In this tutorial I will demonstrate how to setup cross account access from S3.

ruanbekker-cheatsheets

Scenario

We will have 2 AWS Accounts:

  1. a Green AWS Account which will host the IAM Users, this account will only be used for our IAM Accounts.

  2. a Blue AWS Account which will be the account that hosts our AWS Resources, S3 in this scenario.

We will the allow the Green Account to access the Blue Account’s S3 Bucket.

Setup the Blue Account

In the Blue Account, we will setup the S3 Bucket, as well as the Trust Relationship with the Policy, which is where we will define what we want to allow for the Green Account.

9488F107-A5B0-4A9E-A7A4-5A91B9805DE3

Now we need to setup the IAM Role which will allow the Green Account and also define what needs to be allowed.

Go ahead to your IAM Console and create a IAM Policy (just remember to replace the bucket name if you are following along)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PutGetListAccessOnS3",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::ruanbekker-prod-s3-bucket",
                "arn:aws:s3:::ruanbekker-prod-s3-bucket/*"
            ]
        }
    ]
}

In my case I have named my IAM Policy CrossAccountS3Access. After you have created your IAM Policy, go ahead and create a IAM Role. Here we need the source account that we want to allow as a trusted entity, which will be the AWS AccountId of the Green Account:

E73FC957-EBFA-4E41-AFDB-D994D6D3110E

Associate the IAM Policy that you created earlier:

610814A8-E8CB-45F7-A038-FE4274FD425C

After you have done that, you should see a summary screen:

ABAADD0E-9140-4EB1-855A-0B0E46F429FF

Make note of your IAM Role ARN, it will look something like this: arn:aws:iam::xxxxxxxxxxxx:role/CrossAccountS3Access-Role

Setup the Green Account

In the Green Account is where we will create the IAM User and the credentials will be provided to the user which requires to access the S3 Bucket.

Let’s create a IAM Group, I will name mine prod-s3-users. I will just create the group, as I will attach the policy later:

459D98BF-7A5D-49B4-BBD9-11717655188D

From the IAM Group, select the Permissions tab and create a New Inline Policy:

E55E521D-A3C1-4669-B0AB-C23A5BA51E21

Select the “STS” service, select the “AssumeRole” action, and provide the Role ARN of the Blue Account that we created earlier:

FDECEF7C-14F1-41DC-94F5-B6E63FE46A7D

This will allow the Blue account to assume the credentials from the Green account. And the Blue account will only obtain permissions to access the resources that we have defined in the policy document of the Blue Account. In summary, it should look like this:

0133A1AF-D2B0-4A61-B179-B4B40B81953C

Select the Users tab on the left hand side, create a New IAM User (I will name mine s3-prod-user) and select the “Programmatic Access” check box as we need API keys as we will be using the CLI to access S3:

ACE1F066-4400-4000-A9D8-0FD438DB7028

Then from the next window, add the user to the group that we have created earlier:

0AEC8E84-091F-44CB-966D-BDA93970C881

Test Cross Account Access

Let’s configure our AWS CLI with the API Keys that we received. Our credential provider will consist with 2 profiles, the Green Profile which holds the API Keys of the Green Account:

1
2
3
4
5

$ aws configure --profile green
AWS Access Key ID [None]: AKIATPRT2G4SAHA7ZQU2
AWS Secret Access Key [None]: x
Default region name [None]: eu-west-1
Default output format [None]: json

And configure the Blue profile that will reference the Green account as a source profile and also specify the IAM Role ARN of the Blue Account:

1

$ vim ~/.aws/credentials
1
2
3
4

[blue]
role_arn=arn:aws:iam::xxxxxxxxxxxx:role/CrossAccountS3Access-Role
source_profile=green
region=eu-west-1

Now we can test if we can authenticate with our Green AWS Account:

1
2
3
4
5
6

$ aws --profile green sts get-caller-identity
{
    "UserId": "AKIATPRT2G4SAHA7ZQU2",
    "Account": "xxxxxxxxxxxx",
    "Arn": "arn:aws:iam:: xxxxxxxxxxxx:user/s3-prod-user"
}

Now let’s upload an object to S3 using our blue profile:

1
2

$ aws --profile blue s3 cp foo s3://ruanbekker-prod-s3-bucket/
upload: ./foo to s3://ruanbekker-prod-s3-bucket/foo

Let’s verify if we can see the object:

1
2

$ aws --profile blue s3 ls s3://ruanbekker-prod-s3-bucket/
2019-10-03 22:13:30      14582 foo

Thank You

Let me know what you think. If you liked my content, feel free to checkout my content on ruan.dev or follow me on twitter at @ruanbekker