Cross Account EC2 Role Access to Read S3 Bucket
For our use case, it required amending the bucket policy to trust the account principal rather than a specific role within it, and then controlling who was allowed that access in the usual IAM role manner.
For reference, see http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_policy-examples.html#example-delegate-xaccount-S3 and the sample bucket policy below.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow Development Read-only Access",
      "Effect": "Allow",
      "Principal": {
        "AWS": "012345678910"
      },
      "Action": [
        "s3:List*",
        "s3:Get*"
      ],
      "Resource": [
        "arn:aws:s3:::sample-bucket",
        "arn:aws:s3:::sample-bucket/*"
      ]
    }
  ]
}
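The bucket policy above is only half of the setup: a bucket policy that trusts "AWS": "012345678910" (shorthand for that account's root, meaning any principal in the account that its own policies allow) grants nothing by itself, because cross-account S3 access needs an Allow on both sides. The other half is a role in the trusted account that EC2 can assume through an instance profile and whose identity policy allows the same read-only actions on the same bucket. The script below is an added example, not code from the original answer; it assumes a role and instance-profile name of sample-bucket-reader and an inline policy name of read-sample-bucket, while the bucket name and the account ID come from the sample policy. The verify step is the practical check: run from an instance launched with that profile, the caller ARN should be the role session and the listing should succeed with no assume-role step. One caveat the policies do not cover: if the objects are encrypted with SSE-KMS under a customer-managed key, the key policy in the bucket-owning account must also allow the trusted account (kms:Decrypt at minimum), or GetObject fails with AccessDenied even though both S3 policies allow it.

```shell
#!/bin/sh
# Added example (not from the original answer). Assumed names: role and
# instance profile "sample-bucket-reader", inline policy "read-sample-bucket".
# Bucket "sample-bucket" and account 012345678910 come from the sample policy.
set -eu

BUCKET="${BUCKET:-sample-bucket}"
ROLE_NAME="${ROLE_NAME:-sample-bucket-reader}"
POLICY_NAME="${POLICY_NAME:-read-sample-bucket}"

# Trust policy for the role: only the EC2 service may assume it, so the role is
# usable solely through an instance profile, not by IAM users or other roles.
ec2_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Identity policy for the role in account 012345678910. The bucket policy in the
# owning account allows the account as a whole; this policy decides which
# principal inside it actually gets the access. Scope it to the one bucket.
reader_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadSampleBucket",
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": [
        "arn:aws:s3:::${BUCKET}",
        "arn:aws:s3:::${BUCKET}/*"
      ]
    }
  ]
}
EOF
}

# Run with credentials for account 012345678910 (the trusted account).
create_reader_role() {
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(ec2_trust_policy)"
  aws iam put-role-policy --role-name "$ROLE_NAME" \
    --policy-name "$POLICY_NAME" --policy-document "$(reader_policy)"
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME"
  aws iam add-role-to-instance-profile \
    --instance-profile-name "$ROLE_NAME" --role-name "$ROLE_NAME"
}

# Run on an instance launched with that instance profile and no static keys
# configured: the CLI picks up the role credentials from instance metadata,
# the caller is the role session (arn:aws:sts::012345678910:assumed-role/
# <role>/<instance-id>), and the listing succeeds without any assume-role step.
verify_from_instance() {
  aws sts get-caller-identity --query Arn --output text
  aws s3api list-objects-v2 --bucket "$BUCKET" --max-keys 5
}

case "${1:-}" in
  create) create_reader_role ;;
  verify) verify_from_instance ;;
  *) echo "usage: $0 create|verify" >&2 ;;
esac
```

Run `create` once from an administrator session in the trusted account, then `verify` on an instance that was launched with the profile. If `verify` returns AccessDenied while both policies look right, check the bucket's default encryption: an SSE-KMS key whose key policy does not name the trusted account blocks GetObject regardless of the S3 policies.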
stu432, updated on September 18, 2022
Comments
-
stu432, over 1 year ago
I've been trying to get cross account EC2 role authorisation working for a while now but seem to be hitting a bit of a dead end. We currently have cross account user authentication, which is working well; however, expanding that to cross account EC2 role access doesn't seem possible as far as I can tell?
I came across the following Cross Account Article, which basically undertook the same steps I had, with similar results. Has a workaround for this come to fruition yet, or is it still required to use the Use-STSRole PowerShell / aws assume-role trick?
-
szeitlin, over 5 years ago
I'm having this same problem, but I think the problem is related to the KMS key permissions.