Use Case: Reading files from an S3 bucket in Account B from an EC2 instance in Account A
Pre-requisites:
- Have the account IDs and IAM access for both AWS accounts in hand before starting this PoC
Activities in Account A
- Create a Windows EC2 instance
- Create an IAM instance profile role RoleReadCrossAccntS3Bucket that is allowed to assume the Account B role (policy in step 2)
- Attach the instance profile to the EC2 instance
- Install and configure the AWS CLI on the instance; it is used to assume the Account B role and read the bucket
Activities in Account B
- Create an S3 bucket with a name of your choice; this PoC uses "srini-crossaccount-b"
- Create an IAM role RoleReadS3Bucket with read access to "srini-crossaccount-b", trusted by the Account A instance role (policy in step 3)
Steps to perform in Account A and Account B
1.Create an S3 bucket in AWS Account B - "srini-crossaccount-b"
2.AWS Account A - Create an IAM instance profile role RoleReadCrossAccntS3Bucket and attach the policy and trust relationship below
Policy Name: CrossAccountS3ReadAccess
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AssumeAccountBReadRole",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::AWS_Account_B_Id:role/RoleReadS3Bucket"
    }
  ]
}
This is the only permission the Account A role needs. An s3:GetObject statement on srini-crossaccount-b in this policy grants nothing: the bucket is owned by Account B, and an identity policy in Account A cannot authorise access to it unless a bucket policy in Account B allows it as well. Every S3 call in this PoC is made with the temporary credentials of the assumed Account B role, so the read permissions live in that role's policy (step 3).
IAM Role - Trust Relationship
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Only the EC2 service principal needs to be trusted, so that the instance can obtain this role's credentials through its instance profile. A second statement trusting a principal in Account B is not needed: the role assumption in this PoC goes from Account A to Account B, never the other way round.
3.AWS Account B - Create an IAM role RoleReadS3Bucket and attach the policy and trust relationship below
Policy Name: S3ReadAccess
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::srini-crossaccount-b"
    },
    {
      "Sid": "ReadObjects",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::srini-crossaccount-b/*"
    },
    {
      "Sid": "DecryptObjects",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:eu-west-1:AWS_Account_B_Id:key/Kmskey_attachedtoS3Bucket"
    }
  ]
}
Note the resource ARNs: s3:ListBucket applies to the bucket ARN and s3:GetObject to the object ARN (bucket/*). An ARN with the prefix written twice (arn:aws:s3:::arn:aws:s3:::...) never matches anything, so a policy written that way silently grants no S3 access. sts:AssumeRole does not belong in this policy; the permission to assume the role is granted in Account A and checked against the trust policy below. The kms:Decrypt statement is only needed when the bucket uses SSE-KMS with a customer managed key; for SSE-S3 drop that statement.
IAM Role - Trust Relationship
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAccountAInstanceRole",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::AWS_Account_A_Id:role/RoleReadCrossAccntS3Bucket"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
The trust policy must name the Account A instance role (or, less tightly, arn:aws:iam::AWS_Account_A_Id:root) as the principal. A service principal such as s3.amazonaws.com does not let any caller in Account A assume the role, and the aws sts assume-role call in step 5 fails with AccessDenied.
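The two roles are easy to get subtly wrong (a doubled ARN prefix, or a service principal where an account principal is needed), and the resulting AccessDenied tells you little. The following is an added example, not code from the original post: an offline check of the role chain that embeds the step 2 and step 3 policies plus two deliberately broken variants of the Account B role. The account IDs are placeholders, and actions and resources are compared literally (no wildcard expansion).

```python
"""Offline sanity check of the cross-account role chain (Account A role -> Account B role).

Added example, not code from the original post. Account IDs are placeholders and the
check compares actions/resources literally (no wildcard expansion)."""
import re

ACCOUNT_A = "111111111111"  # placeholder Account A ID
ACCOUNT_B = "222222222222"  # placeholder Account B ID
BUCKET = "srini-crossaccount-b"
ROLE_A_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/RoleReadCrossAccntS3Bucket"
ROLE_B_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/RoleReadS3Bucket"
# bucket ARN, optionally followed by /key-pattern; a doubled "arn:aws:s3:::" prefix fails this
S3_ARN = re.compile(r"^arn:aws:s3:::[a-z0-9][a-z0-9.-]{1,61}[a-z0-9](/.*)?$")


def _as_list(v):
    return [] if v is None else (v if isinstance(v, list) else [v])


def _allows(policy, action, resource):
    """True if an Allow statement names both `action` and `resource` literally."""
    return any(s.get("Effect") == "Allow"
               and action in _as_list(s.get("Action"))
               and resource in _as_list(s.get("Resource"))
               for s in _as_list(policy["Statement"]))


def check_s3_resource_arns(policy):
    return [f"malformed S3 ARN: {r}" for s in _as_list(policy["Statement"])
            for r in _as_list(s.get("Resource"))
            if r.startswith("arn:aws:s3:::") and not S3_ARN.match(r)]


def check_role_a_policy(policy):
    findings = check_s3_resource_arns(policy)
    if not _allows(policy, "sts:AssumeRole", ROLE_B_ARN):
        findings.append("Account A role lacks sts:AssumeRole on " + ROLE_B_ARN)
    return findings


def check_role_b_trust(trust):
    """Account B's role must trust the Account A role (or account) as an AWS principal;
    a Service principal such as s3.amazonaws.com lets nobody in Account A assume it."""
    for s in _as_list(trust["Statement"]):
        p = s.get("Principal")
        principals = _as_list(p.get("AWS")) if isinstance(p, dict) else []
        if (s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action"))
                and (ROLE_A_ARN in principals or f"arn:aws:iam::{ACCOUNT_A}:root" in principals)):
            return []
    return [f"Account B trust policy does not let {ROLE_A_ARN} assume the role"]


def check_role_b_policy(policy):
    findings = check_s3_resource_arns(policy)
    if not _allows(policy, "s3:ListBucket", f"arn:aws:s3:::{BUCKET}"):
        findings.append("missing s3:ListBucket on the bucket ARN")
    if not _allows(policy, "s3:GetObject", f"arn:aws:s3:::{BUCKET}/*"):
        findings.append("missing s3:GetObject on the object ARN (bucket/*)")
    return findings


def audit(role_a_policy, role_b_trust, role_b_policy):
    return {"role_a_policy": check_role_a_policy(role_a_policy),
            "role_b_trust": check_role_b_trust(role_b_trust),
            "role_b_policy": check_role_b_policy(role_b_policy)}


# Policies from steps 2 and 3 with the placeholders substituted.
ROLE_A_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_B_ARN}]}
ROLE_B_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{BUCKET}"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}
ROLE_B_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE_A_ARN}, "Action": "sts:AssumeRole"}]}
# Two mistakes worth catching: a doubled ARN prefix and a service principal in the trust policy.
ROLE_B_POLICY_BROKEN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": [f"arn:aws:s3:::arn:aws:s3:::{BUCKET}/*", f"arn:aws:s3:::arn:aws:s3:::{BUCKET}"]}]}
ROLE_B_TRUST_BROKEN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"}, "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    for name, findings in audit(ROLE_A_POLICY, ROLE_B_TRUST_BROKEN, ROLE_B_POLICY_BROKEN).items():
        print(name, findings or "OK")
```

Run it as is and it reports the broken variants; swap in ROLE_B_TRUST and ROLE_B_POLICY and every check comes back clean. To check real policies, paste the JSON exported from the IAM console into the dict literals.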
4.Account B - Create a sample.txt and upload it to the S3 bucket srini-crossaccount-b
5.Account A - Install the AWS CLI on the EC2 instance and run the commands below to download the file
- Open a command prompt as administrator
- Run aws s3 ls: with only the instance profile it lists the buckets in Account A, not the Account B bucket
- Assume the Account B role with STS
aws sts assume-role --role-arn "arn:aws:iam::AWS_Account_B_Id:role/RoleReadS3Bucket" --role-session-name AWSCLI-Session
- From the Credentials block of the output copy the AccessKeyId, SecretAccessKey and SessionToken values. These are temporary credentials (the key id starts with ASIA) and expire at the Expiration time shown, one hour after the call by default
- Store them in a named profile rather than under the default profile: credentials in the file take precedence over the instance profile, so stale keys under [default] would break Account A access once they expire. Enter the key id and secret key when prompted by
aws configure --profile crossaccount-b
- Open C:\Users\YourName\.aws\credentials and add the token to the [crossaccount-b] section as a key value pair
aws_session_token = *********************
- Then download the file from the Account B bucket with that profile
aws s3 cp s3://srini-crossaccount-b/sample.txt d:/sample.txt --profile crossaccount-b
Alternatively, let the CLI assume the role and refresh the credentials itself: add a profile to C:\Users\YourName\.aws\config with role_arn = arn:aws:iam::AWS_Account_B_Id:role/RoleReadS3Bucket and credential_source = Ec2InstanceMetadata, and run the same copy command with that profile. Nothing then has to be pasted into the credentials file.
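Copying the three values by hand into the credentials file is error-prone, and nothing warns when the session has already expired. The following is an added example, not code from the original post: it parses the JSON that aws sts assume-role prints, refuses credentials that are not temporary or are already expired, and writes them as a named profile without touching the other profiles in the file. The JSON is a constructed sample with placeholder keys, and the profile name crossaccount-b is an assumption.

```python
"""Turn `aws sts assume-role` output into a named AWS CLI profile.

Added example, not from the original post. SAMPLE_ASSUME_ROLE_OUTPUT is a constructed
sample of the CLI's JSON output with placeholder (non-functional) keys."""
import configparser
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample of what `aws sts assume-role ... --role-session-name AWSCLI-Session` prints.
SAMPLE_ASSUME_ROLE_OUTPUT = """{
  "Credentials": {
    "AccessKeyId": "ASIAEXAMPLEKEY123456",
    "SecretAccessKey": "EXAMPLEsecretKEYthatIsNotReal0000000000",
    "SessionToken": "FwoGZXIvYXdzEXAMPLETOKEN",
    "Expiration": "2099-01-01T00:59:59+00:00"
  },
  "AssumedRoleUser": {
    "AssumedRoleId": "AROAEXAMPLEID:AWSCLI-Session",
    "Arn": "arn:aws:sts::222222222222:assumed-role/RoleReadS3Bucket/AWSCLI-Session"
  }
}"""


def parse_assume_role_output(text):
    """Extract the Credentials block; Expiration becomes a timezone-aware datetime."""
    creds = json.loads(text)["Credentials"]
    if not creds["AccessKeyId"].startswith("ASIA"):
        raise ValueError("expected temporary credentials (access key id starting with ASIA)")
    # CLI v1 prints a trailing Z, CLI v2 an explicit +00:00; fromisoformat needs the latter
    creds["Expiration"] = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    return creds


def seconds_until_expiry(creds, now=None):
    now = now or datetime.now(timezone.utc)
    return (creds["Expiration"] - now).total_seconds()


def write_profile(creds, credentials_path, profile="crossaccount-b"):
    """Add or replace one profile in the credentials file; other profiles such as
    [default] are preserved. Returns the file's sections after the write."""
    if seconds_until_expiry(creds) <= 0:
        raise ValueError("temporary credentials already expired; run assume-role again")
    cfg = configparser.ConfigParser()
    cfg.read(credentials_path)  # silently empty if the file does not exist yet
    cfg[profile] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }
    with open(credentials_path, "w") as fh:
        cfg.write(fh)
    return {s: dict(cfg[s]) for s in cfg.sections()}


def demo_roundtrip():
    """Write into a throwaway credentials file that already holds a [default] profile."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "credentials")
        with open(path, "w") as fh:
            fh.write("[default]\naws_access_key_id = AKIADEFAULTEXAMPLE\naws_secret_access_key = x\n")
        creds = parse_assume_role_output(SAMPLE_ASSUME_ROLE_OUTPUT)
        return write_profile(creds, path)


if __name__ == "__main__":
    for name, values in demo_roundtrip().items():
        print(name, sorted(values))
```

On the instance, pipe the real command into it (aws sts assume-role ... > out.json, then parse the file and point write_profile at C:\Users\YourName\.aws\credentials) and run aws s3 cp ... --profile crossaccount-b. The written secret is only as protected as that file, so delete the profile once the session expires or the test is done.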
Conclusion: the EC2 instance in Account A downloaded a file from the Account B S3 bucket by assuming a role in Account B, using short-lived STS credentials and no long-lived access keys stored on the instance.
💬 If you enjoyed this post and found it informative, please take a moment to share your thoughts by leaving a comment and a like 😀, and follow me on dev.to and LinkedIn.
Top comments (3)
Very detailed post! I think I got more trust relationships here than I have with my coworkers. AWS permissions always feel like trying to solve a Rubik's Cube while blindfolded—did you run into any weird errors along the way, or did the policies magically work on the first try?
@richmirks, removed the policies which are not required and tested, all working.
@richmirks, after a couple of trials and a few fixes this is the final working solution, and for the role CrossAccountS3ReadAccess in the trust policy the first part is good enough and the second is not required, as we are not assuming this from the destination account. But I will give it a try removing the trust policy in the source IAM role and will update you tomorrow.