1

Looking for a policy for an S3 bucket that will allow all IAM roles and users from a different account to download files from the bucket that is located in my AWS account.

Thanks for help

hightest
  • Just a note as it's not quite what you've asked, but allowing a specific role from another account to access a bucket is more difficult. You have to get the role's aws:userid using "aws iam get-role", then use that userid in the bucket policy. It's documented here, but it takes some time to get your head around it: https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/ – Tim Feb 04 '21 at 18:00

1 Answer

0
{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "Example permissions",
         "Effect": "Allow",
         "Principal": {
            "AWS": "arn:aws:iam::AccountB-ID:root"
         },
         "Action": [
            "s3:GetBucketLocation",
            "s3:ListBucket"
         ],
         "Resource": [
            "arn:aws:s3:::awsexamplebucket1"
         ]
      }
   ]
}

Directly from the docs.

Nick
    You may need to add "s3:GetObject" permissions as well. – Peycho Dimitrov Feb 05 '21 at 07:35
  • And remember that "s3:GetObject" needs to target the path resource e.g. "arn:aws:s3:::awsexamplebucket1/*", not just "arn:aws:s3:::awsexamplebucket1". This often catches me out when I get an Access Denied – Mark Adamson Mar 15 '23 at 22:38
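As an added example (not code from the answer or from the AWS docs), the following Python builds the cross-account read policy the question asks for, with the separate object-level "s3:GetObject" statement the comments say the docs snippet lacks, and includes a small check that flags the bucket-ARN versus "bucket/*" mismatch behind the Access Denied mentioned above. The bucket name comes from the answer; the account ID passed in is an assumed placeholder.

```python
# Actions that act on the bucket itself: the resource must be the bare bucket ARN.
BUCKET_LEVEL_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}
# Actions that act on objects: the resource must be the bucket ARN plus "/*" or a key prefix.
OBJECT_LEVEL_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}

def cross_account_read_policy(bucket: str, trusted_account_id: str) -> dict:
    """Bucket policy letting every IAM user and role in one other account list the
    bucket and download objects. Granting to the account root delegates the grant;
    that account must still attach matching IAM permissions to its own principals."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    principal = {"AWS": f"arn:aws:iam::{trusted_account_id}:root"}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # bucket-level actions target the bucket ARN
                "Sid": "CrossAccountList",
                "Effect": "Allow",
                "Principal": principal,
                "Action": sorted(BUCKET_LEVEL_ACTIONS),
                "Resource": bucket_arn,
            },
            {   # object-level action targets the objects, hence the trailing "/*"
                "Sid": "CrossAccountGet",
                "Effect": "Allow",
                "Principal": principal,
                "Action": ["s3:GetObject"],
                "Resource": f"{bucket_arn}/*",
            },
        ],
    }

def resource_mismatches(policy: dict) -> list:
    """Return (Sid, action, resource) for each object-level action aimed at a bare bucket
    ARN, or bucket-level action aimed at an object path. A resource of "*" fits either."""
    problems = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for action in actions:
            for res in resources:
                if res == "*":
                    continue
                is_object_path = "/" in res.split(":::", 1)[-1]
                if action in OBJECT_LEVEL_ACTIONS and not is_object_path:
                    problems.append((stmt.get("Sid"), action, res))
                elif action in BUCKET_LEVEL_ACTIONS and is_object_path:
                    problems.append((stmt.get("Sid"), action, res))
    return problems
```

Run `resource_mismatches` over the docs snippet from the answer with "s3:GetObject" simply appended to its Action list and it reports the bare-bucket-ARN mismatch; the two-statement policy above reports none.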