
I'm trying to use 'aws s3 sync' on the awscli between two accounts.

Account A I own. Account B is owned by a third party.

Account B has given a user:jon on account A permission to a bucket through a role:assumeDevOps assumption.

Jon assumes assumeDevOps to access bucket on Account B. But now I have to sync to a bucket back on account A.

I'm getting an access denied. Possibly because that role that Jon assumed has no permissions to the bucket back on my account.

How do I do this?

Is there documentation on this specific situation?

phisshion

2 Answers


Basically, you need to create a policy that allows access to the S3 bucket on your side, create a role, and attach this policy to the role.

Then, a user in Account B needs to assume this role you created which allows access to your bucket.

I believe that this is the article that you are looking for (the more elaborated one): https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

And this is a more specific article: https://aws.amazon.com/premiumsupport/knowledge-center/copy-s3-objects-account/

Itai Ganot
  • But whoever assumes the role only has access to one of the buckets and not both. At least that is how it's currently working. – phisshion Jul 02 '19 at 23:52

The credentials used to perform an aws s3 sync command require:

  • Read permissions on the source bucket, AND
  • Write permissions on the destination bucket

Since you are assuming a role from the source account (that already has read permissions on the source bucket), you will need to grant permissions for that role to write to the destination bucket in your account.

This can be done via a Bucket policy on the destination bucket, which would look something like:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::destination-bucket/*",
                "arn:aws:s3:::destination-bucket"
            ],
            "Principal": {"AWS":"arn:aws:iam::bbbbbbbbbbbb:role/assumeDevOps"}
        }
    ]
}
John Rotenstein
    Is the implication here that this should work without making _any_ changes to the source account? If so, that's not working for me. I see, "fatal error: An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied" when trying to sync buckets between accounts when _only_ modifying permissions on the destination side. – pdoherty926 Apr 09 '21 at 15:56
  • @pdoherty926 I suggest that you create a new question rather than asking via a comment on an old question. Please include details of your particular setup. – John Rotenstein Apr 09 '21 at 22:15
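As an added example (my own code, not from either answer), here is a small Python script that builds the destination-side bucket policy shown above from the bucket name and role ARN, together with a minimal evaluator for checking which requests it permits; it also shows one frequent cause of ListObjectsV2 denials like the one quoted in the comment, namely s3:ListBucket granted on `bucket/*` instead of on the bucket ARN itself. The account id `bbbbbbbbbbbb`, role `assumeDevOps` and bucket `destination-bucket` are the answer's placeholders; the function names and the evaluator's simplifications are my own assumptions.

```python
import fnmatch

def build_destination_bucket_policy(bucket: str, role_arn: str) -> dict:
    """Destination-bucket policy for a cross-account 'aws s3 sync' writer.
    Bucket-level actions (ListBucket, GetBucketLocation) must name the bucket
    ARN itself; object-level actions must name '<bucket ARN>/*'."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "SyncObjects", "Effect": "Allow",
             "Principal": {"AWS": role_arn},
             "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject"],
             "Resource": f"{bucket_arn}/*"},
            {"Sid": "SyncBucket", "Effect": "Allow",
             "Principal": {"AWS": role_arn},
             "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
             "Resource": bucket_arn},
        ],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def policy_allows(policy: dict, principal_arn: str, action: str, resource_arn: str) -> bool:
    """Minimal check of Allow statements with an 'AWS' principal: True when a
    statement names the principal and its Action and Resource patterns match
    ('*' is a wildcard, as in IAM). Deny statements and Conditions are not
    modelled; this is a reasoning aid, not a replacement for IAM evaluation."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if principal_arn not in _as_list(stmt.get("Principal", {}).get("AWS", [])):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            return True
    return False

def listbucket_scoped_to_objects_only(bucket: str, role_arn: str) -> dict:
    """The common mistake: s3:ListBucket granted on '<bucket>/*' only, so a
    ListObjectsV2 call (evaluated against the bucket ARN) is denied."""
    policy = build_destination_bucket_policy(bucket, role_arn)
    policy["Statement"][1]["Resource"] = f"arn:aws:s3:::{bucket}/*"
    return policy
```

For a principal in another account, the role's own identity-based policy in that account must also allow these actions on the destination bucket; the bucket policy on its own does not grant them across accounts.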