So I want to grant a role that exists in account A the get-object permission on items in a bucket owned by account B.
I read the AWS docs' example policies and created a bucket policy like this:

```json
{
    "Version": "2012-10-17",
    "Id": "foo2",
    "Statement": [
        {
            "Sid": "Stmt199999999999",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789:role/asset_download_role"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket-name/*"
        }
    ]
}
```
Which to me reads in English: "Give the role asset_download_role from account 123456789 the GetObject permission to any and all objects inside the bucket my-bucket-name".

The test object in the bucket, foo.jpg, has no additional ACL or permissions set beyond the standard "Access for object owner".
Now when I assume the role and try to get the object:

```
aws s3api get-object --profile download_asset --region eu-west-2 --bucket my-bucket-name --key foo.jpg file.jpg
```

(or using boto3, or signing the URL with those credentials and retrieving that URL)

I get `An error occurred (AccessDenied) when calling the GetObject operation: Access Denied`.
Changing the profile to the bucket owner user credentials, I can download the file.
What am I doing wrong?
[Note that while I have access to both Account A and Account B in this test setup, in real life Account B will belong to a third party to whom I want to provide a working policy that they can use to open up what they require.]
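The following is an added example, not part of the question above and not AWS code. It models the rule AWS applies to cross-account requests: a principal in account A may act on a bucket in account B only when the bucket policy allows that principal *and* the identity-based policy attached to the principal allows the same action, with no explicit Deny on either side. A bucket policy alone grants nothing to a role in another account, which is the first thing to check when a policy like the one above still produces `AccessDenied`. The account ids, role name, object key and policy documents below are constructed placeholders; conditions, SCPs, session policies and object ACLs are deliberately outside this simplified model.

```python
"""Added example (not from the question): a simplified model of how AWS
evaluates a cross-account S3 request, used to check a bucket policy and a
role's identity policy together.

Modelled rule (documented by AWS): when a principal in account A calls an API
against a resource in account B, the request is allowed only if the
resource-based policy (bucket policy) allows that principal AND the
identity-based policy attached to the principal allows the action, with no
explicit Deny on either side. Conditions, SCPs, session policies and object
ACLs are not modelled here.
"""
import fnmatch
import re

ACCOUNT_ROOT_RE = re.compile(r"^arn:aws:iam::(\d{12}):root$")


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _match_any(patterns, value):
    """IAM-style wildcard match: '*' spans any characters (including '/'), '?' one."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def _principal_matches(stmt_principal, principal_arn):
    """Does a bucket-policy Principal element cover this IAM principal ARN?"""
    if stmt_principal == "*":
        return True
    if not isinstance(stmt_principal, dict):
        return False
    for entry in _as_list(stmt_principal.get("AWS")):
        if entry in ("*", principal_arn):
            return True
        # A bare account id or the account root ARN delegates to the whole account;
        # the principal's own identity policy still has to grant the action.
        if re.fullmatch(r"\d{12}", entry):
            account = entry
        else:
            m = ACCOUNT_ROOT_RE.match(entry)
            account = m.group(1) if m else None
        if account and principal_arn.startswith(f"arn:aws:iam::{account}:"):
            return True
    return False


def evaluate_policy(policy, action, resource, principal_arn=None):
    """Evaluate one policy document.

    Returns 'deny' if any matching statement is an explicit Deny, 'allow' if
    some matching statement allows, else 'implicit' (implicit deny).
    principal_arn is only consulted for resource-based policies, which carry
    a Principal element; identity policies have none.
    """
    outcome = "implicit"
    for stmt in _as_list(policy.get("Statement")):
        if principal_arn is not None and not _principal_matches(stmt.get("Principal"), principal_arn):
            continue
        if not _match_any(_as_list(stmt.get("Action")), action):
            continue
        if not _match_any(_as_list(stmt.get("Resource")), resource):
            continue
        if stmt.get("Effect") == "Deny":
            return "deny"
        outcome = "allow"
    return outcome


def cross_account_allowed(bucket_policy, identity_policy, principal_arn, action, resource):
    """Apply the cross-account rule: both policies must allow, neither may deny."""
    bucket_side = evaluate_policy(bucket_policy, action, resource, principal_arn)
    identity_side = evaluate_policy(identity_policy, action, resource)
    if "deny" in (bucket_side, identity_side):
        return False, "explicit Deny"
    if bucket_side != "allow":
        return False, "bucket policy does not allow this principal/action/resource"
    if identity_side != "allow":
        return False, "principal's own identity policy does not allow the action"
    return True, "allowed"


# Constructed sample data: placeholder 12-digit account ids, role and object.
ROLE_ARN = "arn:aws:iam::111111111111:role/asset_download_role"   # role in account A
OBJECT_ARN = "arn:aws:s3:::my-bucket-name/foo.jpg"                 # object in account B's bucket

BUCKET_POLICY = {  # account B's bucket policy, same shape as the one in the question
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ROLE_ARN},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::my-bucket-name/*",
    }],
}
ROLE_POLICY_EMPTY = {"Version": "2012-10-17", "Statement": []}  # role carries no S3 grant at all
ROLE_POLICY_OK = {  # identity policy that account A must attach to the role
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::my-bucket-name/*",
    }],
}

if __name__ == "__main__":
    for label, policy in (("no identity grant", ROLE_POLICY_EMPTY), ("identity grant present", ROLE_POLICY_OK)):
        ok, why = cross_account_allowed(BUCKET_POLICY, policy, ROLE_ARN, "s3:GetObject", OBJECT_ARN)
        print(f"{label}: {'ALLOW' if ok else 'DENY'} ({why})")
```

Running the script shows the bucket policy from the question passing on the bucket side while the request is still denied until the role's own identity policy also allows `s3:GetObject` on that bucket; in a real setup the same check can be made with the IAM policy simulator, and the bucket owner should also confirm the objects are owned by (or readable by) the bucket owner account, since an object uploaded by another account with a default ACL is a separate reason for `AccessDenied`.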