
I currently need to create an IAM policy with a service as a principal.

Now, I know that you can have:

"Service": [
    "ec2.amazonaws.com"
]
on your policy, but that refers to the EC2 service in your own account. How can I do the same for a different account, given that I cannot create a role for the service I'm trying to use, since it is for a machine learning installation from the web console?

Juan Sebastian

1 Answer


You'll want to create a bucket policy and apply it to the source bucket so that accounts can access a bucket of another account.

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AddCannedAcl",
      "Effect":"Allow",
      "Principal": {"AWS": ["arn:aws:iam::111122223333:root","arn:aws:iam::444455556666:root"]},
      "Action":["s3:PutObject","s3:PutObjectAcl"],
      "Resource":["arn:aws:s3:::examplebucket/*"] 
    }
  ]
}

http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html#example-bucket-policies-use-case-1

strongjz
  • Correct. Just to clarify for @Juan -- only the account that owns the resource can grant access. So, Machine Learning in Account A cannot declare that it has access to S3 in Account B. Rather, Account B has to grant access to the resource/service in Account A. The above answer shows this being done by placing a Bucket Policy on an S3 bucket in Account B, which is permitting access to something (e.g. a Role) in Account A. – John Rotenstein Aug 05 '17 at 00:28
  • I understand that. Let's just say I'm the owner of both accounts; my particular question is aimed at how I can declare a service in a different account than the one that owns the bucket as the principal. – Juan Sebastian Aug 08 '17 at 18:48
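The following is an added example, not part of the answer or of any AWS code, that puts the answer and John Rotenstein's comment into working form. It generates the two policy documents that the cross-account pattern needs (the bucket policy in Account B granting a specific role in Account A, and the trust policy of that role in Account A naming the service principal, here the `ec2.amazonaws.com` principal from the question), and it runs a small review check over a bucket policy: wildcard principals, principals outside an approved account list, `:root` principals that grant every identity in an account, and `Service` principals without an `aws:SourceAccount`/`aws:SourceArn` condition (a service principal in a resource policy is not scoped to one account by itself). The bucket name `examplebucket` and the account IDs come from the answer; the role name `ml-writer`, the function names and the finding texts are this example's own assumptions.

```python
import json
import re

# ARN of an IAM identity: captures the 12-digit account and the identity part.
ARN_ACCOUNT_RE = re.compile(r"^arn:aws:iam::(\d{12}):(root|role/.+|user/.+)$")

# The answer's bucket policy, copied from the page, used here as sample input.
ANSWER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AddCannedAcl",
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::111122223333:root",
                              "arn:aws:iam::444455556666:root"]},
        "Action": ["s3:PutObject", "s3:PutObjectAcl"],
        "Resource": ["arn:aws:s3:::examplebucket/*"],
    }],
}


def cross_account_bucket_policy(bucket, role_arn):
    """Bucket policy for the bucket owner (Account B): grant the same actions as the
    answer's policy, but to one specific role in Account A rather than to :root."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowPutFromAccountARole",
            "Effect": "Allow",
            "Principal": {"AWS": [role_arn]},
            "Action": ["s3:PutObject", "s3:PutObjectAcl"],
            "Resource": [f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def service_trust_policy(service_principal):
    """Trust policy for the role in Account A: this is where the service principal
    belongs, so the service assumes the role and the bucket policy names the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": [service_principal]},
            "Action": "sts:AssumeRole",
        }],
    }


def principal_findings(policy, allowed_accounts):
    """Review every Allow statement's Principal and return a list of finding strings
    (empty list means nothing to flag). allowed_accounts is a set of 12-digit IDs."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: wildcard principal grants public access")
            continue
        if not isinstance(principal, dict):
            continue
        if "Service" in principal:
            cond = json.dumps(stmt.get("Condition", {}))
            if "aws:SourceAccount" not in cond and "aws:SourceArn" not in cond:
                findings.append(f"{sid}: Service principal is not scoped to an account; "
                                "add an aws:SourceAccount or aws:SourceArn condition")
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        for arn in aws:
            if arn == "*":
                findings.append(f"{sid}: wildcard AWS principal grants public access")
                continue
            m = ARN_ACCOUNT_RE.match(arn)
            if not m:
                findings.append(f"{sid}: unparseable principal {arn}")
            elif m.group(1) not in allowed_accounts:
                findings.append(f"{sid}: principal {arn} is outside the approved accounts")
            elif m.group(2) == "root":
                findings.append(f"{sid}: {arn} grants every identity in account "
                                f"{m.group(1)}; prefer a specific role")
    return findings


if __name__ == "__main__":
    # Account B grants a hypothetical role in Account A (444455556666); Account A's
    # role trusts the EC2 service principal from the question.
    bucket = cross_account_bucket_policy("examplebucket",
                                         "arn:aws:iam::444455556666:role/ml-writer")
    trust = service_trust_policy("ec2.amazonaws.com")
    print(json.dumps(bucket, indent=2))
    print(json.dumps(trust, indent=2))
    for f in principal_findings(ANSWER_POLICY, {"111122223333", "444455556666"}):
        print("finding:", f)
```

Run over the answer's own policy, the check reports both `:root` principals, which is the point of the pattern: the bucket policy should name the one role the machine learning workload runs as, and the service principal lives only in that role's trust policy.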