Amazon S3 Access for Other AWS Accounts

I am trying to grant S3 list permission to another AWS account.

On the created bucket, the Permissions tab has an "Access for other AWS accounts" option. Under it I see an Add Account button. I clicked it and entered the other account from which I want to access this bucket.

However, I get an Invalid ID error.

+11

4 answers

If you want to grant access to a specific user in another account, this is quite simple. (I do not think this method will work to provide access to another account.)

Say you have:

  • Account A with Bucket A, which you own
  • Account B with User B, to whom you want to grant access

Ask User B for the ARN associated with their IAM user. It can be seen in the IAM management console and looks like this:

 arn:aws:iam::123456789012:user/fred 

Then add this bucket policy to Bucket A:

 {
   "Version": "2012-10-17",
   "Id": "S3AccessPolicy",
   "Statement": [
     {
       "Sid": "GiveFredAccess",
       "Effect": "Allow",
       "Principal": {
         "AWS": "arn:aws:iam::123456789012:user/fred"
       },
       "Action": [
         "s3:GetObject",
         "s3:ListBucket"
       ],
       "Resource": [
         "arn:aws:s3:::bucket-a",
         "arn:aws:s3:::bucket-a/*"
       ]
     }
   ]
 }

This will allow Fred to access the S3 bucket. It works for users in the same account and for users in another account.

+3
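Added example, not code from the answer above or from AWS: a small Python script that builds the bucket policy the answer shows, refuses a wildcard or malformed principal before it is ever applied, and also emits the identity policy that Account B must attach to User B. The second policy matters because across accounts a bucket policy alone is not sufficient; the caller's own IAM policy must also allow the actions (within one account the bucket policy alone is enough). The bucket name and principal ARN are the answer's; the function names, the ARN check and the optional boto3 call are this example's own assumptions.

```python
"""Build and validate a cross-account S3 bucket policy.

Added example, not the answer's own code. Assumed names: build_bucket_policy,
build_identity_policy, apply_bucket_policy; boto3 is only needed for the last one.
"""
from __future__ import annotations

import json
import re

# Accept only an IAM user ARN or an account-root ARN (root delegates to the whole
# account). A bare "*" would make the bucket world-readable, so it is rejected here.
PRINCIPAL_ARN = re.compile(r"^arn:aws:iam::\d{12}:(user/[\w+=,.@-]+|root)$")

READ_ACTIONS = ["s3:GetObject", "s3:ListBucket"]


def bucket_resources(bucket: str) -> list[str]:
    # s3:ListBucket is evaluated against the bucket ARN, s3:GetObject against the
    # object ARNs; both are needed and they are not interchangeable.
    return [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]


def build_bucket_policy(bucket: str, principal_arns: list[str], sid: str = "GiveFredAccess") -> dict:
    """Bucket policy for Account A: let the listed principals list the bucket and read objects."""
    if not principal_arns:
        raise ValueError("at least one principal ARN is required")
    for arn in principal_arns:
        if not PRINCIPAL_ARN.match(arn):
            raise ValueError(f"refusing principal {arn!r}: expected an IAM user or account-root ARN")
    principal = principal_arns[0] if len(principal_arns) == 1 else principal_arns
    return {
        "Version": "2012-10-17",
        "Id": "S3AccessPolicy",
        "Statement": [
            {
                "Sid": sid,
                "Effect": "Allow",
                "Principal": {"AWS": principal},
                "Action": READ_ACTIONS,
                "Resource": bucket_resources(bucket),
            }
        ],
    }


def build_identity_policy(bucket: str) -> dict:
    """IAM policy Account B attaches to User B; without it the cross-account request is denied."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": READ_ACTIONS, "Resource": bucket_resources(bucket)}
        ],
    }


def apply_bucket_policy(bucket: str, policy: dict) -> None:
    """Apply the policy with boto3 (assumed installed and credentialed for Account A)."""
    import boto3  # imported here so the rest of the module runs offline

    boto3.client("s3").put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))


if __name__ == "__main__":
    policy = build_bucket_policy("bucket-a", ["arn:aws:iam::123456789012:user/fred"])
    print(json.dumps(policy, indent=2))
    print(json.dumps(build_identity_policy("bucket-a"), indent=2))
```

To grant the whole of Account B rather than one user, pass `arn:aws:iam::123456789012:root` as the principal; the check above accepts it, and Account B's administrator then decides with IAM policies which of its users may actually use the grant.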

You need a "canonical user ID". You can read about it here.

To view your canonical user ID as root (console)

Log in as the root user using your AWS account email address and password.

... snip ...

In the upper right corner of the console, select your account name or number. Then select My Security Credentials.

If necessary, select Continue to Security Credentials in the dialog box. You can select the box next to Don't show me this message again to stop the dialog box from appearing in the future.

Expand the Account Identifiers section to view your canonical user ID.

Note If you do not see the "Account Identifiers" section, you are not logged in as root. Return to step 1 above. If you do not have access to the root user credentials, contact your AWS account administrator and ask them for a canonical user ID.

+3

To get the canonical ID, one of the easiest ways is to use the CLI and run aws s3api list-buckets. You will get the ID at the end of the output.

There are other ways to get the canonical identifier, which are described in detail in the aws documentation: https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html.

list-buckets aws docs: https://docs.aws.amazon.com/cli/latest/reference/s3api/list-buckets.html

+2
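Added example for the two canonical-ID answers above; it is not code from either answer or from AWS. The console's "Access for other AWS accounts" dialog edits the bucket ACL, and an ACL grant identifies an account by its canonical user ID, not by the 12-digit account ID, which is why the question's attempt produced "Invalid ID". The script reads the Owner.ID field out of `aws s3api list-buckets` JSON output, refuses a value that looks like an account ID, and builds the AccessControlPolicy that put_bucket_acl expects. The list-buckets response and both IDs in it are constructed; the 64-hex-character format check and the function names are this example's assumptions.

```python
"""Canonical user IDs and bucket ACL grants.

Added example, not the answers' own code. The sample response and the IDs are
constructed, and the 64-hex-character check is an assumption about the ID format.
"""
import json
import re

# Assumption: a canonical user ID is 64 lowercase hex characters.
CANONICAL_ID = re.compile(r"^[0-9a-f]{64}$")

# Bucket ACL permission names accepted by S3.
ACL_PERMISSIONS = {"READ", "WRITE", "READ_ACP", "WRITE_ACP", "FULL_CONTROL"}

# Constructed to look like `aws s3api list-buckets` output; the ID is made up.
OWNER_ID = "0123456789abcdef" * 4
GRANTEE_ID = "fedcba9876543210" * 4
SAMPLE_LIST_BUCKETS = json.dumps(
    {
        "Buckets": [{"Name": "bucket-a", "CreationDate": "2020-01-01T00:00:00+00:00"}],
        "Owner": {"DisplayName": "account-a", "ID": OWNER_ID},
    }
)


def looks_like_account_id(value: str) -> bool:
    """True for the 12-digit account ID, which the ACL dialog does not accept."""
    return value.isdigit() and len(value) == 12


def check_canonical_id(value: str) -> str:
    if looks_like_account_id(value):
        raise ValueError("that is a 12-digit account ID; the ACL needs the canonical user ID")
    if not CANONICAL_ID.match(value):
        raise ValueError(f"{value!r} does not look like a canonical user ID")
    return value


def canonical_id_from_list_buckets(output: str) -> str:
    """Extract Owner.ID from the JSON printed by `aws s3api list-buckets`."""
    return check_canonical_id(json.loads(output)["Owner"]["ID"])


def build_acl_grant(owner_id: str, grantee_id: str, permission: str = "READ") -> dict:
    """AccessControlPolicy for put_bucket_acl: keep the owner's FULL_CONTROL, add one grant.

    READ on a bucket ACL lets the grantee list the bucket; it does not by itself let
    them read the objects. put_bucket_acl replaces the whole ACL, so any existing
    grant that is not repeated here is dropped.
    """
    if permission not in ACL_PERMISSIONS:
        raise ValueError(f"unknown ACL permission {permission!r}")
    owner_id = check_canonical_id(owner_id)
    grantee_id = check_canonical_id(grantee_id)
    return {
        "Owner": {"ID": owner_id},
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": owner_id}, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "CanonicalUser", "ID": grantee_id}, "Permission": permission},
        ],
    }


def apply_acl(bucket: str, acl: dict) -> None:
    """Apply the ACL with boto3 (assumed installed and credentialed for the bucket owner)."""
    import boto3  # imported here so the rest of the module runs offline

    boto3.client("s3").put_bucket_acl(Bucket=bucket, AccessControlPolicy=acl)


if __name__ == "__main__":
    owner = canonical_id_from_list_buckets(SAMPLE_LIST_BUCKETS)
    print(json.dumps(build_acl_grant(owner, GRANTEE_ID), indent=2))
```

ACLs are the legacy mechanism: a bucket whose Object Ownership setting is "Bucket owner enforced" (the default for new buckets) rejects put_bucket_acl grants altogether, and in that case the bucket policy from the first answer is the way to do this.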

I can do this manually using a canonical ID. But how can we do this in the cloud? I have been struggling with this.

0

Source: https://habr.com/ru/post/1270243/
