DEV Community

Srinivasulu Paranduru for AWS Community Builders


Accessing cross account S3 bucket via EC2 instance with assume role

Use case: an EC2 instance in Account A reads files from an S3 bucket in Account B.



Prerequisites:

  1. Have the details of two AWS accounts in hand before starting this PoC.
  2. Activities in Account A

    • Create a Windows EC2 instance
    • Create an IAM instance profile role RoleReadCrossAccntS3Bucket and give it the necessary permissions
    • Attach the IAM instance profile to the EC2 instance
    • Configure the AWS CLI on the EC2 instance; it is needed to access the cross-account S3 bucket
  3. Activities in Account B

    • Create an S3 bucket with a name of your choice; in this PoC I tried the name "srini-crossaccount-b"
    • Create an IAM role RoleReadS3Bucket with a read-access policy for the bucket "srini-crossaccount-b"

Steps to perform this activity in Accounts A and B

1. Create an S3 bucket in AWS Account B: "srini-crossaccount-b"

2. AWS Account A: create an IAM instance profile role RoleReadCrossAccntS3Bucket and attach the policy and trust relationship below

Policy Name: CrossAccountS3ReadAccess

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::srini-crossaccount-b/*",
                "arn:aws:s3:::srini-crossaccount-b"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
             "arn:aws:iam::AccountB_AWS_Id:role/RoleReadS3Bucket"
            ]
        }
    ]
}


IAM Role - Trust Relationship

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        },
        {
            "Sid": "ReadOtherAccountS3Bucket",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AWS_Account_B:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "ArnLike": {
                    "aws:PrincipalArn": "arn:aws:iam::AWS_Account_B:role/RoleReadS3Bucket"
                }
            }
        }
    ]
}

3. AWS Account B: create an IAM role RoleReadS3Bucket and attach the policy and trust relationship below

Policy Name: S3ReadAccess

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "kms:Decrypt"
            ],
            "Resource": [
                "arn:aws:s3:::srini-crossaccount-b/*",
                "arn:aws:s3:::srini-crossaccount-b",
                "arn:aws:kms:eu-west-1:AWS-Account_B:key/Kmskey_attachedtoS3Bucket"
            ]
        }
    ]
}


IAM Role - Trust Relationship (the principal must be the Account A instance role that calls sts:AssumeRole; a service principal such as s3.amazonaws.com cannot assume the role on the instance's behalf)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AWS_Account_A_Id:role/RoleReadCrossAccntS3Bucket"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
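Two mistakes are easy to make while writing the Account B side of this setup: a doubled "arn:aws:s3:::" prefix in a Resource (the policy then matches nothing, and every read fails with AccessDenied) and a Service principal in the trust policy where the Account A role ARN belongs. The script below is an added example, not code from the post or from AWS; it runs a few static checks over constructed copies of the two Account B documents that carry exactly those defects. The account IDs and the KMS key id in the samples are placeholders.

```python
import json
import re

# Constructed sample input: Account B's permission policy and trust policy with
# two defects planted (doubled S3 ARN prefix, Service principal in the trust
# policy). Account IDs and the KMS key id are placeholders.
SAMPLE_PERMISSION_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "VisualEditor0",
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket", "sts:AssumeRole", "kms:Decrypt"],
    "Resource": [
      "arn:aws:s3:::arn:aws:s3:::srini-crossaccount-b/*",
      "arn:aws:s3:::arn:aws:s3:::srini-crossaccount-b",
      "arn:aws:kms:eu-west-1:111111111111:key/KMS_KEY_ID_PLACEHOLDER"
    ]
  }]
}
""")

SAMPLE_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "s3.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
""")

# Shapes of the ARNs this setup legitimately uses.
S3_ARN = re.compile(r"^arn:aws:s3:::[a-z0-9][a-z0-9.-]{1,61}[a-z0-9](/.*)?$")
KMS_ARN = re.compile(r"^arn:aws:kms:[a-z0-9-]+:[^:]+:key/[^:]+$")
IAM_PRINCIPAL_ARN = re.compile(r"^arn:aws:iam::[^:]+:(root|role/[^:]+)$")


def _as_list(value):
    """IAM accepts a single string or a list for Action, Resource and Principal values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_permission_policy(policy):
    """Return findings for an identity policy; an empty list means nothing was flagged."""
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for arn in resources:
            if arn.count("arn:aws:") > 1:
                findings.append(f"{sid}: doubled ARN prefix in {arn!r}; it matches no bucket")
            elif arn.startswith("arn:aws:s3:::") and not S3_ARN.match(arn):
                findings.append(f"{sid}: malformed S3 ARN {arn!r}")
            elif arn.startswith("arn:aws:kms:") and not KMS_ARN.match(arn):
                findings.append(f"{sid}: malformed KMS ARN {arn!r}")
        # sts:AssumeRole only does something when Resource names an IAM role.
        if "sts:AssumeRole" in actions and not any(
            r == "*" or IAM_PRINCIPAL_ARN.match(r) for r in resources
        ):
            findings.append(f"{sid}: sts:AssumeRole listed but no IAM role ARN in Resource")
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action!r} goes beyond read access")
    return findings


def check_trust_policy(trust, caller_role_arn):
    """Findings for a cross-account trust policy. The role in the other account can
    only assume this role if Principal.AWS names that role or its account root; a
    Service principal such as s3.amazonaws.com does not stand in for it."""
    findings = []
    caller_root = f"arn:aws:iam::{caller_role_arn.split(':')[4]}:root"
    for stmt in trust.get("Statement", []):
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("trust: wildcard principal lets any AWS account assume this role")
            continue
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if not aws_principals:
            findings.append(f"trust: no AWS principal ({principal!r}); {caller_role_arn} cannot assume this role")
            continue
        for p in aws_principals:
            if not IAM_PRINCIPAL_ARN.match(p):
                findings.append(f"trust: malformed principal ARN {p!r}")
        if caller_role_arn not in aws_principals and caller_root not in aws_principals:
            findings.append(f"trust: neither {caller_role_arn} nor {caller_root} is trusted")
    return findings


if __name__ == "__main__":
    caller = "arn:aws:iam::AWS_Account_A_Id:role/RoleReadCrossAccntS3Bucket"
    for f in check_permission_policy(SAMPLE_PERMISSION_POLICY) + check_trust_policy(SAMPLE_TRUST_POLICY, caller):
        print(f)
```

Run it before creating the roles: the three findings it prints for the samples are the ones IAM itself reports only indirectly, as AccessDenied at assume-role or at download time. The trust check also flags a wildcard principal, which would let any AWS account assume RoleReadS3Bucket.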
4. Account B: create a sample.txt and upload it to the S3 bucket srini-crossaccount-b

5. Account A: install the AWS CLI on the EC2 instance and run the commands below to download the file
  • Open a command prompt in admin mode
  • Try the aws s3 ls command; it will list the S3 buckets in Account A
  • Run the STS command
aws sts assume-role --role-arn "arn:aws:iam::AWS_Account_B_Id:role/RoleReadS3Bucket" --role-session-name AWSCLI-Session
  • Copy the AccessKeyId, SecretAccessKey and SessionToken values from the output and keep them separately
  • Run the command below and paste the access key id and secret access key values when prompted
aws configure
  • Open the file C:\Users\YourName\.aws\credentials
  • Add a key-value pair
    aws_session_token = *********************

  • Then run the command below to download the file from the cross-account bucket in Account B

aws s3 cp s3://srini-crossaccount-b/sample.txt d:/sample.txt
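The copy-and-paste in step 5 is where this procedure usually goes wrong: temporary keys are rejected unless the session token is stored alongside them, and the whole set expires (one hour by default for assume-role), after which aws s3 cp fails with an expired-token error. The script below is an added example, not code from the post; it takes the JSON that aws sts assume-role prints, writes all three values into a named profile in the credentials file instead of overwriting the default profile, and reports how long they remain valid. The STS output is a constructed sample with fake values and a placeholder account id; the profile name crossaccount-b is an assumption.

```python
import configparser
import io
import json
import os
from datetime import datetime, timezone

# Constructed sample of what `aws sts assume-role` prints; every value is fake and
# the account id is a placeholder.
SAMPLE_STS_OUTPUT = """
{
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID0000",
        "SecretAccessKey": "EXAMPLESECRETKEY/NotARealSecret00000000",
        "SessionToken": "EXAMPLE-SESSION-TOKEN-NOT-REAL",
        "Expiration": "2024-01-01T13:00:00+00:00"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEID:AWSCLI-Session",
        "Arn": "arn:aws:sts::AWS_Account_B_Id:assumed-role/RoleReadS3Bucket/AWSCLI-Session"
    }
}
"""


def parse_sts_credentials(text):
    """Pull the three credential parts and the expiry out of the assume-role output.
    All three are needed: temporary keys are rejected without the session token."""
    creds = json.loads(text)["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
        "expiration": datetime.fromisoformat(creds["Expiration"]),
    }


def seconds_remaining(creds, now=None):
    """Seconds until the temporary credentials expire; negative means already expired.
    `now` may be omitted (current UTC time) or given as an ISO-8601 string."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    return int((creds["expiration"] - now).total_seconds())


def render_profile(creds, profile="crossaccount-b"):
    """Render the profile section in the format the credentials file expects."""
    cfg = configparser.ConfigParser()
    cfg[profile] = {k: v for k, v in creds.items() if k != "expiration"}
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()


def merge_into_credentials_file(path, creds, profile="crossaccount-b"):
    """Add or replace one profile in the credentials file, leaving the default
    profile (the instance's own identity) untouched."""
    cfg = configparser.ConfigParser()
    cfg.read(path)
    cfg[profile] = {k: v for k, v in creds.items() if k != "expiration"}
    folder = os.path.dirname(path)
    if folder:
        os.makedirs(folder, exist_ok=True)
    with open(path, "w") as fh:
        cfg.write(fh)
    try:
        os.chmod(path, 0o600)  # no effect on Windows ACLs; restrict the .aws folder there
    except OSError:
        pass
    return path


if __name__ == "__main__":
    creds = parse_sts_credentials(SAMPLE_STS_OUTPUT)
    print(render_profile(creds))
    print(f"credentials expire in {seconds_remaining(creds)} s")
```

With the profile written, the download becomes aws s3 cp s3://srini-crossaccount-b/sample.txt d:/sample.txt --profile crossaccount-b, and the instance's own default profile stays usable. The AWS CLI can also perform the assume-role itself and refresh the credentials before they expire: a profile in the config file with role_arn set to the Account B role and credential_source = Ec2InstanceMetadata removes the manual STS call and the copy-and-paste entirely.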

Conclusion: the EC2 instance in Account A downloads the file from the S3 bucket in Account B by assuming RoleReadS3Bucket.

💬 If you enjoyed reading this blog post and found it informative, please take a moment to share your thoughts by leaving a review and liking it 😀 and follow me in dev.to , linkedin

Top comments (3)

Richard Mirks

Very detailed post! I think I got more trust relationships here than I have with my coworkers. AWS permissions always feel like trying to solve a Rubik's Cube while blindfolded—did you run into any weird errors along the way, or did the policies magically work on the first try?

Srinivasulu Paranduru

@richmirks, removed the policies which are not required and tested; all working.

Srinivasulu Paranduru

@richmirks, after a couple of trials and a few fixes, this is the final working solution. For the role CrossAccountS3ReadAccess, the first part of the trust policy is good enough and the second is not required, as we are not assuming this from the destination account. But I will give it a try removing the trust policy in the source IAM role and will update you tomorrow.