How to share S3 Buckets across AWS accounts with IAM Roles

There are several ways to share S3 buckets across AWS accounts so that another account can access the objects stored in them. In this tutorial we will use IAM roles, because the same mechanism also works for sharing other types of AWS resources.

Our account setup and the resources we need look like this:

You define a role in account A (where the S3 bucket is), and from account B you assume that role, which gives you permission to access the bucket (depending on the permissions defined in the role).

Let’s see it step by step.

1. Create a role in account A and set the trusted entity to another AWS account (provide the ID of account B):

2. Create a policy for that role and attach it to the role. The policy should look like this (replace the bucket name with your bucket’s name):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::AccountABucket"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::AccountABucket/*"
        }
    ]
}

3. Log into account B and use the Switch Roles option in your user’s dropdown menu (top right, just before the Global dropdown).
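The three steps above, as an added example that is not part of the original post: the trust policy for step 1, the permissions policy from step 2 generated for a given bucket, a check that the trust policy really only trusts account B before you attach it, and step 3 done with boto3 instead of the console. The account ID, bucket name and role ARN are placeholders.

```python
import re

# Placeholders (constructed for this example); replace with your own values.
ACCOUNT_B_ID = "111122223333"
BUCKET = "AccountABucket"

def trust_policy(account_b_id: str) -> dict:
    """Step 1: trust policy for the role in account A, trusting only account B."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": f"arn:aws:iam::{account_b_id}:root"}}]}

def bucket_policy(bucket: str) -> dict:
    """Step 2: the permissions policy from the post, scoped to one bucket."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": ["arn:aws:s3:::*"]},
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": f"arn:aws:s3:::{bucket}"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"arn:aws:s3:::{bucket}/*"}]}

def trusted_accounts(trust: dict) -> set:
    """Who may assume the role under this trust policy ('*' means any AWS principal).
    Check this before attaching the policy: '*' or an unexpected account is a misconfiguration."""
    found = set()
    for stmt in trust.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = "*" if principal == "*" else principal.get("AWS", [])
        for p in ([aws] if isinstance(aws, str) else aws):
            m = re.match(r"^arn:aws:iam::(\d{12}):root$", p)
            found.add(m.group(1) if m else p)  # raw ID, user/role ARN or '*' kept as-is
    return found

def assume_and_list(role_arn: str, bucket: str, session_name: str = "cross-account-s3") -> list:
    """Step 3 with the SDK instead of the console: from account B credentials, assume the
    role in account A and list the bucket with the returned temporary credentials."""
    import boto3  # imported here so the policy helpers above run without the SDK installed
    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName=session_name)["Credentials"]
    s3 = boto3.client("s3", aws_access_key_id=creds["AccessKeyId"],
                      aws_secret_access_key=creds["SecretAccessKey"],
                      aws_session_token=creds["SessionToken"])
    return [o["Key"] for o in s3.list_objects_v2(Bucket=bucket).get("Contents", [])]

if __name__ == "__main__":
    print(trusted_accounts(trust_policy(ACCOUNT_B_ID)))
    # print(assume_and_list("arn:aws:iam::<account A id>:role/<role name>", BUCKET))
```

Running `assume_and_list` needs credentials for account B in the environment and the role ARN from step 1; the policy helpers and the trust check work offline.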

For a demo of the whole process please watch the video.
