How to ‘aws s3 sync’ two buckets, which are located in different accounts

amazon s3amazon-iamamazon-web-servicesaws-cli

I'm trying to use 'aws s3 sync' on the awscli between two accounts.

Account A, I own. Account B, Owned by a third party.

Account B has given a user:jon on account A permission to a bucket through a role:assumeDevOps assumption.

Jon assumes assumeDevOps to access bucket on Account B. But now I have to sync to a bucket back on account A.

I'm getting an access denied. Possibly because that role that Jon assumed has no permissions to the bucket back on my account.

How do I do this?

Is there documentation on this specific situation?

Best Answer

Basically, you need to create a policy to allow access to the S3 bucket on your side and a role and attach this policy to the role.

Then, a user in Account B needs to assume this role you created which allows access to your bucket.

I believe that this is the article that you are looking for (the more elaborated one): https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

And this is a more specific article: https://aws.amazon.com/premiumsupport/knowledge-center/copy-s3-objects-account/

Related Solutions

How to chain AWS IAM AssumeRole API calls

Scenario:

AccountA - your account
AccountB - customer account
RoleA - Your account role to access DynamoDB, call STS, etc.
RoleB - TrustedSecurityAuditor role in AccountB

You will need to manage two sets of credentials. Credentials A which are created from the IAM role assigned to the EC2 instance. Use these credentials to access your resources such as DynamoDB. Credentials B which are created via STS from RoleB. Use these credentials to access your customers resources.

You will then need to independently use the credentials based upon what you want to do. For example if you are using Python you would create two boto3 clients with different credentials.

Access Denied when syncing between s3 buckets on different AWS accounts

The cause of your ListObjects error is that you assigned permission to access the contents of your bucket (arn:aws:s3:::bucket/*) but you did not give permissions to the bucket itself (arn:aws:s3:::bucket). The ListObjects command requires access to the bucket.

To test this, I did the following:

Used two AWS accounts: Account A, Account B
Created bucket-a in Account A
Created bucket-b in Account B
Created an IAM User user-a in Account A with permissions to access bucket-a

Added a Bucket Policy to bucket-b:

{
  "Id": "CopyBuckets",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::bucket-b",
        "arn:aws:s3:::bucket-b/*"
      ],
      "Principal": {
        "AWS": [
          "arn:aws:iam::<account-a-id>:user/user-a"
        ]
      }
    }
  ]
}

I then triggered the sync by using user-a in Account A:

aws s3 sync s3://bucket-a s3://bucket-b --profile user-a

It worked successfully.

Best Answer

Related Solutions

How to chain AWS IAM AssumeRole API calls

Access Denied when syncing between s3 buckets on different AWS accounts

Related Topic