I'm trying to use 'aws s3 sync' on the awscli between two accounts.
Account A, I own. Account B, Owned by a third party.
Account B has given a user:jon on account A permission to a bucket through a role:assumeDevOps assumption.
Jon assumes assumeDevOps to access the bucket on Account B. But now I have to sync to a bucket back on Account A.
I'm getting an access denied. Possibly because that role that Jon assumed has no permissions to the bucket back on my account.
How do I do this?
Is there documentation on this specific situation?
Best Answer
Basically, you need to create a policy that allows access to the S3 bucket on your side, create a role, and attach this policy to the role.
Then, a user in Account B needs to assume this role you created which allows access to your bucket.
I believe that this is the article you are looking for (the more elaborate one): https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
And this is a more specific article: https://aws.amazon.com/premiumsupport/knowledge-center/copy-s3-objects-account/
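One way to set up what the answer describes, as an added example that is not from the original post: Account A creates a role trusted by a named user in Account B, grants that role read on B's bucket and write on A's bucket, and the Account B user assumes the role so that a single identity performs the sync. Account IDs, bucket names, the user name "devops", the role name and the profile name are placeholders. Because the source bucket lives in Account B, Account B must additionally allow this role's ARN in its bucket policy; that policy is not shown.

```shell
#!/usr/bin/env bash
# Account A (ours) creates a role that a trusted user in Account B may assume; the role
# may read the source bucket in Account B and write the destination bucket in Account A.
# All account IDs, bucket, user and role names below are placeholders.
set -euo pipefail

ACCOUNT_A="111111111111"                  # placeholder: our account
ACCOUNT_B="222222222222"                  # placeholder: third-party account
SRC_BUCKET="example-bucket-in-account-b"  # placeholder
DST_BUCKET="example-bucket-in-account-a"  # placeholder
ROLE_NAME="CrossAccountS3Sync"            # placeholder

# Trust policy: only one named IAM user in the other account may assume the role.
trust_policy() {   # $1 = account id, $2 = user name
  cat <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
 "Principal":{"AWS":"arn:aws:iam::${1}:user/${2}"},
 "Action":"sts:AssumeRole"}]}
EOF
}

# Permission policy: list/read the source bucket, list/write the destination, nothing else.
role_policy() {    # $1 = source bucket, $2 = destination bucket
  cat <<EOF
{"Version":"2012-10-17","Statement":[
 {"Effect":"Allow","Action":["s3:ListBucket","s3:GetObject"],
  "Resource":["arn:aws:s3:::${1}","arn:aws:s3:::${1}/*"]},
 {"Effect":"Allow","Action":["s3:ListBucket","s3:PutObject"],
  "Resource":["arn:aws:s3:::${2}","arn:aws:s3:::${2}/*"]}]}
EOF
}

# Step 1 (run with Account A credentials): create the role and attach the policy.
create_role() {
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy "$ACCOUNT_B" devops)"
  aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name s3-sync \
    --policy-document "$(role_policy "$SRC_BUCKET" "$DST_BUCKET")"
}

# Step 2 (run as the Account B user, $1 = that user's CLI profile): the CLI assumes the
# role automatically for the "syncrole" profile, so one identity reads B and writes A.
# Account B must also grant this role's ARN in its bucket policy (not shown).
sync_as_role() {
  aws configure set profile.syncrole.role_arn "arn:aws:iam::${ACCOUNT_A}:role/${ROLE_NAME}"
  aws configure set profile.syncrole.source_profile "$1"
  aws s3 sync "s3://${SRC_BUCKET}" "s3://${DST_BUCKET}" --profile syncrole
}
```

Run `create_role` once from Account A, then `sync_as_role <account-b-profile>` from the Account B side; objects written by the Account A role are owned by Account A, so no extra ACL is needed on the destination.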