I saw the official documentation https://aws.amazon.com/premiumsupport/knowledge-center/s3-instance-access-bucket/ which says to create a role in both accounts and attach it! I had another solution, which is to create an IAM user in Account B, grant it only S3 bucket permissions, and configure the EC2 instance in Account B with that user. So if I do that, will it work? And can the EC2 instance still access the S3 from its own account?
CodePudding user response:
It appears that your situation is:

- Amazon EC2 instance in Account A
- Amazon S3 bucket in Account A (`Bucket-A`)
- Amazon S3 bucket in Account B (`Bucket-B`)
- You would like the EC2 instance to be able to access both buckets

You should do the following:

- Create an IAM Role (`Role-A`) for the Amazon EC2 instance with:
  - Permission to access `Bucket-A`, and
  - Permission to access `Bucket-B`
- Add a Bucket policy to `Bucket-B` that permits access to the bucket from `Role-A` (This will grant "cross-account access")

That's it! The instance will be able to access `Bucket-A` due to permissions in the IAM Role, and it will be able to access `Bucket-B` due to permissions in both the IAM Role and the Bucket Policy.
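The two policies the answer describes, plus a small evaluator showing why `Bucket-B` needs both the role's identity policy and a bucket policy while `Bucket-A` needs only the role (an added example, not code from the original question or answer; account ids, role name, action list and the `access_allowed` helper are constructed placeholders):

```python
import fnmatch

# Constructed example values (not from the original post): placeholder account ids.
ACCOUNT_A, ACCOUNT_B = "111111111111", "222222222222"
ROLE_A_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/Role-A"
S3_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]

# Identity policy attached to Role-A (Account A): the instance may use both buckets.
ROLE_A_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": S3_ACTIONS,
    "Resource": ["arn:aws:s3:::Bucket-A", "arn:aws:s3:::Bucket-A/*",
                 "arn:aws:s3:::Bucket-B", "arn:aws:s3:::Bucket-B/*"]}]}

# Bucket policy on Bucket-B (Account B): trusts exactly Role-A, nothing else from Account A.
BUCKET_B_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": ROLE_A_ARN}, "Action": S3_ACTIONS,
    "Resource": ["arn:aws:s3:::Bucket-B", "arn:aws:s3:::Bucket-B/*"]}]}


def _match(patterns, value):
    """IAM-style wildcard match of one value against a string or list of patterns."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _allows(policy, action, resource, principal=None):
    """Simplified evaluator: any Allow statement matching action, resource and
    (when given) principal. Explicit Deny and Condition blocks are ignored here."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or not _match(st["Action"], action) \
                or not _match(st["Resource"], resource):
            continue
        prin = st.get("Principal", {})
        aws_prin = prin.get("AWS", []) if isinstance(prin, dict) else prin
        if principal is not None and not _match(aws_prin, principal):
            continue
        return True
    return False


def access_allowed(role_policy, role_arn, bucket_policy, bucket_account, action, resource):
    """Same account: the role's identity policy alone is enough (bucket-policy-only
    same-account grants are not modelled). Cross account: the identity policy AND
    the bucket policy must both allow the call."""
    role_account = role_arn.split(":")[4]
    if not _allows(role_policy, action, resource):
        return False
    if role_account == bucket_account:
        return True
    return bucket_policy is not None and _allows(bucket_policy, action, resource, role_arn)
```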