I have two aws accounts A and B.
In account A, I have an EC2 instance running inside a VPC in a private subnet with a NAT. This EC2 instance has the following role:
AWS Account A - EC2 Role Trusted entities:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
AWS Account A - EC2 Role Policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::ACCOUNT-B-NUMBER:role/aws-access-s3"
        }
    ]
}
In account B, I created an AWS account role, passing the AWS account A number.
AWS Account B - Role aws-access-s3 Trusted entities:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::ACCOUNT-A-NUMBER:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}
AWS Account B - Role aws-access-s3 Policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*",
                "s3-object-lambda:*"
            ],
            "Resource": "*"
        }
    ]
}
This is my setup, and when I run the command to list the account B bucket from the EC2 instance in account A, I get the error:
aws s3 ls bucket-name-account-b
Returns:
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
I don't know what I'm missing, I hope someone can help me.
CodePudding user response:
You need to make a profile to make this process automatic.
You can add the following to your .aws/config file:
[profile mys3profile]
region = $region
output = json
and the following to your .aws/credentials file:
[mys3profile]
role_arn = arn:aws:iam::accountb:role/yourrole
credential_source = Ec2InstanceMetadata
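The same role assumption done explicitly in code, as an added example that is not part of the original post or answer: the instance profile credentials sign only the sts:AssumeRole call, and the temporary credentials it returns (session token included) sign the S3 request. The role ARN and bucket name are placeholders, and the `sts` argument is any object with boto3's `assume_role` method, so the core helper can be exercised without network access.

```python
# Added example (not from the original post). Assumes boto3 is installed and
# the script runs on the EC2 instance in account A; the role ARN and bucket
# name below are placeholders.
ROLE_ARN = "arn:aws:iam::ACCOUNT-B-NUMBER:role/aws-access-s3"  # placeholder
BUCKET = "bucket-name-account-b"                               # placeholder


def assume_role_credentials(sts, role_arn, session_name="ec2-account-a-to-b",
                            duration=3600):
    """Call sts:AssumeRole through `sts` (a boto3 STS client, or any object
    exposing the same assume_role method) and return the temporary
    credentials as boto3 client keyword arguments.

    Only this call is signed with account A's instance profile credentials.
    Everything sent to the bucket afterwards must be signed with the returned
    triple; signing it with the instance credentials instead is exactly the
    case in which account B answers AccessDenied, because account B has
    granted that principal nothing."""
    resp = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                           DurationSeconds=duration)
    creds = resp["Credentials"]
    for key in ("AccessKeyId", "SecretAccessKey", "SessionToken"):
        if not creds.get(key):
            raise ValueError(f"AssumeRole response missing {key}")
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        # Temporary credentials are rejected without the session token;
        # dropping it is a common way to turn a working assume into AccessDenied.
        "aws_session_token": creds["SessionToken"],
    }


def list_bucket_via_role(bucket=BUCKET, role_arn=ROLE_ARN):
    """Assume the account B role, then list the bucket with those credentials."""
    import boto3  # imported here so the helper above stays testable offline
    sts = boto3.client("sts")  # signed with the EC2 instance profile
    s3 = boto3.client("s3", **assume_role_credentials(sts, role_arn))
    keys = []
    for page in s3.get_paginator("list_objects_v2").paginate(Bucket=bucket):
        keys.extend(obj["Key"] for obj in page.get("Contents", []))
    return keys


if __name__ == "__main__":
    print("\n".join(list_bucket_via_role()))
```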