AWS EC2 Access Denied S3 Cross Account

Time:09-22

I have two aws accounts A and B.

In the account A, I have an EC2 running inside a vpc in a private subnet that has a NAT on. This EC2 has the following role:

AWS Account A - EC2 Role Trusted entities:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

AWS Account A - EC2 Role Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::ACCOUNT-B-NUMBER:role/aws-access-s3"
        }
    ]
}

In the account B, I created an aws account role passing the aws account A number.

AWS Account B - Role aws-access-s3 Trusted entities:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::ACCOUNT-A-NUMBER:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}

AWS Account B - Role aws-access-s3 Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*",
                "s3-object-lambda:*"
            ],
            "Resource": "*"
        }
    ]
}

This is my setup, and when I try to run the command to list the account B bucket inside the EC2 in account A I'm getting the error:

aws s3 ls bucket-name-account-b

Returns:

An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied

I don't know what I'm missing, I hope someone can help me.

CodePudding user response:

You need to make a profile to make this process automatic. You can add the following to your .aws/config file:

[profile mys3profile]
region = $region
output = json

and the following to your .aws/credentials file.

[mys3profile]
role_arn = arn:aws:iam::accountb:role/yourrole
credential_source = Ec2InstanceMetadata
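As an added, offline example (not part of the question or the answer above): a small Python script that walks the cross-account chain described in the question. It checks that the EC2 role policy in account A may call sts:AssumeRole on the account B role, that the account B trust policy names account A, and that the account B role policy covers s3:ListBucket; it parses the ARN returned by `aws sts get-caller-identity` to show which account an S3 request is actually made from (the plain `aws s3 ls` in the question runs with account A's instance-role credentials because no assume-role step happened); and it renders the profile section the CLI needs. The account numbers and the role name `ec2-role` are placeholders, and the policy documents are constructed to mirror the ones in the question.

```python
import configparser
import io

# Placeholder account ids (the question only shows ACCOUNT-A-NUMBER / ACCOUNT-B-NUMBER).
ACCOUNT_A = "111111111111"
ACCOUNT_B = "222222222222"
TARGET_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/aws-access-s3"

# Constructed copies of the three policies that matter for the chain.
EC2_ROLE_POLICY_A = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": TARGET_ROLE_ARN}]}
TARGET_TRUST_B = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_A}:root"},
     "Action": "sts:AssumeRole", "Condition": {}}]}
TARGET_PERMS_B = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "s3-object-lambda:*"], "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    # IAM-style matching, limited to a trailing '*' wildcard (enough for these policies).
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def allows(doc, action, resource="*"):
    """True if some Allow statement in the policy covers the action on the resource."""
    for st in _as_list(doc["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        acts = _as_list(st.get("Action", []))
        ress = _as_list(st.get("Resource", "*"))
        if any(_match(a, action) for a in acts) and any(_match(r, resource) for r in ress):
            return True
    return False


def trusts_account(trust_doc, account_id):
    """True if the trust policy lets principals of account_id call sts:AssumeRole."""
    accepted = {account_id, f"arn:aws:iam::{account_id}:root"}
    for st in _as_list(trust_doc["Statement"]):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if any(p in accepted for p in aws_principals):
            return True
    return False


def check_chain(ec2_role_policy, target_trust, target_perms, source_account, role_arn, bucket):
    """Return the broken links of the assume-role chain (an empty list means it is sound)."""
    problems = []
    if not allows(ec2_role_policy, "sts:AssumeRole", role_arn):
        problems.append("source role may not call sts:AssumeRole on the target role")
    if not trusts_account(target_trust, source_account):
        problems.append("target role's trust policy does not trust the source account")
    if not allows(target_perms, "s3:ListBucket", f"arn:aws:s3:::{bucket}"):
        problems.append("target role lacks s3:ListBucket on the bucket")
    return problems


def caller_account(caller_identity_arn):
    """Account field of an ARN such as arn:aws:sts::111111111111:assumed-role/ec2-role/i-0abc."""
    return caller_identity_arn.split(":")[4]


def acting_in_target(caller_identity_arn, target_account):
    """False means the request still carries the source account's identity, i.e. no assume step."""
    return caller_account(caller_identity_arn) == target_account


def profile_config(profile, role_arn, region):
    """Render a ~/.aws/config section that makes the CLI assume the role from instance credentials."""
    cfg = configparser.ConfigParser()
    cfg[f"profile {profile}"] = {"region": region, "output": "json", "role_arn": role_arn,
                                "credential_source": "Ec2InstanceMetadata"}
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    print("chain problems:", check_chain(EC2_ROLE_POLICY_A, TARGET_TRUST_B, TARGET_PERMS_B,
                                         ACCOUNT_A, TARGET_ROLE_ARN, "bucket-name-account-b"))
    # Constructed sample of what get-caller-identity returns on the instance without a profile.
    print("acting in B:", acting_in_target(f"arn:aws:sts::{ACCOUNT_A}:assumed-role/ec2-role/i-0abc", ACCOUNT_B))
    print(profile_config("mys3profile", TARGET_ROLE_ARN, "us-east-1"))
```

On the instance, `aws sts get-caller-identity` without a profile reports account A's instance role, and `aws sts get-caller-identity --profile mys3profile` should report an assumed-role ARN in account B; if the second call fails, the chain check above points at the link to fix before looking at the bucket itself.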