Example 2: Bucket owner granting cross-account bucket permissions
Important
Granting permissions to IAM roles is a better practice than granting permissions to individual users. To learn how to do this, see Understanding cross-account permissions and using IAM roles.
Topics
An AWS account—for example, Account A—can grant another AWS account, Account B, permission to access its resources such as buckets and objects. Account B can then delegate those permissions to users in its account. In this example scenario, a bucket owner grants cross-account permission to another account to perform specific bucket operations.
Note
Account A can also directly grant a user in Account B permissions using a bucket policy. However, the user will still need permission from the parent account, Account B, to which the user belongs, even if Account B doesn't have permissions from Account A. As long as the user has permission from both the resource owner and the parent account, the user will be able to access the resource.
The following is a summary of the walkthrough steps:
-
Account A administrator user attaches a bucket policy granting cross-account permissions to Account B to perform specific bucket operations.
Note that administrator user in Account B will automatically inherit the permissions.
-
Account B administrator user attaches user policy to the user delegating the permissions it received from Account A.
-
User in Account B then verifies permissions by accessing an object in the bucket owned by Account A.
For this example, you need two accounts. The following table shows how we refer to these accounts and the administrator users in them. In accordance with the IAM guidelines (see About using an administrator user to create resources and grant permissions), we don't use the root user credentials in this walkthrough. Instead, you create an administrator user in each account and use those credentials when creating resources and granting them permissions.
AWS account ID | Account referred to as | Administrator user in the account |
---|---|---|
|
Account A |
AccountAadmin |
|
Account B |
AccountBadmin |
All the tasks of creating users and granting permissions are done in the AWS Management Console. To verify permissions, the walkthrough uses the command line tools, AWS Command Line Interface (CLI) and AWS Tools for Windows PowerShell, so you don't need to write any code.
Preparing for the walkthrough
-
Make sure you have two AWS accounts and that each account has one administrator user as shown in the table in the preceding section.
-
Sign up for an AWS account, if needed.
-
Using Account A credentials, sign in to the IAM console
to create the administrator user: -
Create user
AccountAadmin
and note the security credentials. For instructions, see Creating an IAM user in Your AWS account in the IAM User Guide. -
Grant administrator privileges to AccountAadmin by attaching a user policy giving full access. For instructions, see Working with Policies in the IAM User Guide.
-
-
While you are in the IAM console, note the IAM user Sign-In URL on the Dashboard. All users in the account must use this URL when signing in to the AWS Management Console.
For more information, see How Users Sign in to Your Account in IAM User Guide.
-
Repeat the preceding step using Account B credentials and create administrator user
AccountBadmin
.
-
-
Set up either the AWS Command Line Interface (AWS CLI) or the AWS Tools for Windows PowerShell. Make sure that you save administrator user credentials as follows:
-
If using the AWS CLI, create two profiles,
AccountAadmin
andAccountBadmin
, in the config file. -
If using the AWS Tools for Windows PowerShell, make sure that you store credentials for the session as
AccountAadmin
andAccountBadmin
.
For instructions, see Setting up the tools for the walkthroughs.
-
-
Save the administrator user credentials, also referred to as profiles. You can use the profile name instead of specifying credentials for each command you enter. For more information, see Setting up the tools for the walkthroughs.
-
Add profiles in the AWS CLI credentials file for each of the administrator users,
AccountAadmin
andAccountBadmin
, in the two accounts.[AccountAadmin] aws_access_key_id =
access-key-ID
aws_secret_access_key =secret-access-key
region = us-east-1 [AccountBadmin] aws_access_key_id =access-key-ID
aws_secret_access_key =secret-access-key
region = us-east-1 -
If you're using the AWS Tools for Windows PowerShell, run the following command.
set-awscredentials –AccessKey
AcctA-access-key-ID
–SecretKeyAcctA-secret-access-key
–storeas AccountAadmin set-awscredentials –AccessKeyAcctB-access-key-ID
–SecretKeyAcctB-secret-access-key
–storeas AccountBadmin
-
Step 1: Do the Account A tasks
Step 1.1: Sign in to the AWS Management Console
Using the IAM user sign-in URL for Account A, first sign in to the AWS Management Console as AccountAadmin user. This user will create a bucket and attach a policy to it.
Step 1.2: Create a bucket
-
In the Amazon S3 console, create a bucket. This exercise assumes the bucket is created in the US East (N. Virginia) AWS Region and is named
.amzn-s3-demo-bucket
For instructions, see Creating a bucket.
-
Upload a sample object to the bucket.
For instructions, go to Step 2: Upload an object to your bucket.
Step 1.3: Attach a bucket policy to grant cross-account permissions to Account B
The bucket policy grants the s3:GetLifecycleConfiguration
and
s3:ListBucket
permissions to Account B. It's assumed that you're
still signed in to the console using AccountAadmin user
credentials.
-
Attach the following bucket policy to
. The policy grants Account B permission for theamzn-s3-demo-bucket
s3:GetLifecycleConfiguration
ands3:ListBucket
actions.For instructions, see Adding a bucket policy by using the Amazon S3 console.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Example permissions", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::
AccountB-ID
:root" }, "Action": [ "s3:GetLifecycleConfiguration", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::amzn-s3-demo-bucket
" ] } ] } -
Verify that Account B (and thus its administrator user) can perform the operations.
-
Verify using the AWS CLI
aws s3 ls s3://
amzn-s3-demo-bucket
--profile AccountBadmin aws s3api get-bucket-lifecycle-configuration --bucketamzn-s3-demo-bucket
--profile AccountBadmin -
Verify using the AWS Tools for Windows PowerShell
get-s3object -BucketName
amzn-s3-demo-bucket
-StoredCredentials AccountBadmin get-s3bucketlifecycleconfiguration -BucketNameamzn-s3-demo-bucket
-StoredCredentials AccountBadmin
-
Step 2: Do the Account B tasks
Now the Account B administrator creates a user, Dave, and delegates the permissions received from Account A.
Step 2.1: Sign in to the AWS Management Console
Using the IAM user sign-in URL for Account B, first sign in to the AWS Management Console as AccountBadmin user.
Step 2.2: Create user Dave in Account B
In the IAM ConsoleDave
.
For instructions, see Creating IAM users (console) in the IAM User Guide.
Step 2.3: Delegate permissions to user Dave
Create an inline policy for the user Dave by using the following policy. You will need to update the policy by providing your bucket name.
It's assumed that you're signed in to the console using AccountBadmin user credentials.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Example", "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::
amzn-s3-demo-bucket
" ] } ] }
For instructions, see Managing IAM policies in the IAM User Guide.
Step 2.4: Test permissions
Now Dave in Account B can list the contents of
owned by Account A. You can verify the permissions using either of the following
procedures. amzn-s3-demo-bucket
Test permissions using the AWS CLI
-
Add the
UserDave
profile to the AWS CLI config file. For more information about the config file, see Setting up the tools for the walkthroughs.[profile UserDave] aws_access_key_id =
access-key
aws_secret_access_key =secret-access-key
region =us-east-1
-
At the command prompt, enter the following AWS CLI command to verify Dave can now get an object list from the
owned by Account A. Note the command specifies theamzn-s3-demo-bucket
UserDave
profile.aws s3 ls s3://
--profile UserDaveamzn-s3-demo-bucket
Dave doesn't have any other permissions. So, if he tries any other operation—for example, the following
get-bucket-lifecycle
configuration—Amazon S3 returns permission denied.aws s3api get-bucket-lifecycle-configuration --bucket
amzn-s3-demo-bucket
--profile UserDave
Test permissions using AWS Tools for Windows PowerShell
-
Store Dave's credentials as
AccountBDave
.set-awscredentials -AccessKey AccessKeyID -SecretKey SecretAccessKey -storeas AccountBDave
-
Try the List Bucket command.
get-s3object -BucketName
amzn-s3-demo-bucket
-StoredCredentials AccountBDaveDave doesn't have any other permissions. So, if he tries any other operation—for example, the following
get-s3bucketlifecycleconfiguration
—Amazon S3 returns permission denied.get-s3bucketlifecycleconfiguration -BucketName
amzn-s3-demo-bucket
-StoredCredentials AccountBDave
Step 3: (Optional) Try explicit deny
You can have permissions granted by using an access control list (ACL), a bucket
policy, or a user policy. But if there is an explicit deny set by either a bucket policy
or a user policy, the explicit deny takes precedence over any other permissions. For
testing, update the bucket policy and explicitly deny Account B the
s3:ListBucket
permission. The policy also grants
s3:ListBucket
permission. However, explicit deny takes precedence, and
Account B or users in Account B will not be able to list objects in
.amzn-s3-demo-bucket
-
Using credentials of user
AccountAadmin
in Account A, replace the bucket policy by the following.{ "Version": "2012-10-17", "Statement": [ { "Sid": "Example permissions", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::
AccountB-ID
:root" }, "Action": [ "s3:GetLifecycleConfiguration", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::amzn-s3-demo-bucket
" ] }, { "Sid": "Deny permission", "Effect": "Deny", "Principal": { "AWS": "arn:aws:iam::AccountB-ID
:root" }, "Action": [ "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::amzn-s3-demo-bucket
" ] } ] } -
Now if you try to get a bucket list using
AccountBadmin
credentials, access is denied.-
Using the AWS CLI, run the following command:
aws s3 ls s3://
amzn-s3-demo-bucket
--profile AccountBadmin -
Using the AWS Tools for Windows PowerShell, run the following command:
get-s3object -BucketName
amzn-s3-demo-bucket
-StoredCredentials AccountBDave
-
Step 4: Clean up
-
After you're done testing, you can do the following to clean up:
-
Sign in to the AWS Management Console (AWS Management Console
) using Account A credentials, and do the following: -
In the Amazon S3 console, remove the bucket policy attached to
. In the bucket Properties, delete the policy in the Permissions section.amzn-s3-demo-bucket
-
If the bucket is created for this exercise, in the Amazon S3 console, delete the objects and then delete the bucket.
-
In the IAM Console
, remove the AccountAadmin
user.
-
-
-
Sign in to the IAM Console
using Account B credentials. Delete user AccountBadmin
. For step-by-step instructions, see Deleting an IAM user in the IAM User Guide.