Pete Cheslock

DevOps, RelEng, DevTools, Automation, Randomness

How to Enable Cross-Account AWS Access With IAM Users

We manage our AWS assets across many different accounts. This helps us keep data and access controls separate depending on the type of data we are controlling.

One of our AWS accounts is a non-production account where we spin up and down test systems to support new feature testing and other development activities. Our build cluster (which lives in a separate AWS account) needs access to some S3 buckets that live in our non-production account. The problem is that this account also contains some of our more sensitive stacks, like QA and UA systems, which are locked down from a moderate to a production level of access. So, in this case, I needed to create an IAM user on our build cluster account that could access specific buckets in our Non-Prod account. This is to ensure we’re not giving out keys that could be used to potentially cause data destruction.

Here is how you can do it if you are looking for the same level of Amazon cross-account access for S3 buckets (with granular per-bucket IAM level permissions).

This guide assumes that you already have an IAM user on the account you want to enable access from (our build cluster account). You’ll also need to know the S3 bucket in question (this will be a bucket called my-shared-bucket-20932 in our non-production account). I’m also going to assume you have a basic understanding of IAM (how to create users, groups, etc.).

The first step is to get your AWS account ID number - this is a 12-digit number. You can find it in your account activity report.

[Screenshot: AWS Account ID]

Next - go to the IAM user you are going to grant access to and grab the User ARN. You will need this when you create the bucket policy on the bucket in the other account you’re granting them access to.

[Screenshot: ARN]

After you have both the AWS account ID number 1234567890 and your User ARN arn:aws:iam::1234567890:user/test.user, access your S3 bucket properties for the bucket you are going to allow access to. My example is going to use the bucket my-shared-bucket-20932.

[Screenshot: Bucket Policy]

Now you are going to need to paste in a bucket policy in JSON format - the example below enables “Get” access to anything in the bucket my-shared-bucket-20932. If you wanted to allow full access, you could change s3:Get* to s3:*, or to s3:Put* if you only wanted to allow uploading files.

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Sid": "NonProdAccountAccess",
          "Effect": "Allow",
          "Principal": {
              "AWS": "arn:aws:iam::1234567890:user/test.user"
          },
          "Action": "s3:Get*",
          "Resource": "arn:aws:s3:::my-shared-bucket-20932/*"
      }
  ]
}

Now that you have your S3 bucket policy in place - it’s time to create a new group that your user(s) will be a member of to allow them the ability to access the bucket in your other account.

Access the IAM tab in your AWS console and create a group. When your group is created, create a policy with the following information:

{
   "Statement":{
      "Effect":"Allow",
      "Action":"s3:Get*",
      "Resource":"arn:aws:s3:::my-shared-bucket-20932/*"
   }
}

It’s going to look something like this: [Screenshot: IAM Policy]

Finally - make your IAM user a member of the group you just created - and they will now have access to your S3 bucket in a separate AWS account.
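
The two policies above only work as a pair: for cross-account S3 access, the bucket policy in the bucket's account and the IAM policy in the user's account must both allow the request. The following Python sketch is an added example, not code from the original post; it models that evaluation in simplified form (exact principal ARN match, no Condition or NotAction support) so you can check what the pair actually grants. The function names are hypothetical.

```python
from fnmatch import fnmatchcase

# Policies from the article (account ID and bucket name are its placeholders).
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "NonProdAccountAccess",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::1234567890:user/test.user"},
        "Action": "s3:Get*",
        "Resource": "arn:aws:s3:::my-shared-bucket-20932/*",
    }],
}
GROUP_POLICY = {"Statement": {"Effect": "Allow", "Action": "s3:Get*",
                              "Resource": "arn:aws:s3:::my-shared-bucket-20932/*"}}

def _as_list(value):
    # IAM allows a single value or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]

def _matches(stmt, principal, action, resource, check_principal):
    """True if one statement covers the request (simplified model)."""
    if check_principal:  # only resource policies carry a Principal
        allowed = stmt.get("Principal", {})
        arns = ["*"] if allowed == "*" else _as_list(allowed.get("AWS", []))
        if not any(a in ("*", principal) for a in arns):
            return False
    # Action names are case-insensitive; resource ARNs are not.
    return (any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))

def _effects(policy, principal, action, resource, check_principal):
    return {s["Effect"] for s in _as_list(policy["Statement"])
            if _matches(s, principal, action, resource, check_principal)}

def cross_account_allowed(principal, action, resource,
                          bucket_policy=BUCKET_POLICY, identity_policy=GROUP_POLICY):
    """Cross-account S3 access needs an Allow on BOTH sides and no explicit Deny."""
    bucket = _effects(bucket_policy, principal, action, resource, True)
    identity = _effects(identity_policy, principal, action, resource, False)
    if "Deny" in bucket | identity:
        return False
    return "Allow" in bucket and "Allow" in identity
```

With the article's policies, s3:GetObject on an object key is allowed for test.user, while s3:PutObject, s3:ListBucket on the bucket ARN itself, and any request from a user not named in the bucket policy are refused.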