Use Case: Accessing a cross-account S3 bucket in Account B to read files from an EC2 instance in Account A
Pre-requisites:
- Have the details of two AWS accounts in hand before starting this PoC
Activities in Account A
- Create a Windows EC2 instance
- Create an IAM instance profile role, RoleReadCrossAccntS3Bucket, and give it the necessary permissions
- Attach the IAM instance profile to the EC2 instance
- Configure the AWS CLI on the EC2 instance; it is needed to access the cross-account S3 bucket
Activities in Account B
- Create an S3 bucket with a name of your choice; in this PoC I have tried with the name "srini-crossaccount-b"
- Create an IAM role RoleReadS3Bucket with a read-access policy for the bucket "srini-crossaccount-b"
Steps to perform this activity in Accounts A & B
1. Create an S3 bucket in AWS Account B - "srini-crossaccount-b"
2. AWS Account A - Create an IAM instance profile role RoleReadCrossAccntS3Bucket and then attach the policy and trust relationship below
Policy Name: CrossAccountS3ReadAccess
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": [
        "arn:aws:s3:::srini-crossaccount-b/*",
        "arn:aws:s3:::srini-crossaccount-b"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": ["sts:AssumeRole"],
      "Resource": ["arn:aws:iam::AWS_Account_B_Id:role/RoleReadS3Bucket"]
    }
  ]
}
IAM Role - Trust Relationship
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    },
    {
      "Sid": "ReadOtherAccountS3Bucket",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::AWS_Account_B_Id:root" },
      "Action": "sts:AssumeRole",
      "Condition": {
        "ArnLike": {
          "aws:PrincipalArn": "arn:aws:iam::AWS_Account_B_Id:role/RoleReadS3Bucket"
        }
      }
    }
  ]
}
3. AWS Account B - Create an IAM role RoleReadS3Bucket and then attach the policy and trust relationship below
Policy Name: S3ReadAccess
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket", "sts:AssumeRole", "kms:Decrypt"],
      "Resource": [
        "arn:aws:s3:::srini-crossaccount-b/*",
        "arn:aws:s3:::srini-crossaccount-b",
        "arn:aws:kms:eu-west-1:AWS_Account_B_Id:key/Kmskey_attachedtoS3Bucket"
      ]
    }
  ]
}
IAM Role - Trust Relationship
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::AWS_Account_A_Id:role/RoleReadCrossAccntS3Bucket" },
      "Action": "sts:AssumeRole"
    }
  ]
}
4. Account B - Create a sample.txt file and upload it to the S3 bucket srini-crossaccount-b
5. Account A - Install the AWS CLI on the EC2 instance and run the commands below to download the file
- Open a command prompt in admin mode
- Try the aws s3 ls command; it will list the S3 buckets in Account A
- Run the STS command
aws sts assume-role --role-arn "arn:aws:iam::AWS_Account_B_Id:role/RoleReadS3Bucket" --role-session-name AWSCLI-Session
- Copy the AccessKeyId, SecretAccessKey and SessionToken values from the output and keep them separately
- Run the command below and paste the access key ID and secret access key values when prompted
aws configure
- Go to the C:/Users/YourName/.aws/credentials file
Add the key value pair
aws_session_token = *********************
then try running the command below to download the file from cross-account B
aws s3 cp s3://srini-crossaccount-b/sample.txt d:/sample.txt
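As an added example (not part of the original post), a small Python script that takes the JSON printed by the aws sts assume-role command above and writes it as a named profile, session token included, into the credentials file, so the temporary credentials are used with aws s3 cp --profile crossacct-b ... instead of being pasted by hand. The profile name crossacct-b and the sample STS output are constructed for this example; the key values are the placeholder credentials from the AWS documentation.

```python
"""Feed the JSON printed by `aws sts assume-role` to this script and it writes
a named profile (including the session token) to the AWS credentials file, so
`aws s3 cp --profile crossacct-b ...` uses the temporary credentials."""
import configparser
import json
import os
from datetime import datetime, timezone

# Constructed sample of the assume-role output; the key values are the
# placeholder credentials from the AWS documentation, not real secrets.
SAMPLE_STS_OUTPUT = json.dumps({"Credentials": {
    "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "SessionToken": "FwoGZXIvYXdzEBYaDEXAMPLESESSIONTOKEN",
    "Expiration": "2030-01-01T12:00:00+00:00",
}})


def parse_sts_output(text):
    """Extract the three credential parts and refuse credentials that have
    already expired (assume-role credentials last one hour by default)."""
    creds = json.loads(text)["Credentials"]
    expiry = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    if expiry <= datetime.now(timezone.utc):
        raise ValueError("credentials already expired; rerun assume-role")
    return creds["AccessKeyId"], creds["SecretAccessKey"], creds["SessionToken"]


def render_profile(profile, sts_text, cfg=None):
    """Put all three keys under [profile]; S3 rejects STS keys unless
    aws_session_token is also present, which is the easy field to forget."""
    key, secret, token = parse_sts_output(sts_text)
    cfg = cfg if cfg is not None else configparser.ConfigParser()
    cfg[profile] = {"aws_access_key_id": key,
                    "aws_secret_access_key": secret,
                    "aws_session_token": token}
    return cfg


def write_profile(profile, sts_text, path=None):
    """Merge the profile into the credentials file (on Windows this is
    C:\\Users\\<name>\\.aws\\credentials) without touching other profiles."""
    path = path or os.path.expanduser("~/.aws/credentials")
    cfg = configparser.ConfigParser()
    cfg.read(path)  # a missing file is fine: read() just skips it
    render_profile(profile, sts_text, cfg)
    os.makedirs(os.path.dirname(path) or ".", exist_ok=True)
    with open(path, "w") as fh:
        cfg.write(fh)
    return path
```

Call write_profile("crossacct-b", sts_json) with the captured assume-role output, then run the aws s3 cp command with --profile crossacct-b. The script also refuses credentials whose Expiration has already passed, which is the usual reason a later aws s3 cp with hand-pasted keys fails.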
Conclusion: From the Account A EC2 instance, trying to download the file from the Account B S3 bucket
Top comments (3)
@richmirks, after a couple of trials and a few fixes this is the final working solution, and for the role CrossAccountS3ReadAccess the first part of the trust policy is good enough and the second is not required as we are not assuming this from the destination account. But I will give it a try removing the trust policy in the source IAM role and will update you back tomorrow.
Very detailed post! I think I got more trust relationships here than I have with my coworkers. AWS permissions always feel like trying to solve a Rubik's Cube while blindfolded—did you run into any weird errors along the way, or did the policies magically work on the first try?
@richmirks, removed the policies which are not required and tested; all working.