Open in app

Sign in

Write

Sign in

How to grant Amazon EC2 instance upload object access to an Amazon S3 bucket in another AWS account?

Priyanka Patel
4 min readJun 23, 2022

--

Follow the steps to grant object upload access an EC2 instance in Account A to a bucket in another account (Account B).

Create an IAM role in account B.

1. Sign in to the AWS Management Console with Account B.

2. Open the AWS Identity and Access Management (IAM) console.

3. In the navigation pane, choose Roles.

4. Choose Create role.

5. For Select type of trusted entity, choose Another AWS account.

6. Enter the account ID of Account A.

7. Choose Next: Permissions option.

8. Attach a policy to the role that delegates access to Amazon S3. For example, this policy grants access for s3:GetObject on objects stored in the bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::your-bucket-name/*",
                "arn:aws:s3:::your-bucket-name"
            ]
        }
    ]
}

9. Choose Next: Add tags.

10. You can add optional tags to the role and then choose Next: Review.

11. For Role name, enter a name for the role.

12. Choose Create role.

Get the role’s ARN, from Account B.

1. From the IAM console’s navigation pane, choose Roles.

2. Choose the IAM role that you created.

3. Note the value that’s listed for Role ARN.

Create another role (for instance profile) and attach it to the instance, from Account A.

1. Sign in to the AWS Management Console with Account A.

2. Open the IAM console.

3. From the navigation pane, choose Roles.

4. Choose Create role.

5. For Select type of trusted entity, choose AWS service.

6. For Choose the service that will use this role, choose EC2.

7. Choose Next: Permissions.

8. Choose Next: Tags.

9. You can add optional tags to the role. Or, you can leave the fields blank, and then choose Next: Review.

10. For Role name, enter a name for the role.

11. Choose Create role.

12. Choose the role that you just created, from the list of roles.

13. Choose Add inline policy, and then choose the JSON view.

14. Enter the following policy. Replace arn:aws:iam::XXXXXXXXXXXX:role/ROLENAME with the Amazon Resource Name (ARN) of the IAM role that you created in Account B.

{ 
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::XXXXXXXXXXXX:role/ROLENAME"
        }
    ]
}

15. Choose Review policy.

16. Enter a name for the policy.

17. Choose Create policy.

18. Attach the IAM role (instance profile) to the Amazon EC2 instance that you use to access the Amazon S3 bucket.

From the Amazon EC2 instance, configure the role with your credentials

1. Connect to the Amazon EC2 instance. For more information, see Connect to your Linux instance or Connecting to your Windows instance.

2. After you connect to the instance, verify if the directory already has a folder named ~/.aws.

To find the ~/.aws folder, run the following ls command to list the directory:

ls -l ~/.aws

3. If you find the ~/.aws folder, then proceed to the next step. If the directory doesn’t have a ~/.aws folder yet, then create the folder by running the mkdir command:

mkdir ~/.aws/

4. Within the ~/.aws folder, use a text editor to create a file. Name the file config.

touch config

5. In the file, enter the following text. Replace enterprofilename with the name of the role that you attached to the instance in account A. Then, replace arn:aws:iam::XXXXXXXXXXXX:role/ROLENAME with the ARN of the role that you created in Account B.

[profile enterprofilename]
role_arn = arn:aws:iam::XXXXXXXXXXXX:role/ROLENAMEcredential_source = Ec2InstanceMetadata

6. Save the file.

Verify the instance profile

To verify that your instance’s role (instance profile) can assume the role in Account B, run the command while connected to the instance. Replace profilename with the name of the role that you attached to the instance in account A.

$aws sts get-caller-identity --profile profilename

The command returns a response similar to the following:

"Account": "XXXXXXXXXXXX","UserId": "AROAEXAMPLEID:sessionName","Arn": "arn:aws:sts::XXXXXXXXXXXX:assumed-role/ROLENAME/sessionName"

Confirm that the value for “Arn” matches the ARN of the role that you created in Account B.

Verify access to the Amazon S3 bucket

To verify that your instance can access the Amazon S3 bucket, run this list command while connected to the instance. Replace profilename with the name of the role that you attached to the instance in account A.

aws s3 ls s3://your-bucket-name --profile profilename

If your instance can access the bucket successfully, then you receive a response that lists the contents of the bucket, such as this:

PRE demo/
2022-06-10 13:44:25        289 index.html
2022-06-10 13:44:25     144351 nature.jpg

To upload the file to Amazon S3 bucket, run this list command while connected to the instance in account A.

aws s3 cp test.sh s3://your-bucket-name --profile profilename

If your instance upload the object to bucket successfully, then you receive a response, such as this:

upload: ./test.sh to s3://your-bucket-name/test.sh
Cross Account Access
S3 Bucket
Ec2 Instance
Iam Policy
Iam Roles

--

--

Priyanka Patel

Written by Priyanka Patel

0 Followers

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams