1. Managing Cross-Account Model Artifact Sharing with AWS S3 Bucket Policies


    To manage S3 bucket policies for cross-account sharing of model artifacts, you'll make use of the AWS S3 service. An S3 bucket policy is a resource-based policy that allows you to grant or deny access permissions to your bucket and the objects in it. When using Pulumi to manage AWS resources, we'll use the AWS package.

    We want the bucket policy to grant only the specific permissions the other AWS account needs to access the model artifacts. This typically means allowing actions like s3:GetObject so that account can retrieve the models, and nothing broader.

    Here's a step-by-step guide to setting up a cross-account S3 bucket policy using Pulumi with Python:

    1. Define the S3 bucket: Create an S3 bucket where you will store model artifacts.

    2. Write the bucket policy: A bucket policy is written in JSON format. It specifies the AWS accounts that you want to allow access to and the specific permissions granted.

    3. Attach the bucket policy to the S3 bucket: Apply the bucket policy on the S3 bucket using Pulumi.

    I'll now provide a Pulumi program in Python that creates an S3 bucket and a bucket policy allowing another AWS account to access this bucket. Please replace "<OTHER_ACCOUNT_ID>" with the actual AWS account ID to which you want to grant access.

    import json

    import pulumi
    import pulumi_aws as aws

    # Replace with the 12-digit AWS account ID that should be allowed to read the artifacts
    other_account_id = "<OTHER_ACCOUNT_ID>"

    # Create an AWS S3 bucket to store your model artifacts
    model_bucket = aws.s3.Bucket("modelArtifactBucket")

    # Define the cross-account access policy document in JSON format.
    # model_bucket.arn is a Pulumi Output that is only known once the bucket exists,
    # so the document has to be built inside .apply(); putting the Output straight
    # into an f-string would not produce the real ARN.
    cross_account_policy_doc = model_bucket.arn.apply(lambda bucket_arn: json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            # The other account's root principal; which users or roles in that
            # account may actually use the grant is decided by its own IAM policies
            "Principal": {"AWS": f"arn:aws:iam::{other_account_id}:root"},
            "Action": "s3:GetObject",
            # s3:GetObject is an object-level action, hence the /* suffix on the bucket ARN
            "Resource": f"{bucket_arn}/*",
        }],
    }))

    # Attach the cross-account bucket policy to the S3 bucket
    bucket_policy = aws.s3.BucketPolicy(
        "bucketPolicy",
        bucket=model_bucket.id,
        policy=cross_account_policy_doc,
    )

    # Export the URL of the S3 bucket to easily access it (the website endpoint is
    # only populated when static website hosting is configured on the bucket)
    pulumi.export("bucket_url", model_bucket.website_endpoint)

    Here's what the code does:

    • model_bucket = aws.s3.Bucket(...): This line uses the aws.s3.Bucket class to create a new S3 bucket.

    • cross_account_policy_doc: The policy document is a JSON object that defines who (the principal) can access what resources (the bucket and its contents) and which actions they can perform (e.g., s3:GetObject).

    • aws.s3.BucketPolicy(...): This takes the bucket and the JSON policy as arguments to set a bucket policy.

    • pulumi.export(...): Exports the bucket endpoint URL, allowing you to easily reference your bucket's location.

    Replace the placeholder <OTHER_ACCOUNT_ID> with the AWS account ID that you want to share your model artifacts with. A bucket policy that names the other account's root principal is only half of a cross-account grant: the users or roles in that account must also be allowed the same actions (here s3:GetObject on the bucket's objects) by an IAM policy in their own account, otherwise their requests are still denied.

    In AWS IAM, the Principal is the AWS account, user or role that is allowed to interact with the resources. The Resource element in the bucket policy defines which specific S3 objects this policy applies to, using the ARN (Amazon Resource Name) of the bucket: object actions such as s3:GetObject are matched against object ARNs (the bucket ARN followed by /*), whereas a bucket-level action such as s3:ListBucket would have to name the bucket ARN itself.
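    As an added example (not part of the original program and not Pulumi's own API), the following plain-Python helpers build a cross-account policy document of the shape shown above for one or more accounts and then check a generated document for the mistakes that turn a targeted share into a public one: a wildcard principal, a wildcard action, or a resource outside the bucket. The bucket ARN and account IDs are constructed sample values.

```python
import json


def build_cross_account_policy(bucket_arn, account_ids, actions=("s3:GetObject",)):
    """Least-privilege read policy: explicit root ARNs as principals, object
    actions scoped to bucket_arn/*, s3:ListBucket (if asked for) to the bucket."""
    principals = [f"arn:aws:iam::{acct}:root" for acct in account_ids]
    object_actions = [a for a in actions if a != "s3:ListBucket"]
    statements = [{"Sid": "CrossAccountObjectRead", "Effect": "Allow",
                   "Principal": {"AWS": principals}, "Action": object_actions,
                   "Resource": f"{bucket_arn}/*"}]
    if "s3:ListBucket" in actions:
        statements.append({"Sid": "CrossAccountList", "Effect": "Allow",
                           "Principal": {"AWS": principals},
                           "Action": "s3:ListBucket", "Resource": bucket_arn})
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    """IAM allows a string or a list in Principal, Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])


def policy_findings(policy_json, bucket_arn):
    """Return problems found in a bucket policy document (empty list == clean):
    wildcard principals, wildcard actions, resources outside the bucket."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        aws_principal = principal.get("AWS") if isinstance(principal, dict) else principal
        if "*" in _as_list(aws_principal):
            findings.append(f"{sid}: wildcard principal makes the grant public")
        if any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action"))):
            findings.append(f"{sid}: wildcard action")
        for res in _as_list(stmt.get("Resource")):
            if res != bucket_arn and not res.startswith(bucket_arn + "/"):
                findings.append(f"{sid}: resource {res} is outside the bucket")
    return findings


# Constructed sample values, not a real bucket or account ID.
BUCKET_ARN = "arn:aws:s3:::model-artifact-bucket-example"
SAFE_POLICY = json.dumps(build_cross_account_policy(
    BUCKET_ARN, ["111111111111"], ("s3:GetObject", "s3:ListBucket")))
# The same share written with a "*" shortcut: what the checker should catch.
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Oops", "Effect": "Allow", "Principal": "*", "Action": "s3:*",
    "Resource": f"{BUCKET_ARN}/*"}]})
```

    Calling policy_findings(SAFE_POLICY, BUCKET_ARN) returns an empty list, while policy_findings(OPEN_POLICY, BUCKET_ARN) reports both the wildcard principal and the wildcard action; the same check can be run against the JSON that the Pulumi program produces before the policy is applied.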

    Please ensure that you have AWS credentials configured on your machine where Pulumi CLI is installed, as it uses them to authenticate against the AWS services.