
How do I create an AWS IAM policy for cross-account S3 access?

In this guide, we will create an AWS IAM policy that allows cross-account access to an S3 bucket. This is useful when you want to grant permissions to users or services in a different AWS account to access your S3 bucket.

We will define:

  1. An S3 bucket in the source account.
  2. An IAM policy in the destination account that grants access to the S3 bucket in the source account.

AWS allows a cross-account request only when both accounts allow it, so the bucket in the source account also needs a bucket policy that names the destination account as the Principal. An identity-based IAM policy cannot carry a Principal element at all; IAM rejects such a document as malformed.

import * as aws from "@pulumi/aws";

// Define the S3 bucket in the source account
const sourceBucket = new aws.s3.Bucket("sourceBucket", {
    bucket: "source-bucket-name",
});

// Define the IAM policy in the destination account.
// This is an identity-based policy, so it must not contain a Principal
// element (IAM rejects it as a malformed policy document); the principal
// is whichever user or role the policy is later attached to.
// Note: with a single default provider both resources land in the same
// account; use a separate aws.Provider per account to split them.
const crossAccountPolicy = new aws.iam.Policy("crossAccountPolicy", {
    description: "IAM policy for cross-account S3 access",
    policy: sourceBucket.arn.apply(bucketArn => JSON.stringify({
        Version: "2012-10-17",
        Statement: [
            {
                Effect: "Allow",
                Action: [
                    "s3:GetObject",
                    "s3:ListBucket",
                ],
                Resource: [
                    bucketArn,          // s3:ListBucket applies to the bucket itself
                    `${bucketArn}/*`,   // s3:GetObject applies to the objects
                ],
            },
        ],
    })),
});

// The source-account bucket must also allow the destination account.
// A bucket policy is resource-based, which is where the Principal belongs.
const crossAccountBucketPolicy = new aws.s3.BucketPolicy("crossAccountBucketPolicy", {
    bucket: sourceBucket.id,
    policy: sourceBucket.arn.apply(bucketArn => JSON.stringify({
        Version: "2012-10-17",
        Statement: [
            {
                Effect: "Allow",
                Principal: {
                    AWS: "arn:aws:iam::DESTINATION_ACCOUNT_ID:root",
                },
                Action: ["s3:GetObject", "s3:ListBucket"],
                Resource: [bucketArn, `${bucketArn}/*`],
            },
        ],
    })),
});

// Export the bucket name and policy ARN
export const bucketName = sourceBucket.bucket;
export const policyArn = crossAccountPolicy.arn;

Key Points

  • S3 Bucket: This is the bucket in the source account that we want to share access to.
  • IAM Policy: This identity-based policy, attached to a user or role in the destination account, grants read access (s3:GetObject and s3:ListBucket) to the S3 bucket in the source account.
  • Principal: The AWS account ID of the destination account that will have access to the S3 bucket. It belongs in the bucket policy on the source-account side, never in the identity-based IAM policy.
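The two-sided shape of the grant, as an added example that is not part of the original page or of Pulumi's own code: plain TypeScript with no Pulumi imports that builds the bucket policy for the source account and the identity policy for the destination account, lints both for the common mistakes (a Principal inside an identity policy, a bucket policy open to "*"), and evaluates a request the way IAM does for cross-account access, allowing it only when both documents allow it. The account ID 111122223333, the function names, and the simplified evaluator (exact action and resource match, explicit Deny wins, no Conditions or wildcards) are assumptions of this example.

```typescript
// Added example (not from the original page or from Pulumi). All names and
// the account ID 111122223333 are constructed for illustration.

type Statement = {
    Effect: "Allow" | "Deny";
    Action: string[];
    Resource: string[];
    Principal?: { AWS: string };   // only valid in resource-based policies
};

type PolicyDocument = {
    Version: "2012-10-17";
    Statement: Statement[];
};

const READ_ACTIONS = ["s3:GetObject", "s3:ListBucket"];

// Resource-based policy for the bucket in the SOURCE account. This is the
// document that names the other account, so the Principal belongs here.
function bucketPolicyForAccount(bucketArn: string, destinationAccountId: string): PolicyDocument {
    if (!/^\d{12}$/.test(destinationAccountId)) {
        throw new Error("destination account id must be 12 digits");
    }
    return {
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Principal: { AWS: `arn:aws:iam::${destinationAccountId}:root` },
            Action: [...READ_ACTIONS],
            // ListBucket is checked against the bucket ARN, GetObject against objects.
            Resource: [bucketArn, `${bucketArn}/*`],
        }],
    };
}

// Identity-based policy for the role or user in the DESTINATION account.
// It has no Principal: the identity it is attached to is the principal.
function identityPolicyForBucket(bucketArn: string): PolicyDocument {
    return {
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Action: [...READ_ACTIONS],
            Resource: [bucketArn, `${bucketArn}/*`],
        }],
    };
}

// Lint the identity side: IAM rejects Principal in identity policies, and
// s3:ListBucket must be granted on the bucket ARN itself, not only on objects.
function validateIdentityPolicy(doc: PolicyDocument): string[] {
    const errors: string[] = [];
    doc.Statement.forEach((s, i) => {
        if (s.Principal !== undefined) {
            errors.push(`statement ${i}: Principal is not allowed in an identity-based policy`);
        }
        if (s.Action.includes("s3:ListBucket") && !s.Resource.some(r => !r.endsWith("/*"))) {
            errors.push(`statement ${i}: s3:ListBucket needs the bucket ARN, not only objects`);
        }
    });
    return errors;
}

// Lint the bucket side: every statement must name exactly the intended
// account; a Principal of "*" would make the bucket readable by anyone.
function validateBucketPolicy(doc: PolicyDocument, destinationAccountId: string): string[] {
    const expected = `arn:aws:iam::${destinationAccountId}:root`;
    const errors: string[] = [];
    doc.Statement.forEach((s, i) => {
        if (s.Principal === undefined) {
            errors.push(`statement ${i}: a bucket policy statement needs a Principal`);
        } else if (s.Principal.AWS === "*") {
            errors.push(`statement ${i}: Principal "*" makes the bucket public`);
        } else if (s.Principal.AWS !== expected) {
            errors.push(`statement ${i}: Principal ${s.Principal.AWS} is not the destination account`);
        }
    });
    return errors;
}

function statementMatches(s: Statement, action: string, resource: string): boolean {
    return s.Action.includes(action) && s.Resource.includes(resource);
}

// Simplified cross-account evaluation (assumption: exact match, no wildcards
// or Conditions). An explicit Deny on either side wins; otherwise the request
// is allowed only if BOTH the bucket policy (for this account's principal)
// and the identity policy allow it.
function crossAccountAccessAllowed(
    bucketPolicy: PolicyDocument,
    identityPolicy: PolicyDocument,
    destinationAccountId: string,
    action: string,
    resource: string,
): boolean {
    const principalArn = `arn:aws:iam::${destinationAccountId}:root`;
    const all = [...bucketPolicy.Statement, ...identityPolicy.Statement];
    if (all.some(s => s.Effect === "Deny" && statementMatches(s, action, resource))) {
        return false;
    }
    const bucketAllows = bucketPolicy.Statement.some(s =>
        s.Effect === "Allow" && s.Principal?.AWS === principalArn && statementMatches(s, action, resource));
    const identityAllows = identityPolicy.Statement.some(s =>
        s.Effect === "Allow" && statementMatches(s, action, resource));
    return bucketAllows && identityAllows;
}
```

In a Pulumi program, JSON.stringify(bucketPolicyForAccount(...)) is what goes into the policy argument of aws.s3.BucketPolicy in the source account's stack, and JSON.stringify(identityPolicyForBucket(...)) into aws.iam.Policy in the destination account's stack; give each stack its own aws.Provider (or run them as two stacks) so each resource actually lands in the intended account, and run the two validators before deploying.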

Summary

We have created an S3 bucket in the source account and an IAM policy in the destination account that allows cross-account access to the bucket; the access takes effect only once the bucket policy in the source account also names the destination account. This setup is useful for scenarios where resources in one AWS account need to access S3 buckets in another account.
