
Looking for a policy for an S3 bucket that will allow all IAM roles and users from a different account to download files from the bucket located in my AWS account.

Thanks for the help

hightest
  • Just a note, as it's not quite what you've asked, but allowing a specific role from another account to access a bucket is more difficult. You have to get the role's aws:userid using "aws iam get-role", then use that userid in the bucket policy. It's documented here, but it takes some time to get your head around it: https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/ – Tim Feb 04 '21 at 18:00

1 Answer

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "Example permissions",
         "Effect": "Allow",
         "Principal": {
            "AWS": "arn:aws:iam::AccountB-ID:root"
         },
         "Action": [
            "s3:GetBucketLocation",
            "s3:ListBucket"
         ],
         "Resource": [
            "arn:aws:s3:::awsexamplebucket1"
         ]
      }
   ]
}

Directly from the docs.

Nick
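A complete pair of policies for what the question asks, added here as an example (it is not code from the answer above or from AWS documentation; the account ID 111122223333, the bucket name and the role ARN are placeholders). The policy in the answer grants only the bucket-level actions s3:ListBucket and s3:GetBucketLocation on the bucket ARN, so a caller from the other account can list the bucket but s3:GetObject is still denied. Downloading needs a second statement that grants s3:GetObject on the object ARN (bucket/*), and because the Principal is the account root, the user or role in the other account also needs its own IAM policy allowing the same actions. The block generates both policies and includes a check that flags statements whose actions and resource types do not match, which is the usual reason a policy that "looks right" grants nothing.

```python
"""Cross-account S3 download: bucket policy (account A) plus IAM policy (account B).

Added example, not code from the original answer or from AWS documentation.
Account ID, bucket name and role name are placeholders.
"""
import json

BUCKET = "awsexamplebucket1"     # placeholder bucket owned by account A
ACCOUNT_B = "111122223333"       # placeholder 12-digit ID of the other account
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
OBJECTS_ARN = f"{BUCKET_ARN}/*"

# ListBucket/GetBucketLocation are evaluated against the bucket ARN, GetObject
# against an object ARN (bucket/key or bucket/*). Pairing them the other way
# round is valid JSON that S3 accepts, but it grants nothing.
BUCKET_LEVEL = {"s3:ListBucket", "s3:GetBucketLocation"}
OBJECT_LEVEL = {"s3:GetObject", "s3:GetObjectVersion"}

# The policy from the answer above, kept for comparison: it lets account B
# list the bucket but never grants s3:GetObject, so downloads still fail.
DOC_EXAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Example permissions",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_B}:root"},
        "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
        "Resource": [BUCKET_ARN],
    }],
}

def bucket_policy(principal_arn: str) -> dict:
    """Bucket policy on account A's bucket. 'arn:aws:iam::<B>:root' delegates
    to all of account B (what the question asks for); a role ARN such as
    'arn:aws:iam::<B>:role/Reader' restricts it to that one role."""
    def allow(sid, actions, resource):
        return {"Sid": sid, "Effect": "Allow", "Principal": {"AWS": principal_arn},
                "Action": sorted(actions), "Resource": resource}
    return {
        "Version": "2012-10-17",
        "Statement": [
            allow("AllowListFromOtherAccount", BUCKET_LEVEL, BUCKET_ARN),
            allow("AllowDownloadFromOtherAccount", OBJECT_LEVEL, OBJECTS_ARN),
        ],
    }

def identity_policy_for_account_b() -> dict:
    """IAM policy for the users/roles in account B. With a root principal in
    the bucket policy, a caller gets access only when both the bucket policy
    and its own identity policy allow the action."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": sorted(BUCKET_LEVEL | OBJECT_LEVEL),
            "Resource": [BUCKET_ARN, OBJECTS_ARN],
        }],
    }

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _is_object_arn(r: str) -> bool:
    return r.startswith("arn:aws:s3:::") and "/" in r

def grants_object_download(policy: dict) -> bool:
    """True if an Allow statement grants s3:GetObject (or a wildcard covering
    it) on an object ARN or on '*'."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if any(a in ("s3:GetObject", "s3:Get*", "s3:*", "*") for a in actions) \
                and any(r == "*" or _is_object_arn(r) for r in resources):
            return True
    return False

def mismatched_statements(policy: dict) -> list:
    """Sids of Allow statements whose actions do not fit their resource type
    (object action without an object ARN, bucket action without a bucket ARN)."""
    bad = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = set(_as_list(st.get("Action", [])))
        resources = _as_list(st.get("Resource", []))
        if "*" in resources:
            continue
        has_object = any(_is_object_arn(r) for r in resources)
        has_bucket = any(r.startswith("arn:aws:s3:::") and not _is_object_arn(r)
                         for r in resources)
        if (actions & OBJECT_LEVEL and not has_object) or \
                (actions & BUCKET_LEVEL and not has_bucket):
            bad.append(st.get("Sid", "<no Sid>"))
    return bad

if __name__ == "__main__":
    print(json.dumps(bucket_policy(f"arn:aws:iam::{ACCOUNT_B}:root"), indent=2))
    print("answer's policy allows download:", grants_object_download(DOC_EXAMPLE_POLICY))
```

Write the output of bucket_policy() to a file and apply it in account A with aws s3api put-bucket-policy --bucket awsexamplebucket1 --policy file://policy.json; attach identity_policy_for_account_b() to the users or roles in account B. If the bucket uses SSE-KMS with a customer-managed key, the other account additionally needs kms:Decrypt on that key, which no S3 policy can grant.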