Apart from using IAM roles, you can also do this through a bucket policy on the S3 bucket in the source account (Account A), granting access to another account (Account B) without specifying a particular user in the accessing account (Account B). An advantage of this approach is that roles in the accessing account (Account B) can read/write directly to the bucket without first having to get temporary credentials from sts:AssumeRole.
There are two steps:
1. In Account A, set the S3 bucket policy to allow Account B access.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CrossAccountAccess",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<Account B ID>:root"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::account-a-s3",
                "arn:aws:s3:::account-a-s3/*"
            ]
        }
    ]
}
2. In Account B, get the AWS CLI and use any user (from Account B) that has S3 read/write access assigned.
$ aws s3 ls s3://account-a-s3
You should be able to list the bucket now. You can change the actions in the S3 bucket policy to whatever you want to allow.
Note: Remember that with the above policy, any resource in Account B that has the global S3 action policies attached can access the S3 bucket. If you need fine-grained access, go for the IAM cross-account role approach.
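
To find bucket policies with the breadth the note above describes, the following added example (not part of the original post) flags Allow statements that grant all S3 actions to another account as a whole. The account IDs are constructed placeholders, and the function names are hypothetical.

```python
import json
import re

# Constructed input: this page's policy with placeholder account IDs.
OWNER_ACCOUNT = "111111111111"  # stands in for Account A
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{
    "Sid": "CrossAccountAccess", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::account-a-s3", "arn:aws:s3:::account-a-s3/*"]
}]}
""")

ROOT_ARN = re.compile(r"arn:aws[a-z-]*:iam::(\d{12}):root")

def as_list(value):
    """Policy fields may hold one string or a list of strings."""
    return value if isinstance(value, list) else [value]

def delegated_accounts(principal):
    """Account IDs trusted as a whole: a :root ARN or a bare 12-digit ID."""
    if not isinstance(principal, dict):
        return []  # "Principal": "*" is a separate finding, out of scope here
    ids = []
    for entry in as_list(principal.get("AWS", [])):
        match = ROOT_ARN.fullmatch(entry)
        if match:
            ids.append(match.group(1))
        elif re.fullmatch(r"\d{12}", entry):
            ids.append(entry)
    return ids

def audit(policy, owner_account):
    """Flag Allow statements granting all S3 actions to another whole account."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        broad = [a for a in as_list(stmt.get("Action", [])) if a.lower() in ("*", "s3:*")]
        for account in delegated_accounts(stmt.get("Principal")):
            if broad and account != owner_account:
                findings.append({"sid": stmt.get("Sid"), "account": account,
                                 "actions": broad, "conditioned": "Condition" in stmt})
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_POLICY, OWNER_ACCOUNT))
```

The `conditioned` field only records whether the statement carries a `Condition` block; it does not evaluate what that condition restricts.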