Access AWS S3 bucket from another account using bucket policy

Adding multiple git accounts on same computer
August 2, 2018
AWS KMS Python : Upload & download file in S3
September 21, 2018

Access AWS S3 bucket from another account using bucket policy

Apart from using the IAM roles, you can also do this through a bucket policy on the source account(Account A) S3 bucket, granting access to another account(Account B), but not specifying a particular user in the (Account B) accessing account. An advantage of this approach is that your (Account B) accessing account roles would be able to read/write directly to the bucket without having to get temporary credentials from sts:AssumeRole first.

There are two steps:

In the Account A, set the S3 bucket policies to allow the Account B access.

  1. In the(Account A), set s3 bucket policy.
{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "CrossAccountAccess",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::<Account B ID>:root"
        },
        "Action": "s3:*",
        "Resource": [
            "arn:aws:s3:::account-a-s3",
            "arn:aws:s3:::account-a-s3/*"
        ]
    }
  ]
}

2. In account B, get the AWS CLI and use any user(from account B) which is having s3 read/write access assigned.

$: aws s3 ls s3://account-a-s3

You should able to list the bucket now. You can change the actions whatever you want to set in s3 bucket policy.
Note: Remember with above policy any resource from the Account B can access the S3 bucket who has the global s3 action policies attached. If you need fine grained access in it then you can go for IAM cross account role approach.

Bitnami