How can I grant a user in another AWS account the access to upload objects to my Amazon S3 bucket?

Last updated: 2021-02-10

I want to grant an AWS Identity and Access Management (IAM) user in another account access to my Amazon Simple Storage Service (Amazon S3) bucket. The user is trying to upload objects to my Amazon S3 bucket. How can I grant this cross-account access?

Resolution

Follow these steps to grant an IAM user from Account A the access to upload objects to an S3 bucket in Account B:

1. From Account A, attach a policy to the IAM user. The policy must allow the user to run the s3:PutObject and s3:PutObjectAcl actions on the bucket in Account B.

For example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
            ]
        }
    ]
}

Note: The s3:PutObjectAcl permission is required for users that must specify an object access control list (ACL) during upload. Without this permission, users get an Access Denied error when they upload an object with an ACL (such as the bucket-owner-full-control ACL).

2. From Account A, get the Amazon Resource Name (ARN) of the IAM user.

3. From Account B, attach a bucket policy that grants the IAM user in Account A permission to run the s3:PutObject and s3:PutObjectAcl actions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DelegateS3Access",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::999999999999:user/UploadData"},
            "Action": ["s3:PutObject", "s3:PutObjectAcl"],
            "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
            ]
        }
    ]
}

Important: For the value of Principal, be sure to enter the ARN of the IAM user in Account A.

After you set up the IAM user policy in Account A and bucket policy in Account B, the IAM user can upload objects to Amazon S3.
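The following Python script is an added example, not part of this article and not AWS code. It builds the two policies from the steps above from placeholder values (the account ID 999999999999, the user name UploadData and the bucket name DOC-EXAMPLE-BUCKET are the article's placeholders) and then applies the cross-account rule that the article relies on: a request from an IAM user in Account A to a bucket in Account B is allowed only when the identity policy in Account A and the bucket policy in Account B both allow every action the request needs. The evaluator is a deliberately simplified model (Allow/Deny statements, Action/Resource wildcards and an AWS principal match only; no Condition keys, NotAction, NotResource or service control policies), so use it to check your reasoning about the two-policy setup, not as a replacement for the IAM policy simulator.

```python
"""Simplified model of the cross-account S3 upload setup.

Added example; not AWS code. Account ID, user name and bucket name below
are constructed placeholders. The evaluator models only Allow/Deny
statements with Action/Resource wildcards and a plain AWS principal match;
Condition keys, NotAction, NotResource and SCPs are ignored.
"""
import fnmatch
import json

ACCOUNT_A = "999999999999"                  # constructed: owns the IAM user
BUCKET = "DOC-EXAMPLE-BUCKET"               # placeholder bucket in Account B
USER_ARN = f"arn:aws:iam::{ACCOUNT_A}:user/UploadData"


def identity_policy(bucket: str) -> dict:
    """Step 1: the identity policy attached to the IAM user in Account A."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:PutObjectAcl"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def bucket_policy(bucket: str, principal_arn: str) -> dict:
    """Step 3: the bucket policy in Account B that names the Account A user."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DelegateS3Access",
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": ["s3:PutObject", "s3:PutObjectAcl"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_action(patterns, action: str) -> bool:
    # Action names are case-insensitive; '*' and '?' behave like IAM wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _matches_resource(patterns, resource: str) -> bool:
    # ARNs are case-sensitive; 'bucket/*' matches any key, including nested ones.
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def _principal_matches(stmt: dict, principal_arn) -> bool:
    principal = stmt.get("Principal", "*")
    if principal == "*":
        return True
    return principal_arn in _as_list(principal.get("AWS", []))


def evaluate(policy: dict, action: str, resource: str, principal_arn=None) -> str:
    """Return 'deny', 'allow' or 'implicit_deny' for a single policy.

    principal_arn is consulted only for statements that carry a Principal
    element, i.e. resource-based policies such as the bucket policy.
    """
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        if "Principal" in stmt and not _principal_matches(stmt, principal_arn):
            continue
        if not _matches_action(stmt.get("Action", []), action):
            continue
        if not _matches_resource(stmt.get("Resource", []), resource):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"            # an explicit deny always wins
        decision = "allow"
    return decision


def cross_account_upload_allowed(identity_pol: dict, bucket_pol: dict,
                                 principal_arn: str, bucket: str, key: str,
                                 with_acl: bool) -> bool:
    """Cross-account rule: the caller's identity policy AND the bucket owner's
    bucket policy must both allow every action the request needs. An upload
    that sets an ACL (for example bucket-owner-full-control) needs
    s3:PutObjectAcl in addition to s3:PutObject."""
    resource = f"arn:aws:s3:::{bucket}/{key}"
    actions = ["s3:PutObject"] + (["s3:PutObjectAcl"] if with_acl else [])
    for action in actions:
        if evaluate(identity_pol, action, resource) != "allow":
            return False
        if evaluate(bucket_pol, action, resource, principal_arn) != "allow":
            return False
    return True


if __name__ == "__main__":
    print(json.dumps(bucket_policy(BUCKET, USER_ARN), indent=4))
    ok = cross_account_upload_allowed(identity_policy(BUCKET), bucket_policy(BUCKET, USER_ARN),
                                      USER_ARN, BUCKET, "reports/2021.csv", with_acl=True)
    print("upload with ACL allowed:", ok)
    # The Access Denied case from the note: drop s3:PutObjectAcl on the identity side.
    weak = identity_policy(BUCKET)
    weak["Statement"][0]["Action"] = ["s3:PutObject"]
    print("upload with ACL, identity policy lacks PutObjectAcl:",
          cross_account_upload_allowed(weak, bucket_policy(BUCKET, USER_ARN),
                                       USER_ARN, BUCKET, "reports/2021.csv", with_acl=True))
```

Running the script shows the two failure modes a practitioner most often hits: removing s3:PutObjectAcl from either policy breaks uploads that set an ACL while plain uploads keep working, and a bucket policy whose Principal names a different ARN denies the user even though the identity policy in Account A is complete.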
