How can I grant a user in another AWS account the access to upload objects to my Amazon S3 bucket?

Last updated: 2020-11-02

I want an AWS Identity and Access Management (IAM) user in another AWS account to be able to upload objects to my Amazon Simple Storage Service (Amazon S3) bucket. How can I grant this cross-account access?

Resolution

Follow these steps to grant an IAM user from one account (Account A) the access to upload objects to an S3 bucket in another account (Account B):

1. From Account A, attach a policy to the IAM user that allows the user to run the s3:PutObject and s3:PutObjectAcl actions on the bucket in Account B, similar to the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
            ]
        }
    ]
}

Note: The s3:PutObjectAcl permission is required for users that must specify an object access control list (ACL) during upload. Without this permission, users get an Access Denied error when they upload an object with an ACL, such as the bucket-owner-full-control ACL or the public-read ACL.

2. From Account A, get the Amazon Resource Name (ARN) of the IAM user.

3. From Account B, attach a bucket policy that grants the IAM user in Account A the permission to run the s3:PutObject and s3:PutObjectAcl actions, similar to the following:

Important: For the value of Principal, be sure to enter the ARN of the IAM user in Account A.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DelegateS3Access",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::999999999999:user/UploadData"},
            "Action": ["s3:PutObject", "s3:PutObjectAcl"],
            "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
            ]
        }
    ]
}

After you set up the IAM user policy in Account A and the bucket policy in Account B, the IAM user can upload objects to the bucket.
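The reason both policies are needed is the cross-account evaluation rule: for a principal in Account A acting on a resource in Account B, the identity-based policy in A and the bucket policy in B must each allow the request, and an explicit Deny in either one wins. The following Python program is an added example (not part of the article and not AWS code) that builds the two policy documents from the steps above and models that evaluation with a simplified matcher, so you can see which requests the pair of policies admits before attaching them. It also includes a defender's check for the "Important" note in step 3: that every Allow statement in the bucket policy names an explicit principal rather than a wildcard. The account ID, user name and bucket name are the article's placeholders; wildcard handling uses fnmatch as an approximation of IAM's matching and ignores NotAction/NotResource and conditions.

```python
"""Added example: models how AWS evaluates a cross-account S3 upload.
Identity policy (Account A) AND bucket policy (Account B) must both allow;
an explicit Deny in either policy wins. Simplified: no Condition, NotAction
or NotResource support, and wildcards are approximated with fnmatch."""
import fnmatch
from typing import Any, List, Optional

# Constructed sample values (the article's placeholders, not real resources)
BUCKET = "DOC-EXAMPLE-BUCKET"
USER_ARN = "arn:aws:iam::999999999999:user/UploadData"
UPLOAD_ACTIONS = ["s3:PutObject", "s3:PutObjectAcl"]


def bucket_arns(bucket: str) -> List[str]:
    """Both ARN forms from the article: the bucket itself and every key in it."""
    return [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]


def build_identity_policy(bucket: str) -> dict:
    """Step 1: the policy attached to the IAM user in Account A."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": list(UPLOAD_ACTIONS),
                           "Resource": bucket_arns(bucket)}]}


def build_bucket_policy(bucket: str, user_arn: str) -> dict:
    """Step 3: the bucket policy in Account B naming the Account A user."""
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "DelegateS3Access",
                           "Effect": "Allow",
                           "Principal": {"AWS": user_arn},
                           "Action": list(UPLOAD_ACTIONS),
                           "Resource": bucket_arns(bucket)}]}


def _as_list(value: Any) -> list:
    """IAM allows a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _any_match(patterns: list, value: str) -> bool:
    # IAM's * and ? wildcards behave like shell globs; fnmatch's * also spans '/'
    return any(fnmatch.fnmatchcase(value, str(p)) for p in patterns)


def _principal_matches(principal: Any, principal_arn: str) -> bool:
    """Match the caller's ARN against a statement's Principal element."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return _any_match(_as_list(principal.get("AWS")), principal_arn)
    return False


def policy_decision(policy: dict, action: str, resource: str,
                    principal_arn: Optional[str] = None) -> str:
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one policy document.
    principal_arn is checked only for resource-based (bucket) policies."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not _any_match(_as_list(stmt.get("Action")), action):
            continue
        if not _any_match(_as_list(stmt.get("Resource")), resource):
            continue
        if principal_arn is not None and not _principal_matches(
                stmt.get("Principal"), principal_arn):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"  # an explicit Deny always wins
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def cross_account_allowed(identity_policy: dict, bucket_policy: dict,
                          user_arn: str, action: str, resource: str) -> bool:
    """Cross-account rule: both sides must say Allow; neither may say Deny."""
    return (policy_decision(identity_policy, action, resource) == "Allow"
            and policy_decision(bucket_policy, action, resource, user_arn) == "Allow")


def bucket_policy_principals_are_specific(bucket_policy: dict) -> bool:
    """Check for the step 3 note: every Allow statement must name an explicit
    principal; a '*' principal would grant the upload right to any AWS account."""
    for stmt in _as_list(bucket_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        if any(p == "*" for p in aws):
            return False
    return True


if __name__ == "__main__":
    identity = build_identity_policy(BUCKET)
    bucket = build_bucket_policy(BUCKET, USER_ARN)
    key = f"arn:aws:s3:::{BUCKET}/reports/2020-11.csv"  # constructed object ARN
    for act in UPLOAD_ACTIONS + ["s3:GetObject"]:
        print(act, cross_account_allowed(identity, bucket, USER_ARN, act, key))
    print("identity policy alone:",
          cross_account_allowed(identity, {"Statement": []}, USER_ARN, "s3:PutObject", key))
    print("bucket policy names a specific principal:",
          bucket_policy_principals_are_specific(bucket))
```

Running the program shows s3:PutObject and s3:PutObjectAcl allowed and s3:GetObject implicitly denied, and that the identity policy on its own (with no bucket policy in Account B) is not enough. Swapping the Principal for "*" makes the specific-principal check fail, which is the misconfiguration the step 3 note warns against.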
