I want an AWS Identity and Access Management (IAM) user in another AWS account to be able to upload objects to my Amazon Simple Storage Service (Amazon S3) bucket. How can I grant this cross-account access?

Follow these steps to grant an IAM user in one account (Account A) access to upload objects to an S3 bucket in another account (Account B):

1.    From Account A, attach a policy to the IAM user that allows the user to run the s3:PutObject and s3:ListBucket actions on the bucket in Account B, similar to the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::bucketname",
                "arn:aws:s3:::bucketname/*"
            ]
        }
    ]
}

2.    From Account A, get the Amazon Resource Name (ARN) of the IAM user. It has the form arn:aws:iam::999999999999:user/UploadData, where 999999999999 is the ID of Account A.

3.    From Account B, attach a bucket policy that grants the IAM user in Account A the permission to run the s3:PutObject and s3:ListBucket actions, similar to the following:

Important: For the value of Principal, be sure to enter the ARN of the IAM user in Account A.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DelegateS3Access",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::999999999999:user/UploadData"},
            "Action": ["s3:PutObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::bucketname",
                "arn:aws:s3:::bucketname/*"
            ]
        }
    ]
}

After you set up the IAM user policy in Account A and the bucket policy in Account B, the IAM user can upload objects to the bucket. Both policies are required: for a cross-account request, IAM allows the action only when the identity-based policy in the caller's account and the bucket policy in the bucket owner's account each allow it, and an explicit Deny in either place (or in an AWS Organizations service control policy) overrides both.

Note: Unless the bucket's S3 Object Ownership setting is "Bucket owner enforced", objects uploaded by the Account A user are owned by Account A, and Account B can't read them by default. To keep the bucket owner in control of uploaded objects, require the uploader to set the bucket-owner-full-control canned ACL, for example by adding "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}} to the s3:PutObject statement of the bucket policy. Put that condition in a statement separate from s3:ListBucket, because the s3:x-amz-acl key is not present on list requests and the condition would make listing fail.
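To show why both policies are needed, here is an added example (not code from the AWS page): a small Python model of how IAM combines the identity-based policy from step 1 with the bucket policy from step 3 for a cross-account request, plus a hardened variant of the bucket policy that requires the bucket-owner-full-control ACL on uploads. The Account B ID (111111111111), the object key, and the hardened policy are assumptions made for the example; the model deliberately omits SCPs, permission boundaries, session policies, NotAction/NotResource, and every condition operator except StringEquals.

```python
"""Toy model of IAM cross-account evaluation (added example, not from the AWS page).

Rule modelled: a principal in one account can act on a bucket in another account
only when the identity-based policy in the caller's account AND the bucket policy
in the bucket owner's account both allow the request, and nothing explicitly
denies it. Within a single account, an Allow in either policy is enough.
"""
import fnmatch

ACCOUNT_A = "999999999999"                      # owns the IAM user (from the page)
ACCOUNT_B = "111111111111"                      # owns the bucket (assumed value)
USER_ARN = f"arn:aws:iam::{ACCOUNT_A}:user/UploadData"
BUCKET_ARN = "arn:aws:s3:::bucketname"

# Step 1: identity-based policy attached to the user in Account A.
USER_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:ListBucket"],
    "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]}]}

# Step 3: bucket policy attached to the bucket in Account B.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DelegateS3Access",
    "Effect": "Allow",
    "Principal": {"AWS": USER_ARN},
    "Action": ["s3:PutObject", "s3:ListBucket"],
    "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]}]}

# Assumed variant of step 3 that forces uploads to grant the bucket owner full
# control. The condition sits in its own statement: s3:x-amz-acl is absent on
# ListBucket requests, so a shared statement would silently break listing.
HARDENED_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowList", "Effect": "Allow", "Principal": {"AWS": USER_ARN},
     "Action": "s3:ListBucket", "Resource": BUCKET_ARN},
    {"Sid": "AllowPutWithOwnerControl", "Effect": "Allow",
     "Principal": {"AWS": USER_ARN}, "Action": "s3:PutObject",
     "Resource": BUCKET_ARN + "/*",
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]}

EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM treats '*' and '?' as wildcards in Action and Resource elements.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(principal, caller_arn):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return _matches(principal.get("AWS", []), caller_arn)
    return False


def _conditions_hold(conditions, context):
    # Only StringEquals is modelled. As in IAM, a key missing from the request
    # context makes a StringEquals condition evaluate to false.
    for operator, pairs in (conditions or {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def _evaluate(policy, caller_arn, action, resource, context, check_principal):
    """Return 'Deny', 'Allow' or 'Implicit' for one policy document."""
    result = "Implicit"
    for stmt in policy["Statement"]:
        if check_principal and not _principal_matches(stmt.get("Principal"), caller_arn):
            continue
        if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource):
            continue
        if not _conditions_hold(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"                       # an explicit Deny always wins
        result = "Allow"
    return result


def account_of(arn):
    return arn.split(":")[4]


def is_allowed(caller_arn, action, resource, identity_policy, bucket_policy,
               bucket_account, context=None):
    """Decide a request the way IAM combines identity and resource policies."""
    context = context or {}
    ident = _evaluate(identity_policy, caller_arn, action, resource, context, False)
    bucket = _evaluate(bucket_policy, caller_arn, action, resource, context, True)
    if "Deny" in (ident, bucket):
        return False
    if account_of(caller_arn) == bucket_account:
        return "Allow" in (ident, bucket)       # same account: either Allow suffices
    return ident == "Allow" and bucket == "Allow"   # cross-account: both must allow


if __name__ == "__main__":
    obj = BUCKET_ARN + "/report.csv"            # constructed sample object key
    print("both policies      :", is_allowed(USER_ARN, "s3:PutObject", obj, USER_POLICY, BUCKET_POLICY, ACCOUNT_B))
    print("user policy only   :", is_allowed(USER_ARN, "s3:PutObject", obj, USER_POLICY, EMPTY_POLICY, ACCOUNT_B))
    print("hardened, no ACL   :", is_allowed(USER_ARN, "s3:PutObject", obj, USER_POLICY, HARDENED_BUCKET_POLICY, ACCOUNT_B))
```

Running the module prints True, False, False: the upload works only when both accounts allow it, and the hardened bucket policy rejects a PutObject that does not carry the bucket-owner-full-control ACL (an aws s3 cp with --acl bucket-owner-full-control supplies it). A second user in Account A with the same identity policy is still refused, because the bucket policy names the exact user ARN.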


Published: 2019-01-22