I'm trying to add another AWS account to the access control list (ACL) of my Amazon Simple Storage Service (Amazon S3) bucket. I'm getting the error "The e-mail address you provided does not match any account on record", even though I verified that the address is correct. How can I fix this?
Enter the account's canonical user ID instead of the account email address. For instructions on retrieving this ID, see Finding Your Account Canonical User ID.
If your bucket is in a newer AWS Region, you must use the canonical user ID. Granting ACL permissions by email address is supported only in a handful of the original Regions (for example US East (N. Virginia), US West (Oregon), and Europe (Ireland)); in every other Region, Amazon S3 can't resolve the address to an account, so the request fails even when the address is correct. The canonical user ID is Region independent and always maps to the account. For more information about AWS Regions and their launch dates, see Global Infrastructure.
Note the following considerations for granting bucket access to another account:
- Objects uploaded to a bucket by another account are owned by the uploading account, so they aren't readable by the bucket's account by default. The account that uploaded the object must explicitly grant read permissions, for example by uploading with the bucket-owner-full-control canned ACL.
- Objects uploaded to a bucket by another account don't automatically inherit the permissions defined in the bucket policy. The bucket owner must take ownership of the object for the bucket policy to apply. For examples on how to grant the bucket owner ownership of an object, see Why can't I access an object that was uploaded to my Amazon S3 bucket by another AWS account?
- To allow another account to access your bucket, it's a best practice to use a bucket policy as a more centralized and comprehensive way to manage permissions. Note that buckets with S3 Object Ownership set to "Bucket owner enforced" (the default for new buckets) have ACLs disabled entirely; on those buckets, cross-account access must be granted with a bucket policy or IAM rather than an ACL grant.
- To allow another account to upload objects to your bucket, it's a best practice to create an AWS Identity and Access Management (IAM) role from your account that the other account can assume. When the other account uses the IAM role to upload objects, your account then owns the objects, because the role belongs to your account. For an example cross-account configuration using an IAM role, see Bucket Owner Granting Cross-account Permission to Objects It Does Not Own.
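The following Python script is an added example, not code from AWS or from this article, that puts the fix and the considerations above together: it validates that a grantee is a canonical user ID (not an email address), appends an ACL grant while preserving the bucket's existing ACL (put_bucket_acl replaces the whole ACL, so existing grants must be carried over and the response-only ResponseMetadata key must be dropped), and builds the bucket policy and IAM role trust policy that the considerations recommend instead of ACLs. The bucket name, account ID, canonical user IDs, and the sample ACL are constructed placeholders; the real boto3 client is only needed when you pass one to apply_acl_grant.

```python
"""Grant a second AWS account access to an S3 bucket by canonical user ID.

Added example, not AWS's own code. All IDs and the sample ACL below are
constructed placeholders. Pass a real boto3 S3 client to apply_acl_grant()
to change an actual bucket.
"""
import copy
import json
import re

# A canonical user ID is a 64-character lowercase hex string; an AWS account ID is 12 digits.
CANONICAL_ID_RE = re.compile(r"^[0-9a-f]{64}$")
ACCOUNT_ID_RE = re.compile(r"^[0-9]{12}$")
ACL_PERMISSIONS = {"FULL_CONTROL", "WRITE", "WRITE_ACP", "READ", "READ_ACP"}

# Constructed sample of what get_bucket_acl returns (assumption: IDs are placeholders).
SAMPLE_ACL = {
    "ResponseMetadata": {"HTTPStatusCode": 200},
    "Owner": {"DisplayName": "bucket-owner", "ID": "a" * 64},
    "Grants": [
        {
            "Grantee": {"Type": "CanonicalUser", "ID": "a" * 64, "DisplayName": "bucket-owner"},
            "Permission": "FULL_CONTROL",
        }
    ],
}
OTHER_CANONICAL_ID = "b" * 64  # placeholder for the other account's canonical user ID


def is_canonical_id(value):
    """True only for a well-formed canonical user ID; an email address never passes."""
    return bool(CANONICAL_ID_RE.match(value))


def add_canonical_grant(acl, canonical_id, permission):
    """Return a new AccessControlPolicy dict with one CanonicalUser grant added.

    `acl` is the dict returned by get_bucket_acl. The result is suitable for
    put_bucket_acl(AccessControlPolicy=...): existing grants are preserved,
    ResponseMetadata is stripped, and an identical existing grant is not duplicated.
    """
    if not is_canonical_id(canonical_id):
        raise ValueError("grantee must be a 64-hex-char canonical user ID, not an email address")
    if permission not in ACL_PERMISSIONS:
        raise ValueError(f"unknown ACL permission {permission!r}")
    new_grant = {"Grantee": {"Type": "CanonicalUser", "ID": canonical_id}, "Permission": permission}

    def key(grant):  # compare on grantee type, ID and permission; DisplayName may be absent
        return grant["Grantee"].get("Type"), grant["Grantee"].get("ID"), grant["Permission"]

    grants = copy.deepcopy(acl.get("Grants", []))
    if not any(key(g) == key(new_grant) for g in grants):
        grants.append(new_grant)
    return {"Owner": copy.deepcopy(acl["Owner"]), "Grants": grants}


def apply_acl_grant(s3, bucket, canonical_id, permission):
    """Read-modify-write the bucket ACL through a boto3-style S3 client."""
    current = s3.get_bucket_acl(Bucket=bucket)
    policy = add_canonical_grant(current, canonical_id, permission)
    s3.put_bucket_acl(Bucket=bucket, AccessControlPolicy=policy)
    return policy


def cross_account_bucket_policy(bucket, account_id, actions=("s3:GetObject", "s3:ListBucket")):
    """Bucket policy granting the other account's principals the listed actions (preferred over ACLs)."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError("account ID must be 12 digits")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "CrossAccountAccess",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": list(actions),
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def assume_role_trust_policy(account_id):
    """Trust policy for a role in the bucket owner's account that the other account assumes to upload.

    Objects written through this role are owned by the bucket owner's account.
    """
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError("account ID must be 12 digits")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


if __name__ == "__main__":
    print(json.dumps(add_canonical_grant(SAMPLE_ACL, OTHER_CANONICAL_ID, "READ"), indent=2))
    print(json.dumps(cross_account_bucket_policy("my-bucket", "123456789012"), indent=2))
    print(json.dumps(assume_role_trust_policy("123456789012"), indent=2))
```

To run this against a real bucket, create the client with `boto3.client("s3")` and call `apply_acl_grant(client, "my-bucket", "<canonical-user-id>", "READ")`; the ID comes from the account owner's Security Credentials page or `aws s3api list-buckets --query Owner.ID`. Prefer the bucket policy and role trust policy functions for new setups, since they work on buckets where ACLs are disabled.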