My problem is that I want to upload some data to an AWS S3 bucket via the API (Node.js @aws-sdk package), but I don't have credentials for the account where the bucket is.
Credentials needed to connect with aws-sdk:
1. Region:
2. Domain (endpoint):
3. Bucket:
4. Access key ID:
5. Secret access key:
Instead I was asked to create an account in AWS and set up an ARN user to which access will be granted from another AWS account, where the S3 bucket is.
I'm not very familiar with AWS, but this is how I see it:
This is called a cross-account trust set up. For this, let's assume the account having the S3 bucket is called A and the account you are creating is called B.
Now what you need is something like below:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RoleInAccountBAccessesBucketInAccountA",
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name-from-account-one",
                "arn:aws:s3:::bucket-name-from-account-one/*"
            ],
            "Effect": "Allow"
        }
    ]
}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BucketPolicyInAccountATrustsRoleFromAccountB",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::accountBID:role/your-role"
            },
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name-from-account-one",
                "arn:aws:s3:::bucket-name-from-account-one/*"
            ]
        }
    ]
}
Now you are almost done. All you need is to attach the role which you created in account B to the services running in account B that need to access the S3 bucket from account A. Ref: https://repost.aws/knowledge-center/cross-account-access-s3
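An added example, not code from the question or the answer above: a small Node.js check that compares the role policy from account B with the bucket policy from account A and lists the S3 actions the role is granted but the bucket policy does not allow to it (cross-account access needs both sides to allow an action). The two policies are constructed copies of the ones above with the page's placeholder ARNs; run as written it reports s3:PutObject, the action the asker needs for uploads.

```javascript
// Added example, not code from the question or the answer above. Cross-account
// access works only when BOTH the role policy (account B) and the bucket policy
// (account A) allow an action, so this lists actions the role policy grants that
// the bucket policy omits. Policies are copies of the page's; ROLE_ARN is a placeholder.
const ROLE_ARN = "arn:aws:iam::accountBID:role/your-role";
const BUCKET = "arn:aws:s3:::bucket-name-from-account-one";
const rolePolicy = { Version: "2012-10-17", Statement: [{ Effect: "Allow",
  Action: ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket", "s3:PutObject"],
  Resource: [BUCKET, BUCKET + "/*"] }] };
const bucketPolicy = { Version: "2012-10-17", Statement: [{ Effect: "Allow",
  Principal: { AWS: ROLE_ARN },
  Action: ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket"],
  Resource: [BUCKET, BUCKET + "/*"] }] };

// IAM accepts a scalar or an array in most elements; normalise to arrays.
const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// IAM wildcard matching for Action/Resource patterns such as "s3:Get*" or "*".
function matches(pattern, value) {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(value);
}

// True if some Allow statement in `policy` covers `action` on `resource`.
// For a bucket policy the statement must also name `principal` (or "*").
// Deny statements and Condition blocks are deliberately not evaluated here.
function allows(policy, action, resource, principal) {
  return asArray(policy.Statement).some((st) => {
    if (st.Effect !== "Allow") return false;
    if (principal !== undefined) {
      const who = st.Principal === "*" ? ["*"] : asArray(st.Principal && st.Principal.AWS);
      if (!who.some((p) => p === "*" || p === principal)) return false;
    }
    return asArray(st.Action).some((a) => matches(a, action)) &&
      asArray(st.Resource).some((r) => matches(r, resource));
  });
}

// Actions (taken literally) that the role policy grants on `resource` but the
// bucket policy does not grant to the role; each of these is denied at runtime.
function missingInBucketPolicy(rolePol, bucketPol, resource, roleArn) {
  const granted = new Set();
  for (const st of asArray(rolePol.Statement)) {
    if (st.Effect === "Allow" && asArray(st.Resource).some((r) => matches(r, resource)))
      asArray(st.Action).forEach((a) => granted.add(a));
  }
  return [...granted].filter((a) => !allows(bucketPol, a, resource, roleArn)).sort();
}

console.log(missingInBucketPolicy(rolePolicy, bucketPolicy, BUCKET + "/*", ROLE_ARN));
```

The check ignores Deny statements and Conditions, so an empty result means the Allow side is consistent, not that access is guaranteed.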