node.js, amazon-s3, aws-sdk, aws-sdk-js, aws-sdk-nodejs

ARN user for an AWS S3 bucket: how to manage the bucket via API (NodeJS)


My problem is that I want to upload some data to the AWS S3 Bucket via API (the NodeJS @aws-sdk package), but I don't have credentials for the account where the Bucket is.
Credentials needed to connect with aws-sdk:

1. Region:
2. Domain (endpoint):
3. Bucket:
4. Access key ID: 
5. Secret access key: 

Instead I was asked to create an account in AWS and set up an ARN user, to which access will be granted from the other AWS account where the S3 Bucket is.

I'm not very familiar with AWS, but this is how I see it:

  1. An ARN user is set up in the new AWS account.
  2. Access to the S3 Bucket in the second account is granted to this ARN user.
  3. I suppose via the AWS GUI I would be able to enter the bucket, however I want access to the S3 Bucket via the NodeJS package, so probably the next step is mandatory.
  4. I create an Access key ID and Secret access key for the account in which the ARN user was created, and the final question is:
    Will the S3 Bucket be visible under this account via API (aws-sdk NodeJS package)?

Solution

  • This is called a cross-account trust setup. For this, let's assume the account having the S3 bucket is called A and the account you are creating is called B.

    Now what you need is something like below:

    1. Create a new AWS account, say account B.
    2. Create a new role in account B which will allow access to the bucket in account A. For this you will need the name of the bucket in account A which you need access to; the role's policy will look something like this:
    {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Action": [
                   "s3:GetBucketLocation",
                   "s3:GetObject",
                   "s3:ListBucket",
                   "s3:PutObject"
               ],
               "Resource": [
                   "arn:aws:s3:::bucket-name-from-account-one",
                   "arn:aws:s3:::bucket-name-from-account-one/*"
               ],
               "Effect": "Allow"
           }
       ]
    }
    
    3. Now copy the ARN of this role.
    4. Go to AWS account A where the bucket is and add the bucket policy which will allow the role from AWS account B to access the bucket. The policy will look something like below (replace "arn:aws:iam::accountBID:role/your-role" with the ARN of the role from account B; the bucket policy must grant every action the role is expected to use, including s3:PutObject for uploads, since cross-account access needs both policies to allow it):
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::accountBID:role/your-role"
                },
                "Action": [
                    "s3:GetBucketLocation",
                    "s3:GetObject",
                    "s3:ListBucket",
                    "s3:PutObject"
                ],
                "Resource": [
                    "arn:aws:s3:::bucket-name-from-account-one",
                    "arn:aws:s3:::bucket-name-from-account-one/*"
                ]
            }
        ]
    }
    

    Now you are almost done. All you need is to attach the role which you created in account B to the services running in account B which need to access the S3 bucket from account A. Ref: https://repost.aws/knowledge-center/cross-account-access-s3
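Two things a practitioner usually wants at this point, as an added example that is not part of the question or the answer above: an offline check that the role policy in account B and the bucket policy in account A actually agree (a cross-account request is only allowed when both sides permit the action, so an action present in one policy but missing from the other fails with AccessDenied at runtime), and the Node.js upload itself using AWS SDK v3, which assumes the role and then calls PutObject. The role ARN, bucket name and session name below are constructed placeholders; the upload function assumes @aws-sdk/client-s3 and @aws-sdk/credential-providers are installed, that the process's own credentials belong to account B, and that the role's trust policy allows that caller to assume it.

```javascript
// Added example, not code from the original page. Helpers for the
// cross-account S3 setup described above.

function statementList(policy) {
  // "Statement" may be a single object or an array; normalise to an array.
  const s = policy.Statement;
  return Array.isArray(s) ? s : [s];
}

function toArray(v) {
  if (v === undefined || v === null) return [];
  return Array.isArray(v) ? v : [v];
}

function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Does an Action pattern such as "s3:*" or "s3:Get*" cover a concrete action?
function actionMatches(pattern, action) {
  const re = new RegExp("^" + pattern.split("*").map(escapeRe).join(".*") + "$", "i");
  return re.test(action);
}

// Does a bucket-policy Principal name this role ARN (or everyone)?
// A "*" principal makes the bucket public; it is matched here only so the
// check does not miss it, not because it is a recommended setting.
function principalMatches(principal, roleArn) {
  if (principal === "*") return true;
  const aws = toArray(principal && principal.AWS);
  return aws.includes("*") || aws.includes(roleArn);
}

// Returns the s3:* actions that rolePolicy (account B) allows but bucketPolicy
// (account A) does not grant to roleArn. Only Allow statements are considered;
// explicit Deny statements, Condition blocks and per-resource differences are
// out of scope for this check.
function checkCrossAccountGrants(rolePolicy, bucketPolicy, roleArn) {
  const wanted = new Set();
  for (const st of statementList(rolePolicy)) {
    if (st.Effect !== "Allow") continue;
    for (const a of toArray(st.Action)) if (a.startsWith("s3:")) wanted.add(a);
  }
  const granted = [];
  for (const st of statementList(bucketPolicy)) {
    if (st.Effect !== "Allow" || !principalMatches(st.Principal, roleArn)) continue;
    granted.push(...toArray(st.Action));
  }
  return [...wanted].filter((a) => !granted.some((g) => actionMatches(g, a))).sort();
}

// Constructed sample policies; the account id, role name and bucket are placeholders.
const ROLE_ARN = "arn:aws:iam::111111111111:role/s3-cross-account-writer";
const BUCKET = "bucket-name-from-account-one";

const rolePolicy = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Action: ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket", "s3:PutObject"],
    Resource: [`arn:aws:s3:::${BUCKET}`, `arn:aws:s3:::${BUCKET}/*`],
  }],
};

// Bucket policy in account A that forgot to grant PutObject: uploads would be denied.
const bucketPolicyReadOnly = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Principal: { AWS: ROLE_ARN },
    Action: ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket"],
    Resource: [`arn:aws:s3:::${BUCKET}`, `arn:aws:s3:::${BUCKET}/*`],
  }],
};

// Upload from Node.js with AWS SDK v3: assume the role in account B, then
// PutObject into the bucket owned by account A. The dynamic imports mean the
// offline check above still runs when the SDK packages are not installed.
async function uploadWithRole({ region, roleArn, bucket, key, body }) {
  const { S3Client, PutObjectCommand } = await import("@aws-sdk/client-s3");
  const { fromTemporaryCredentials } = await import("@aws-sdk/credential-providers");
  const credentials = fromTemporaryCredentials({
    params: { RoleArn: roleArn, RoleSessionName: "s3-upload-example" },
    clientConfig: { region },
  });
  const s3 = new S3Client({ region, credentials });
  return s3.send(new PutObjectCommand({ Bucket: bucket, Key: key, Body: body }));
}

console.log("actions missing from bucket policy:",
  checkCrossAccountGrants(rolePolicy, bucketPolicyReadOnly, ROLE_ARN));
// uploadWithRole({ region: "eu-central-1", roleArn: ROLE_ARN, bucket: BUCKET,
//                  key: "hello.txt", body: "hello" }).then(console.log, console.error);
```

Run the file as-is to see the consistency check report `s3:PutObject`; uncomment the last call (with a real region, role ARN and bucket) to perform the upload. Because the SDK resolves temporary credentials through STS AssumeRole, the same code also answers the question of visibility: the bucket is not listed by ListBuckets in account B (that call only shows the caller's own buckets), but ListBucket and PutObject against the bucket name work as long as both policies allow them.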