I'm currently trying to figure something out.
I have 2 AWS Accounts.
Account A has a bucket called my_awesome_files
.
Account B has users, that would like to be able to see those documents in my_awesome_files
.
I have the following policies and roles setup:
Account A (the one who has the bucket):
role: allow-account-b-access-s3-bucket-role
policy:
{
"Statement": [
{
"Action": "s3:GetObject",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::my_awesome_files"
]
}
],
"Version": "2012-10-17"
}
policy: (trusted entities)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account_id_account_b>:root"
},
"Action": "sts:AssumeRole"
}
]
}
Account B (the one who wants to have access to the bucket): Has a user with this attached Policy:
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": "arn:aws:iam::<account_id_account_a>:role/allow-account-b-access-s3-bucket-role"
}
],
"Version": "2012-10-17"
}
If I read the documentation correctly, this should work.
Now to my questions:
Do I need some special fancy configuration for it to get that it needs to assume that role or to make it work? Currently, the filesystem config looks like this:
'my_awesome_files_bucket_config' => [
'driver' => 's3',
'key' => env('AWS_ACCESS_KEY_ID', 'xxxx'),
'secret' => env('AWS_SECRET_ACCESS_KEY', 'xxxx'),
'region' => env('DEFAULT_REGION', 'eu-central-1'),
'bucket' => env('MY_AWESOME_FILES_BUCKET', 'xxxx')
]
So I kind of figured it out. The policies are correct, but laravel filesystem automatically does not assume roles (obviously) and I didn't find a way to configure it to do so. (This would actually be a nice feature to the Filesystem lib)
So my solution was: using directly the AWS SDK to get the correct credentials, and then fetch the files from s3. This looks like this:
$stsClient = new StsClient([
'region' => 'eu-central-1',
'version' => '2011-06-15',
'credentials' => [
'key' => $access_key_id,
'secret' => $secret_access_key ,
],
]);
$sessionName = "s3-access";
$result = $stsClient->AssumeRole([
'RoleArn' => $ARN,
'RoleSessionName' => $sessionName,
]);
$access_key_id = $result['Credentials']['AccessKeyId'];
$secret_access_key = $result['Credentials']['SecretAccessKey'];
$session_token = $result['Credentials']['SessionToken'];
Then the fetching of the file is as easy as reading documentation:
$s3Client = new S3Client([
'version' => '2006-03-01',
'region' => 'eu-central-1',
'credentials' => [
'key' => $access_key_id,
'secret' => $secret_access_key,
'token' => $session_token
]
]);
$private_file = $s3Client->getObject([
'Bucket' => env('BUCKET_NAME'),
'Key' => 'filename.txt',
]);