One of the most common situations in real life with AWS is cross account access to the AWS console. This post is a very simple scenario to demonstrate how that can be implemented.

Scenario: There are a group of developers in a group called “developers-admin-groupin an account called “development” that need to place source code into a bucket in the “production” account so it can be deployed to servers.

  • ID the production and development account numbers

  • Create the bucket in the production account.. let’s call it “prod-source-dropoff”

  • In the production account, create “developers-access-production-policy” policy

{ 
  "Version": "2012-10-17", 
  "Statement": [ 
    { 
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets", 
      "Resource": "arn:aws:s3:::" 
    }, 
    { 
      "Effect": "Allow", 
      "Action": [ 
        "s3:ListBucket", 
        "s3:GetBucketLocation" 
      ], 
      "Resource": "arn:aws:s3:::prod-source-dropoff" 
    }, 
    { 
      "Effect": "Allow", 
      "Action": [ 
        "s3:GetObject", 
        "s3:PutObject", 
        "s3:DeleteObject" 
      ], 
      "Resource": "arn:aws:s3:::prod-source-dropoff/" 
    }
  ]
}
  • In the production, account create “developer-access-production-role” role and assign ‘developers-access-production-policy’

  • Login to developer account

  • Create a role called “sts-developer-production-bucket-access-role” with an inline policy of:

{ 
  "Version": "2012-10-17", 
  "Statement": {
    "Effect": "Allow", 
    "Action": "sts:AssumeRole", 
    "Resource": "arn:aws:iam::PRODUCTION-ACCOUNT-ID:role/developer-access-production-role" 
    } }
  • Assign the role to the “developers” group

  • Login into the developer account as a member of the developers group and do a “switch role” and input the account number and the role “developers-access-production-policy” and click “switch role”

  • You should have access to the “prod-source-dropoff” bucket in the production account