I have a system with 2 AWS Accounts, and I want an IAM group on account 2 to access a bucket on account 1.
Account 1 has a large car database and an S3 bucket with files for each car.
Account 2 does the communication (SNS/SQS) with a lot of physical machines, which each has their own IAM user, but are all a member of the robots-group.
I want the machines with IAM users in Account 2 to be able to access files in an S3 bucket on Account 1.
But apparently, a group cannot be used as a principal. What other options do I have here, if I want a simple setup where I don't need to update the bucket policy in Account 1 every time an IAM user is added in the robots-group in Account 2?
This is the policy I'm trying to apply to my bucket:
{
"Id": "Policy1683211206707",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1683211201070",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::company-vehicle-configurations-test/*",
"Principal": {
"AWS": [
"arn:aws:iam::1234567890:group/robots-group"
]
}
}
]
}
And the result:
"errorType": "MalformedPolicy",
"errorMessage": "Invalid principal in policy",
In the bucket policy, you can allow the Account2 account principal arn:aws:iam::1234567890:root. This allows any user, role, or group in Account2 to interact with the bucket, only if their IAM policies allow that access.
This essentially delegates further access control to the IAM policies attached to Account2 users, groups and roles. Which is what you essentially want, since you don't want Account1 to own the group's permissions, nor to have to enumerate Account1's users allowed to access the bucket.