I cannot access an S3 bucket in another account after executing the AssumeRole API from Lambda, so please tell me the solution
The issue
I need to access an S3 bucket in Account B after executing the AssumeRole API in Account A's Lambda, but access to Account B's S3 bucket was denied after executing the AssumeRole API. Account B's S3 bucket policy allows access from Account A's Lambda execution role.
I cannot access an S3 bucket in another account after executing the AssumeRole API from Lambda, so please tell me the solution.
The solution
Please specify the ARN of the IAM role that you assume with the AssumeRole API in the S3 bucket policy of the destination account.
When Lambda accesses an S3 bucket in another account without calling the AssumeRole API, the Lambda execution role is the requester, so that is the role you name in the S3 bucket policy.
However, once the AssumeRole API has been called, the temporary credentials it returns belong to the assumed IAM role, and S3 evaluates the request as coming from that role, not from the Lambda execution role.
Therefore, the S3 bucket policy in the other account must allow access from the IAM role assumed via the AssumeRole API.
The following bucket policy is one example.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Example-Bucket-Policy",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::012345678901:role/assumerole-role-name"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ]
    }
  ]
}
```
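To make the point above concrete, here is an added example (not code from the original post) in Python that models how the bucket policy is matched against the requesting principal. It builds a bucket policy like the one above, normalises the STS session ARN that an assumed role actually presents (arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION) to the IAM role ARN that bucket policies name, and then checks the same request once as the Lambda execution role and once as the assumed role. It also includes an identity-policy check, because cross-account access requires both the assumed role's own identity-based policy and the bucket policy to allow the action. All account IDs, role names and policy contents are constructed placeholders; the evaluator handles only the policy grammar used in this example, not the full IAM evaluation logic.

```python
import fnmatch
import re

# Constructed placeholder ARNs; not real accounts or roles.
LAMBDA_EXEC_ROLE = "arn:aws:iam::111111111111:role/lambda-execution-role"
ASSUMED_ROLE = "arn:aws:iam::012345678901:role/assumerole-role-name"
ASSUMED_SESSION = "arn:aws:sts::012345678901:assumed-role/assumerole-role-name/lambda-session"
BUCKET = "example-bucket"
S3_ACTIONS = ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"]


def bucket_policy_for(role_arn, bucket):
    """Bucket policy granting the given IAM role the four S3 actions from the post."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Example-Bucket-Policy",
            "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": S3_ACTIONS,
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def identity_policy_for(bucket):
    """Identity-based policy attached to the assumed role (no Principal element)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": S3_ACTIONS,
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def session_to_role_arn(principal_arn):
    """Map an STS assumed-role session ARN to the IAM role ARN a bucket policy names.
    arn:aws:sts::ACCT:assumed-role/NAME/SESSION -> arn:aws:iam::ACCT:role/NAME
    Any other ARN is returned unchanged."""
    m = re.fullmatch(r"arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+", principal_arn)
    if m:
        return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}"
    return principal_arn


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(statement, role_arn):
    """Identity policies carry no Principal and apply to the attached role;
    resource policies must name the role ARN (or '*') explicitly."""
    if "Principal" not in statement:
        return True
    principal = statement["Principal"]
    allowed = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
    return "*" in allowed or role_arn in allowed


def is_allowed(policy, principal_arn, action, resource_arn):
    """Minimal evaluator: an explicit Deny wins, otherwise any matching Allow grants."""
    role_arn = session_to_role_arn(principal_arn)
    allowed = False
    for st in policy["Statement"]:
        if not _principal_matches(st, role_arn):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def cross_account_allowed(identity_policy, bucket_policy, principal_arn, action, resource_arn):
    """Cross-account S3 access needs an Allow from both the caller's identity policy
    and the bucket policy; a Deny in either side blocks the request."""
    return (is_allowed(identity_policy, principal_arn, action, resource_arn)
            and is_allowed(bucket_policy, principal_arn, action, resource_arn))


def demo():
    """Evaluate one GetObject request as the Lambda execution role and as the assumed role."""
    bucket_policy = bucket_policy_for(ASSUMED_ROLE, BUCKET)
    identity_policy = identity_policy_for(BUCKET)
    obj = f"arn:aws:s3:::{BUCKET}/report.csv"
    return {
        "lambda_role_direct": cross_account_allowed(identity_policy, bucket_policy, LAMBDA_EXEC_ROLE, "s3:GetObject", obj),
        "assumed_role_session": cross_account_allowed(identity_policy, bucket_policy, ASSUMED_SESSION, "s3:GetObject", obj),
        "assumed_role_list": cross_account_allowed(identity_policy, bucket_policy, ASSUMED_SESSION, "s3:ListBucket", f"arn:aws:s3:::{BUCKET}"),
        "assumed_role_unlisted_action": cross_account_allowed(identity_policy, bucket_policy, ASSUMED_SESSION, "s3:GetBucketPolicy", f"arn:aws:s3:::{BUCKET}"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'allowed' if result else 'denied'}")
```

The request made with the Lambda execution role's ARN is denied while the same request made with the assumed-role session is allowed, which is exactly the symptom in the question: the bucket policy named the wrong principal. In production the decision also depends on SCPs, permission boundaries and session policies, none of which this toy evaluator models.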