Browse objects in the S3 console across accounts
Tags: cloud aws til

Cross-account access to an S3 bucket is a well-documented setup. Most guides cover creating and applying a bucket policy to an S3 bucket, then creating a policy and role in another account that can access that bucket. A user or service in that account can then assume the role, provided the role's trust relationship allows it, and access the S3 bucket via the CLI or API.
Most guides stop here and do not cover accessing the bucket via the AWS Console, which lets the user browse through the objects visually.

[Diagram: two accounts. Account A contains an S3 bucket and its bucket policy; Account B contains a user that assumes an IAM role used to access the bucket.]
In my example, Account A contains the S3 bucket that needs to be accessed, and Account B has a user that can federate into that account and needs access to the bucket. Here is a walkthrough of setting up the environment shown in the diagram above.
- Create an IAM policy in Account B that describes the required actions on the S3 bucket. In my case this means browsing through objects, permitted by `s3:ListBucket`, and downloading an object, permitted by `s3:GetObject`.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "<bucket-arn>"
    },
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "<bucket-arn>/*"
    }
  ]
}
```
- Attach the created policy to an IAM role and ensure the trust relationship permits your user to assume this role.
- In Account A, create a bucket policy on the S3 bucket that allows the same actions as the previously created policy. The principal in our bucket policy will be the ARN of the role created in step 2. Note that if the IAM role permits more actions than the bucket policy, only the actions allowed by both the role's policy and the bucket policy are effective; the bucket policy narrows what the role can do. In our case the bucket policy looks like this:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "<role-arn>"
      },
      "Action": "s3:ListBucket",
      "Resource": "<bucket-arn>"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "<role-arn>"
      },
      "Action": "s3:GetObject",
      "Resource": "<bucket-arn>/*"
    }
  ]
}
```
At this point you can assume the role in Account B via the CLI or API and check that this works.
To access this bucket from the S3 Console, log in as the user allowed by the trust relationship in Account B and switch roles in the console. You will need the account number for Account B and the name of the role previously created to do this.
Once the role is assumed you can access the bucket directly through the URL `https://<region>.console.aws.amazon.com/s3/buckets/<bucket-name>`. The region should be the region the S3 bucket in Account A is located in. When the page loads you can browse and download the objects within the bucket. That's it!
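The note in step 3 is the part that tends to surprise people: a cross-account request is only allowed when the role's identity policy in Account B *and* the bucket policy in Account A both allow it. The following is an added example (not code from the original post) that evaluates both policy documents offline for a given action and resource, so you can check the effective permissions before touching the console. The bucket ARN, role ARN and the extra `s3:PutObject` grant in the role policy are constructed placeholders; the evaluator is a simplified model of IAM (wildcards, Allow/Deny, principal matching) and is not the AWS policy engine. It also builds the console URL from the last step.

```python
"""Effective cross-account S3 permissions (added example, simplified IAM model).

An action on a resource is allowed only if BOTH the role's identity policy
(Account B) and the bucket policy (Account A) allow it, and neither has an
explicit Deny that matches. Everything below is constructed sample data."""
import fnmatch

# Constructed placeholders: not a real bucket, account or role.
BUCKET_ARN = "arn:aws:s3:::example-shared-bucket"
ROLE_ARN = "arn:aws:iam::222222222222:role/CrossAccountS3Reader"

# Identity policy attached to the role in Account B. It deliberately grants
# s3:PutObject too, to show the bucket policy narrowing it away.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET_ARN},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": BUCKET_ARN + "/*"},
    ],
}

# Bucket policy on the bucket in Account A: the principal is the role ARN.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
         "Action": "s3:ListBucket", "Resource": BUCKET_ARN},
        {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
         "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"},
    ],
}


def _as_list(value):
    """IAM lets Action/Resource/Principal be a string or a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style wildcard match: '*' and '?' are the only metacharacters."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(statement, principal_arn):
    """Identity policies carry no Principal; resource policies must name one."""
    principal = statement.get("Principal")
    if principal is None or principal == "*":
        return True
    aws = _as_list(principal.get("AWS", []))
    return "*" in aws or principal_arn in aws


def evaluate(policy, action, resource, principal_arn):
    """Return 'deny', 'allow' or 'implicit' for one policy document."""
    result = "implicit"
    for statement in policy["Statement"]:
        if not _principal_matches(statement, principal_arn):
            continue
        actions = [a.lower() for a in _as_list(statement.get("Action", []))]
        if not _matches(actions, action.lower()):  # action names are case-insensitive
            continue
        if not _matches(statement.get("Resource", []), resource):
            continue
        if statement["Effect"] == "Deny":
            return "deny"  # an explicit Deny always wins
        result = "allow"
    return result


def is_allowed(action, resource, role_policy=ROLE_POLICY,
               bucket_policy=BUCKET_POLICY, principal_arn=ROLE_ARN):
    """Cross-account rule: both documents must allow, neither may deny."""
    identity = evaluate(role_policy, action, resource, principal_arn)
    bucket = evaluate(bucket_policy, action, resource, principal_arn)
    if "deny" in (identity, bucket):
        return False
    return identity == "allow" and bucket == "allow"


def console_url(region, bucket_name):
    """The direct S3 console URL from the walkthrough, for the bucket's region."""
    return f"https://{region}.console.aws.amazon.com/s3/buckets/{bucket_name}"


if __name__ == "__main__":
    checks = [
        ("s3:ListBucket", BUCKET_ARN),
        ("s3:GetObject", BUCKET_ARN + "/reports/q1.csv"),
        ("s3:PutObject", BUCKET_ARN + "/reports/q1.csv"),  # role allows, bucket does not
        ("s3:GetObject", BUCKET_ARN),  # object action on the bucket ARN itself
    ]
    for action, resource in checks:
        print(f"{action:16} {resource:50} -> {is_allowed(action, resource)}")
    print(console_url("eu-west-1", "example-shared-bucket"))
```

Running it shows `s3:ListBucket` and `s3:GetObject` allowed, while `s3:PutObject` is refused even though the role grants it, which is exactly the narrowing described in step 3. If you ever see an unexpected denial in the console, checking the resource form (bucket ARN for `ListBucket`, `bucket-arn/*` for object actions) in both documents is the first thing to verify.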
If you're looking for a way to list all shared S3 buckets permitted by the role, there doesn't seem to be a way to do this. The S3 Console uses the action `s3:ListAllMyBuckets` to list buckets, but according to the documentation this only iterates through "buckets owned by the parent account". This is why constructing the URL is required.