7
votes

I have a Redshift cluster in an AWS account "A" and an S3 bucket in account "B". I need to unload data from the Redshift cluster in account A to an S3 bucket in account B.

I've already provided the necessary bucket policy and role policy to unload the data. The data is also getting unloaded successfully. Now the problem is that the owner of the file created from this unload is account A and the file needs to be used by user B. On trying to access that object I am getting access denied. How do I solve this?

PS: ListBucket and GetObject permissions have been granted by the Redshift IAM policy.

1

1 Answer

2
votes

This is what worked for me: chaining IAM roles.

For example, suppose Company A wants to access data in an Amazon S3 bucket that belongs to Company B. Company A creates an AWS service role for Amazon Redshift named RoleA and attaches it to their cluster. Company B creates a role named RoleB that's authorized to access the data in the Company B bucket. To access the data in the Company B bucket, Company A runs a COPY command using an iam_role parameter that chains RoleA and RoleB. For the duration of the UNLOAD operation, RoleA temporarily assumes RoleB to access the Amazon S3 bucket.

More details here: https://docs.aws.amazon.com/redshift/latest/mgmt/authorizing-redshift-service.html#authorizing-redshift-service-chaining-roles
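As an added example (not from the answer author or the AWS docs), this is what the chained-role UNLOAD looks like in practice. The account IDs (111111111111 for account A, 222222222222 for account B), the role names RoleA and RoleB, the bucket name and the table are placeholders. Because the last role in the chain belongs to account B, the objects are written with account B's credentials and account B owns them, which is what removes the "access denied" the question describes. The comments list the two IAM prerequisites the chain depends on: RoleA must be allowed to call sts:AssumeRole on RoleB, and RoleB's trust policy must name RoleA as a trusted principal.

```sql
-- Prerequisites (placeholders; RoleA lives in account A, RoleB in account B):
--
-- 1. RoleA is the service role attached to the Redshift cluster in account A.
--    Its permissions policy must allow it to assume RoleB:
--      Action:   sts:AssumeRole
--      Resource: arn:aws:iam::222222222222:role/RoleB
--
-- 2. RoleB, in account B, grants s3:PutObject (and s3:ListBucket /
--    s3:GetObject if needed) on the target bucket, and its trust policy
--    names only RoleA as the principal allowed to assume it:
--      Principal: { "AWS": "arn:aws:iam::111111111111:role/RoleA" }
--      Action:    sts:AssumeRole
--
-- Keeping the trust policy scoped to the single RoleA ARN, rather than to
-- the whole of account A, is the least-privilege form of this setup.

-- The UNLOAD itself: the IAM_ROLE value is a comma-separated chain with no
-- spaces. Redshift assumes RoleA, then RoleA assumes RoleB, and the files
-- land in account B's bucket owned by account B.
UNLOAD ('SELECT order_id, customer_id, order_total, order_date
         FROM public.orders
         WHERE order_date >= ''2024-01-01''')
TO 's3://example-bucket-in-account-b/exports/orders_'
IAM_ROLE 'arn:aws:iam::111111111111:role/RoleA,arn:aws:iam::222222222222:role/RoleB'
FORMAT AS PARQUET
ALLOWOVERWRITE;
```

Note the doubled single quotes inside the UNLOAD query string, which is how a literal quote is escaped in the quoted SELECT. If the chain is misconfigured, the UNLOAD fails at the assume-role step rather than silently writing account-A-owned objects, so an error here points at the trust or assume-role policy, not at the bucket policy.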