I have 3 AWS accounts. Account A has a Lambda function (Lambda_Account_A), Account B has a role (Role_Account_B) and Account C has an S3 bucket (S3_Account_C). The resource in Account C is configured with a bucket policy that says: Role_Account_B can access this bucket.
If the Lambda in Account A assumes the Account B role (Role_Account_B) and generates STS credentials, will those credentials have access to the Account C resource, the S3 bucket?
Accounts B and C have been configured to trust each other.
Account A Lambda code:
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.AssumeRoleResult;

// stsClient is built with the Lambda execution role's credentials (default provider chain)
BasicSessionCredentials assumeRoleB(AWSSecurityTokenService stsClient, String assumeRole,
                                    String policy, String SESSION_NAME) {
    try {
        AssumeRoleRequest roleRequest = new AssumeRoleRequest()
            .withRoleArn(assumeRole)        // arn of the role in account B
            .withPolicy(policy)             // session policy; contains "arn:aws:s3:::my_bucket"
            .withDurationSeconds(3600)
            .withRoleSessionName(SESSION_NAME);
        // Assume the IAM role
        AssumeRoleResult assumeResult = stsClient.assumeRole(roleRequest);
        final BasicSessionCredentials temporaryCredentials = new BasicSessionCredentials(
            assumeResult.getCredentials().getAccessKeyId(),
            assumeResult.getCredentials().getSecretAccessKey(),
            assumeResult.getCredentials().getSessionToken());
        return temporaryCredentials;
    } catch (AWSSecurityTokenServiceException e) {
        // Do not swallow the failure: an empty catch would hand the caller null credentials
        throw new RuntimeException("AssumeRole for " + assumeRole + " failed", e);
    }
}
Bucket Policy in Account C:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::account_No:role/Account_B_role"
            },
            "Action": [
                "s3:Get*"
            ],
            "Resource": "arn:aws:s3:::my_bucket/*"
        }
    ]
}
Role_B's permission policy is:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:*"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
Its trust relationship has both Account A and Account C.
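Added example, not code from the question above: the full path the question describes, written against the same AWS SDK for Java v1 the question uses. It assumes Role_Account_B in account 222222222222, the bucket my_bucket in the region below and an object key, all placeholders. The point it demonstrates is the one the question hinges on: when Lambda_Account_A assumes Role_Account_B, every request made with the returned session credentials is evaluated as the principal arn:aws:sts::222222222222:assumed-role/Role_Account_B/<session name>, and a bucket policy whose Principal is the role ARN arn:aws:iam::222222222222:role/Role_Account_B matches that assumed-role session. For the cross-account read to succeed, Role_Account_B's own permission policy must allow the S3 action, the bucket policy in Account C must allow it for the role, and the session policy passed to AssumeRole can only narrow that further; Account C's trust of Account B plays no part in this path, since nothing in Account C is being assumed. The GetCallerIdentity call prints the ARN the bucket policy actually sees, which is the first thing to check when the GetObject call is denied.

```java
// Added example (not from the original post): Account A Lambda assumes Role_Account_B,
// confirms which principal it is now acting as, then reads an object from S3_Account_C.
// Account ID, bucket, key, region and session name are placeholder assumptions.
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.S3Object;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.Credentials;
import com.amazonaws.services.securitytoken.model.GetCallerIdentityRequest;
import com.amazonaws.util.IOUtils;

public class CrossAccountS3Read {
    // Placeholder values; replace with the real role ARN, bucket, key and bucket region.
    static final String ROLE_B_ARN = "arn:aws:iam::222222222222:role/Role_Account_B";
    static final String BUCKET = "my_bucket";
    static final String KEY = "path/to/object.txt";
    static final String REGION = "us-east-1";
    static final String SESSION_NAME = "lambda-a-to-role-b";

    // Session policy: it cannot grant anything Role_Account_B's permission policy does not
    // already allow; it only narrows the s3:* on "*" down to reads of this one bucket.
    static final String SESSION_POLICY =
        "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\","
        + "\"Action\":[\"s3:GetObject\"],\"Resource\":\"arn:aws:s3:::" + BUCKET + "/*\"}]}";

    public static void main(String[] args) throws Exception {
        // Built with the Lambda execution role's credentials from the default provider chain.
        // Role_Account_B's trust policy must allow that execution role (or Account A) to assume it.
        AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard()
            .withRegion(REGION).build();

        Credentials c = sts.assumeRole(new AssumeRoleRequest()
                .withRoleArn(ROLE_B_ARN)
                .withPolicy(SESSION_POLICY)
                .withDurationSeconds(3600)
                .withRoleSessionName(SESSION_NAME))
            .getCredentials();

        BasicSessionCredentials temp = new BasicSessionCredentials(
            c.getAccessKeyId(), c.getSecretAccessKey(), c.getSessionToken());
        AWSStaticCredentialsProvider asRoleB = new AWSStaticCredentialsProvider(temp);

        // Which principal does Account C's bucket policy see? Expected:
        // arn:aws:sts::222222222222:assumed-role/Role_Account_B/lambda-a-to-role-b
        // A bucket policy Principal of arn:aws:iam::222222222222:role/Role_Account_B matches it.
        AWSSecurityTokenService stsAsRoleB = AWSSecurityTokenServiceClientBuilder.standard()
            .withCredentials(asRoleB).withRegion(REGION).build();
        String callerArn = stsAsRoleB.getCallerIdentity(new GetCallerIdentityRequest()).getArn();
        System.out.println("Calling S3 as: " + callerArn);

        // Cross-account read: allowed only if Role_Account_B's identity policy, the session
        // policy above, and S3_Account_C's bucket policy all permit s3:GetObject on this key.
        AmazonS3 s3 = AmazonS3ClientBuilder.standard()
            .withCredentials(asRoleB).withRegion(REGION).build();
        try (S3Object obj = s3.getObject(BUCKET, KEY)) {
            String body = IOUtils.toString(obj.getObjectContent());
            System.out.println("Read " + body.length() + " chars from s3://" + BUCKET + "/" + KEY);
        }
        // An AccessDenied here means one of the three policies above does not allow the read;
        // a failure on assumeRole itself means Role_Account_B's trust policy does not allow Account A.
    }
}
```

Note that the bucket policy in the question only allows s3:Get* on my_bucket/*, so a ListObjects call on the bucket itself would still be denied from Account C's side even though Role_Account_B's own policy allows s3:*; add an s3:ListBucket statement on arn:aws:s3:::my_bucket to the bucket policy if listing is needed.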