I have account A in the us-east-1 region with the IAM role rt-profileRole and my application setup. Account B created S3 buckets in us-west-1 and us-west-2.
I am trying to list objects using the AWS CLI with the role rtprofile. Both buckets have a similar bucket policy, shown below, with the Resource containing the correct bucket ARN of the bucket to which the policy is attached.
The problem is that I can list objects from the bucket created in us-west-1 using aws s3 ls from my local system, but I get an error when I try the same for the bucket created in us-west-2: An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
I tried with multiple buckets and concluded that, using the account A role:
- I can access a bucket of account A created in us-east-1
- I can access a bucket of account B created in us-west-1
- I cannot access a bucket of account B created in us-west-2.
Please help me understand what is wrong with the us-west-2 region here.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DelegateS3Access",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::AccountA:role/rt-profileRole"
                ]
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::bucket-name/*",
                "arn:aws:s3:::bucket-name"
            ]
        }
    ]
}
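The bucket policy above is the resource-based half of a cross-account S3 decision: for a role in account A to list a bucket in account B, the bucket policy in B and the role's own identity policy in A must both allow the action, and neither may deny it. The script below is an added illustration (editor's example, not code from the question or from AWS) that evaluates the posted policy the way a reviewer would check it by hand: it takes the `AccountA` and `bucket-name` placeholders exactly as the question uses them, matches the caller's role ARN, the S3 action and the resource ARN against each statement with IAM-style `*` wildcards, and reports Allow, Deny or "no matching statement". It deliberately models only Principal/Action/Effect/Resource (no Condition keys, no SCPs, no S3 Block Public Access), and it accepts wildcard principals for illustration even though bucket policies only allow the literal `"*"` there. `aws s3 ls s3://bucket` issues ListObjectsV2, which requires `s3:ListBucket` on the bucket ARN itself, not on `bucket/*`, so that is the triple the usage block checks.

```python
import fnmatch
import json

# Bucket policy from the question, verbatim apart from JSON formatting.
# "AccountA" and "bucket-name" are the placeholders the question itself uses.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DelegateS3Access",
      "Effect": "Allow",
      "Principal": {"AWS": ["arn:aws:iam::AccountA:role/rt-profileRole"]},
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::bucket-name/*", "arn:aws:s3:::bucket-name"]
    }
  ]
}
""")


def _as_list(value):
    """IAM lets Principal/Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value):
    """IAM-style matching: '*' matches any run of characters (including ':' and '/'),
    '?' matches exactly one. fnmatchcase behaves that way for ARN and action strings."""
    return fnmatch.fnmatchcase(value, pattern)


def evaluate_bucket_policy(policy, principal_arn, action, resource_arn):
    """Return 'Deny', 'Allow' or 'NoMatch' for one (principal, action, resource) triple.

    Mirrors the resource-policy half of IAM evaluation: an explicit Deny in any
    matching statement wins; otherwise any matching Allow allows; otherwise the
    policy simply does not apply to the request (implicit deny).
    """
    decision = "NoMatch"
    for statement in policy["Statement"]:
        principal = statement.get("Principal", {})
        # Bucket policies accept the literal "*" or an {"AWS": [...]} block.
        principal_patterns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if not any(_wildcard_match(p, principal_arn) for p in principal_patterns):
            continue
        if not any(_wildcard_match(a, action) for a in _as_list(statement["Action"])):
            continue
        if not any(_wildcard_match(r, resource_arn) for r in _as_list(statement["Resource"])):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def cross_account_allowed(identity_decision, bucket_decision):
    """Cross-account S3 access needs BOTH the caller's identity policy (account A)
    and the bucket policy (account B) to allow, and neither to deny."""
    if "Deny" in (identity_decision, bucket_decision):
        return False
    return identity_decision == "Allow" and bucket_decision == "Allow"


if __name__ == "__main__":
    role = "arn:aws:iam::AccountA:role/rt-profileRole"
    # 'aws s3 ls s3://bucket-name' -> ListObjectsV2 -> s3:ListBucket on the bucket ARN.
    print(evaluate_bucket_policy(BUCKET_POLICY, role, "s3:ListBucket", "arn:aws:s3:::bucket-name"))
    # A Resource ARN naming a different bucket matches no statement: the policy does not apply.
    print(evaluate_bucket_policy(BUCKET_POLICY, role, "s3:ListBucket", "arn:aws:s3:::other-bucket"))
    # Even a matching bucket policy is not enough on its own across accounts.
    print(cross_account_allowed("NoMatch", "Allow"))
```

Running it prints `Allow`, `NoMatch` and `False`. The last line is the point worth keeping in mind when two buckets carry the same policy but behave differently: the bucket policy being correct only settles account B's side of the decision, and the role's identity policy in account A has to grant `s3:ListBucket` on each cross-account bucket ARN as well.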