
Accessing a s3 bucket with access key id and secret

Is it possible to access an S3 bucket from another account using the access key ID and secret access key?

I know that the keys are typically for API/CLI access, but I was wondering if I could use it from my account using those two alone.

A workaround would be to run a CLI on AWS and repeatedly sync two folders.

Edit: If I don't have access to the original account, how would I proceed then? I have the keys, and want to add them to a second account - but can't make any changes to the first.

Usernamenotfound asked Nov 17 '22 15:11


1 Answer

Is it possible to access an S3 bucket from another account using the access key ID and secret access key?

Yes, if it is configured. Access to an S3 bucket is determined by who you are, your IAM policy, what action you need to perform and what the bucket configuration is (policy, permissions, block public access, ...).

You can read the documentation to see what are the different factors affecting the access for a certain request: https://docs.aws.amazon.com/AmazonS3/latest/userguide/how-s3-evaluates-access-control.html

To configure cross account access, you have three choices:

  • Configure a bucket policy that allows certain or all API actions from another account or principals in that account. This is very flexible and allows almost all S3 bucket actions while staying secure.
  • Configure an ACL policy that allows another account. This is from before bucket policies existed; however, it may be simpler to use in some cases.
  • Configure cross-account IAM roles. This is basically providing permissions to another AWS account. This is the most flexible of the options as it can include any action.

The above 3 ways are documented here: https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/

Now, while in the document using a policy is for programmatic access only, as of right now you can also use it in the console, although this is not a documented feature. If you have access via bucket policy, you can simply open the bucket in the console by typing the bucket name in the URL (replace BUCKET-NAME with your bucket name): https://s3.console.aws.amazon.com/s3/buckets/BUCKET-NAME

Another question would be how to access the console if you only have an IAM access key ID and secret. To access the console your IAM user needs a password and you can't use the IAM user without it; however, if you have enough permissions you can set a password for yourself. Another thing you can do is that if there's an IAM role you can assume into (if you have enough permissions you can create your own), then you can simply use a tool that can generate a console link using the federation API. Here are a few I'm aware of:

  • https://github.com/trek10inc/awsume-console-plugin
  • https://github.com/jnawk/aws-electron
  • https://github.com/NetSPI/aws_consoler
Farid Nouri Neshat answered Jun 11 '23 02:06
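
The first option in the answer above (a bucket policy that allows another account) is sketched below as an added example; it is not code from the answer or from AWS. The function name, the bucket name `example-bucket` and the account ID `111122223333` are constructed for illustration. It shows the detail that most often breaks such policies: bucket-level actions such as `s3:ListBucket` must target the bucket ARN, while object-level actions must target `bucket/*`.

```python
import json

# S3 actions that apply to the bucket itself; all others are treated as object-level.
BUCKET_LEVEL = {"s3:ListBucket", "s3:GetBucketLocation", "s3:ListBucketMultipartUploads"}


def cross_account_bucket_policy(bucket, account_id, actions):
    """Build a bucket policy granting explicit `actions` to one other AWS account."""
    if not (account_id.isascii() and account_id.isdigit() and len(account_id) == 12):
        raise ValueError("account_id must be a 12-digit AWS account ID")
    if any(a in ("*", "s3:*") for a in actions):
        raise ValueError("list explicit actions instead of a wildcard")

    # The account root principal delegates the decision to that account's own IAM.
    principal = {"AWS": f"arn:aws:iam::{account_id}:root"}
    bucket_actions = sorted(a for a in actions if a in BUCKET_LEVEL)
    object_actions = sorted(a for a in actions if a not in BUCKET_LEVEL)

    statements = []
    if bucket_actions:
        statements.append({
            "Sid": "CrossAccountBucketLevel",
            "Effect": "Allow",
            "Principal": principal,
            "Action": bucket_actions,
            "Resource": f"arn:aws:s3:::{bucket}",      # the bucket itself
        })
    if object_actions:
        statements.append({
            "Sid": "CrossAccountObjectLevel",
            "Effect": "Allow",
            "Principal": principal,
            "Action": object_actions,
            "Resource": f"arn:aws:s3:::{bucket}/*",    # objects inside the bucket
        })
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    policy = cross_account_bucket_policy(
        "example-bucket", "111122223333", ["s3:ListBucket", "s3:GetObject"]
    )
    print(json.dumps(policy, indent=2))
```

The bucket policy is only half of a cross-account grant: the IAM user or role in the other account also needs an identity policy that allows the same actions on the same resources.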