Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to grant bucket-owner-full-control to a file unloaded from redshift in one account to an s3 bucket in another account?

I have a redshift cluster in an AWS account "A" and an S3 bucket in account "B". I need to unload data from redshift account in A to an S3 bucket in B.

I've already provided the necessary bucket policy and role policy to unload the data. The data is also getting unloaded successfully. Now the problem is that the owner of the file created from this unload is account A and the file needs to be used by user B. On trying to access that object I am getting access denied. How do I solve this?

PS: ListBucket and GetObject permissions have been granted by the redshift IAM policy.

like image 917
doctore Avatar asked Jul 05 '18 16:07

doctore


People also ask

Can you transfer ownership of an S3 bucket?

You can't transfer Amazon S3 bucket ownership between AWS accounts because the bucket is always owned by the account that created it. Instead, you can copy Amazon S3 objects from one bucket to another so that you give ownership of the copied objects to the destination account.


1 Answers

This is what worked for me - Chaining IAM roles.

For example, suppose Company A wants to access data in an Amazon S3 bucket that belongs to Company B. Company A creates an AWS service role for Amazon Redshift named RoleA and attaches it to their cluster. Company B creates a role named RoleB that's authorized to access the data in the Company B bucket. To access the data in the Company B bucket, Company A runs a COPY command using an iam_role parameter that chains RoleA and RoleB. For the duration of the UNLOAD operation, RoleA temporarily assumes RoleB to access the Amazon S3 bucket.

More details here: https://docs.aws.amazon.com/redshift/latest/mgmt/authorizing-redshift-service.html#authorizing-redshift-service-chaining-roles

like image 107
doctore Avatar answered Sep 22 '22 11:09

doctore