Cross-Account S3 Bucket Permissions Setup Guide

This guide provides a quick walkthrough for setting up cross-account permissions for an S3 bucket.

Prerequisites

Merchant Account (Account A): Owns the S3 bucket.

Juspay Account (Account B): Needs access to the S3 bucket.

Steps to be performed by Merchant

1. Create an S3 Bucket in Merchant Account

  • Sign in to the AWS Management Console.

  • Navigate to S3 and create a bucket.

2. Add a Bucket Policy

  • Go to the S3 bucket and select the Permissions tab.

  • Click Edit under Bucket Policy.

  • Add the following policy, replacing placeholders with your values:

  • Save the policy.

Steps to be performed by Juspay

1. Create an IAM Role in Juspay Account

  • Sign in to the AWS Management Console for Account B.

  • Navigate to IAM and create a role.

  • Select Another AWS account and enter Account A's ID.

  • Attach the AmazonS3ReadOnlyAccess policy or a custom policy.

  • Name and create the role.

2. Attach the Role to Resources in Juspay Account

  • Attach the created IAM role to resources such as EC2 instances.

3. Verify Access

  • Use the AWS CLI or SDKs to list the contents of the S3 bucket in the Merchant Account:

    aws s3 ls s3://<bucket-name>/ --region <region>

For more detailed instructions, refer to the AWS S3 User Guide.

4. Juspay's External Role

The role in the Juspay account that reads from the Merchant bucket, and therefore the principal to reference in the Merchant's bucket policy:

arn:aws:iam::980691203742:role/jp-reports-external

Troubleshooting

KMS Issues

If you encounter access denied errors related to AWS KMS, follow these steps to troubleshoot:

Ensure KMS Key Policy Allows Access:

Update the KMS key policy to allow Account B access.

  • Navigate to the KMS console in Account A.

  • Select the key and choose Key Policy.

  • Add the following policy, replacing placeholders with your values:

Grant KMS Key Access:

Grant access to the key using the AWS KMS Grant command.

Update IAM Role Policy:

Ensure the IAM role in Account B has permissions to use the KMS key.
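The following is an added example, not a policy from this guide: it builds the Merchant (Account A) bucket policy from Step 2 and the KMS key policy statement from the troubleshooting section, both scoped to the jp-reports-external role, and audits the bucket policy for the mistakes that usually turn a cross-account share into a public one. The bucket name, prefix and action list are assumptions; only the role ARN comes from the guide.

```python
import json

# Role ARN given in the guide; bucket name and prefix below are constructed samples.
JUSPAY_ROLE_ARN = "arn:aws:iam::980691203742:role/jp-reports-external"
READ_ONLY_ACTIONS = {"s3:ListBucket", "s3:GetObject"}  # assumed sufficient for reports


def build_bucket_policy(bucket, role_arn=JUSPAY_ROLE_ARN, prefix=""):
    """Bucket policy for Account A: list and read only, one role, optionally one prefix."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    list_stmt = {"Sid": "JuspayList", "Effect": "Allow", "Principal": {"AWS": role_arn},
                 "Action": "s3:ListBucket", "Resource": bucket_arn}
    if prefix:  # restrict listing to the shared prefix as well as reading
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [f"{prefix}*"]}}
    get_stmt = {"Sid": "JuspayGet", "Effect": "Allow", "Principal": {"AWS": role_arn},
                "Action": "s3:GetObject", "Resource": f"{bucket_arn}/{prefix}*"}
    return {"Version": "2012-10-17", "Statement": [list_stmt, get_stmt]}


def build_kms_key_statement(role_arn=JUSPAY_ROLE_ARN):
    """Statement to append to the customer managed key policy in Account A when the
    bucket uses SSE-KMS; without it the cross-account read fails with a KMS AccessDenied."""
    return {"Sid": "JuspayDecrypt", "Effect": "Allow", "Principal": {"AWS": role_arn},
            "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}


def audit_bucket_policy(policy, expected_role=JUSPAY_ROLE_ARN):
    """Return a list of findings; an empty list means the policy is scoped as intended."""
    findings = []
    for s in policy["Statement"]:
        sid = s.get("Sid", "<no Sid>")
        principal = s.get("Principal")
        aws = principal.get("AWS", principal) if isinstance(principal, dict) else principal
        for p in (aws if isinstance(aws, list) else [aws]):
            if p == "*":
                findings.append(f"{sid}: wildcard Principal")  # bucket becomes public
            elif p != expected_role:
                findings.append(f"{sid}: unexpected Principal {p}")
        for action in (s["Action"] if isinstance(s["Action"], list) else [s["Action"]]):
            if action not in READ_ONLY_ACTIONS:
                findings.append(f"{sid}: non read-only Action {action}")
        for res in (s["Resource"] if isinstance(s["Resource"], list) else [s["Resource"]]):
            if not res.startswith("arn:aws:s3:::") or res == "arn:aws:s3:::*":
                findings.append(f"{sid}: Resource not scoped to a bucket ({res})")
    return findings


if __name__ == "__main__":
    policy = build_bucket_policy("merchant-reports-bucket", prefix="reports/")
    print(json.dumps(policy, indent=2))
    print("findings:", audit_bucket_policy(policy))  # [] when scoped correctly
```

Run the audit on the policy before pasting it into the Permissions tab; any finding means the share is wider than the guide intends.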

For more troubleshooting tips, refer to the AWS Knowledge Center.
