Problem to change S3 Bucket Policies

Hi fellows, good afternoon. I am trying to change an S3 bucket policy in order for another account to access the data. I have the CanonicalID, so I did the following in the statement:
{
    "Sid": "QuicksightAccess",
    "Effect": "Allow",
    "Principal": {
        "CanonicalUser": "xxx…xxx"
    },
    "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:PutObjectAcl"
    ],
    "Resource": [
        "arn:aws:s3:::xxx/*",
        "arn:aws:s3:::yyy/*"
    ]
}

When I click the “Save Changes” button, AWS simply ignores the CanonicalUser and restores the IAM:

"Principal": {
    "AWS": "arn:aws:iam::YYY:root"
}
Every day I need to manually update the ACL grantees in order to allow this other QuickSight account to access the data. I am trying to alter the bucket policy in order to avoid this manual process. Please, can anyone help me with this issue? Why does AWS ignore the CanonicalUser in the bucket policy, while in the ACL everything works fine with the CanonicalID?

Hello @braga, I believe you just need 2 different objects within your statement array.

"Statement": [
   {
      "Effect": "Allow",
      "Principal": {
          "AWS": "<QuickSight Account 1>"
      },
      "Action": "<actions>",
      "Resource": "<bucket ARN>"
   },
   {
      "Effect": "Allow",
      "Principal": {
          "AWS": "<QuickSight Account 2>"
      },
      "Action": "<actions>",
      "Resource": "<bucket ARN>"
   }
]

You can also create IAM roles for each of the QuickSight accounts in your AWS Management Console IAM service and add the AmazonS3ReadOnlyAccess policy.

Hello @braga, I will mark the above response as the solution for now. If you have further questions please let me know! One last thing to note, while ACLs are still supported by AWS, I know their recommendation is to try utilizing IAM whenever possible instead. Just wanted to give a heads up!

Hi @DylanM, thank you for your suggestion. I am not sure if I understood correctly: in Account 1 I want to give Account 2 access to the bucket. In fact, my QuickSight account is related to Account 2, so I want to allow access to QuickSight through Account 2.
Why would I insert in the bucket policy permissions to Account 1? The bucket is already accessible to Account 1.
Anyway, this suggestion still is not the solution. I am still trying to figure it out.
Thank you very much for your time and help. If you have any other solution, please let me know.
All the best!

Hello @braga, so to clarify. You have 2 AWS accounts. Your S3 bucket is on account 1, but you only have 1 QuickSight account, which is on account 2. I was under the impression that you permissioned the bucket to a QuickSight account in AWS account 1 and also wanted to add it to a QuickSight account in AWS account 2.

Either way, the process is relatively the same. You must include the account ID for the AWS account that QuickSight is attached to in the bucket policy. Then in QuickSight, you can create an IAM role that will assume access to the S3 bucket or you can allow the QuickSight service role access to the AWS Key Management Service. Here is some documentation to set up cross-account access between S3 and QuickSight.

So permissions need to be updated from both sides, you just don’t need to add 2 QuickSight accounts to the policy.
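A worked example, added here and not code from any poster, that writes the bucket policy in the form the last reply describes (the other account's ID as an ARN principal, with the three object actions from the question) and lints a pasted policy for the slips seen in this thread; account IDs and bucket names are constructed placeholders:

```python
import json
import re

# Constructed sample values (not from the thread): account 2 is where QuickSight runs.
QUICKSIGHT_ACCOUNT = "222222222222"
BUCKETS = ["xxx", "yyy"]

def cross_account_policy(grantee_account: str, buckets: list, sid: str = "QuicksightAccess") -> dict:
    """Bucket policy granting another account the object permissions from the thread,
    with the Principal written as the account root ARN rather than a CanonicalUser."""
    if not re.fullmatch(r"\d{12}", grantee_account):
        raise ValueError("AWS account IDs are 12 digits")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": sid,
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{grantee_account}:root"},
            "Action": ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl"],
            "Resource": [f"arn:aws:s3:::{b}/*" for b in buckets],
        }],
    }

def render(policy: dict) -> str:
    """Serialise to the JSON text that is pasted into the bucket-policy editor."""
    return json.dumps(policy, indent=4)

def lint_policy(policy_json: str) -> list:
    """Return the problems a quick review would flag before saving the policy."""
    problems = []
    try:
        policy = json.loads(policy_json)
    except json.JSONDecodeError as e:
        return [f"not valid JSON: {e.msg} at line {e.lineno}"]
    for i, st in enumerate(policy.get("Statement", [])):
        if "Principle" in st:  # the misspelling from the thread's sample
            problems.append(f"statement {i}: key 'Principle' should be 'Principal'")
        principal = st.get("Principal", {})
        if isinstance(principal, dict) and "CanonicalUser" in principal:
            problems.append(f"statement {i}: CanonicalUser principal; use the account root ARN")
        if st.get("Effect") == "Allow" and principal in ("*", {"AWS": "*"}):
            problems.append(f"statement {i}: Allow to every principal makes the bucket public")
        resources = st.get("Resource", [])
        for res in [resources] if isinstance(resources, str) else resources:
            if not res.startswith("arn:aws:s3:::"):
                problems.append(f"statement {i}: resource {res!r} is not an S3 ARN")
    return problems
```

The bucket side is only half of the setup: the account that runs QuickSight still has to grant its role access to the bucket, as the reply above notes.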