Showing posts from April, 2019

Setup Cross Account S3 Access for Cloudberry Drive

I recently ran into a scenario in which one of the EC2 instances in our production AWS account (IT) needs to access an S3 bucket hosted in a separate account (Marketing). The EC2 instance is a Windows 2008 R2 server. It runs Cloudberry Drive to map the S3 bucket as a local volume so that a local application can retrieve data from it.

The easiest way to make this work is to create an IAM user in the and assign it with Access keys. But this is against AWS IAM best practice. Cloudberry Drive does provide the option to use a role for S3 bucket access, though their documentation is a bit lacking on how to set this up in a cross-account scenario. After some Googling, it turns out to be fairly straightforward. Here's how I did it.

Let's start with a picture, as it helps to clarify where things are in this two-account setup.

First, in the IT account (111111111111):

1. Create an IAM role market-s3-role with the following policy: fullaccess-marketing-bucket. The policy allows access to t