Helm s3 plugin for cross-account access

7/28/2019

I am using S3 as a Helm chart repository. I want to access/manage this chart from two separate EC2 instances in different AWS accounts, each with a different role attached.

I created a bucket in AWS Account A with the command below:

aws s3api create-bucket --bucket test15-helm-bucket --region "eu-central-1" --create-bucket-configuration LocationConstraint=eu-central-1

Initialised the Helm chart repo with the command below:

helm s3 init s3://test15-helm-bucket/charts
Initialized empty repository at s3://test15-helm-bucket/charts

Got the canonical ID of the account that owns the object:

aws s3api list-objects --bucket test15-helm-bucket --prefix charts
{
    "Contents": [
        {
            "ETag": "\"xxxxxxxxxxxxxx\"",
            "LastModified": "xxxxxxxxxxxxxx",
            "StorageClass": "STANDARD",
            "Size": 69,
            "Owner": {
                "ID": "ee70xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
            },
            "Key": "charts/index.yaml"
        }
    ]
}

Added the Helm repo as below:

helm repo add testing s3://test15-helm-bucket/charts
"testing" has been added to your repositories 

Now, from the Account B EC2 instance, I configured a cross-account role to assume the role attached to the Account A EC2 instance, i.e.:

[profile helm]
role_arn = arn:aws:iam::AccountA:role/roleName
credential_source = Ec2InstanceMetadata
region = eu-central-1

then configured the environment variable below:

export AWS_PROFILE=helm

I ran the command below to get the canonical ID of the account from the machine in AWS Account B, and got the expected result, the canonical ID of Account A:

aws s3api list-buckets --query Owner.ID

However, the helm command to add the repo on this machine fails with:

helm repo add testing s3://test15-helm-bucket/charts
fetch from s3: fetch object from s3: AccessDenied: Access Denied
        status code: 403, request id: xxxxxxxxx, host id: xxxxxxxxxxxxxxxxxxxxxxxxxxx
Error: Looks like "s3://test15-helm-bucket/charts" is not a valid chart repository or cannot be reached: plugin "bin/helms3" exited with error

It looks like the helm s3 plugin is not able to assume the role in Account A; however, the AWS command does.

How can I solve this problem?

-- Ruchir Bharadwaj
amazon-iam
amazon-s3
kubernetes-helm

1 Answer

8/1/2019

The error message only indicates that READ access is denied; however, your API command only shows us that you granted LIST access to the bucket. It is not possible to comment further on this issue without seeing the attached policy.

However, you can also try configuring cross-account bucket access and skip configuring CLI profile on the instance.

1. Attach a bucket policy to your bucket to give access to a role (EC2) in another account.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<Account-B-ID>:role/<ec2-role-name>"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::<AccountABucketName>/*"
            ]
        }
    ]
}
2. Attach a policy to the IAM role of the EC2 instance in Account-B to access the bucket in Account-A.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::<AccountABucketName>/*"
        }
    ]
}

You should now be able to read/write to the bucket from Account-B.

aws s3 cp s3://<bucket>/<anobject> .
-- Vikyol
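The answer's two-policy setup rests on a rule worth checking mechanically: a cross-account S3 call succeeds only when the identity policy in the caller's account AND the bucket policy in the bucket owner's account both allow it, and S3 authorises listing against the bucket ARN (`arn:aws:s3:::bucket`) while object reads and writes are authorised against object ARNs (`bucket/*`), so a policy that grants only `/*` never permits `s3:ListBucket`. The script below is an added example, not code from the thread or from the helm-s3 project; it is a small evaluator for exactly that subset of IAM (no conditions, NotAction, SCPs or permission boundaries) and runs the answer's policy pair through three constructed calls. The account IDs, the role name `helm-ec2-role`, the chart object name and the "workflow" checklist are assumptions for illustration; only the bucket name comes from the question.

```python
"""Two-policy check for cross-account S3 access (added example; not code from
the original thread or the helm-s3 project).

Models the subset of IAM evaluation that matters here: a principal in Account B
calling S3 on a bucket owned by Account A succeeds only when the identity
policy in B AND the bucket policy in A both allow the action on that resource,
and neither contains a matching explicit Deny. Conditions, NotAction,
NotResource, SCPs and permission boundaries are deliberately out of scope.
"""
import fnmatch

ACCOUNT_A = "111111111111"                                  # hypothetical bucket owner
ACCOUNT_B = "222222222222"                                  # hypothetical EC2 account
ROLE_B = f"arn:aws:iam::{ACCOUNT_B}:role/helm-ec2-role"    # hypothetical role
BUCKET = "test15-helm-bucket"                               # bucket name from the question
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"

# The answer's policy pair with the placeholders filled in.
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl"]
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE_B},
     "Action": OBJECT_ACTIONS, "Resource": [f"{BUCKET_ARN}/*"]}]}
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": OBJECT_ACTIONS, "Resource": f"{BUCKET_ARN}/*"}]}


def with_list_bucket(policy, principal=None):
    """Return a copy of `policy` that also allows s3:ListBucket on the bucket ARN.
    Listing is authorised against the bucket itself, not against "bucket/*"."""
    stmt = {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET_ARN}
    if principal:  # bucket (resource) policies need a Principal; identity policies must not have one
        stmt["Principal"] = {"AWS": principal}
    return {"Version": "2012-10-17", "Statement": policy["Statement"] + [stmt]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_applies(stmt, action, resource, principal=None):
    """True if the statement's Action, Resource (and Principal, for a bucket
    policy) all match; IAM wildcards * and ? are honoured, actions are case-insensitive."""
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))):
        return False
    if principal is None:          # identity policy: no Principal element to check
        return True
    declared = stmt.get("Principal")
    if declared == "*":
        return True
    return any(p in ("*", principal) for p in _as_list((declared or {}).get("AWS", [])))


def _decision(policy, action, resource, principal=None):
    """'Deny' (explicit), 'Allow', or None (implicit deny) for one policy document."""
    result = None
    for stmt in policy.get("Statement", []):
        if not _statement_applies(stmt, action, resource, principal):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit Deny always wins
        result = "Allow"
    return result


def s3_call_allowed(principal_arn, action, resource, identity_policy, bucket_policy, bucket_account):
    """Same-account: either policy allowing is enough. Cross-account: both must allow."""
    principal_account = principal_arn.split(":")[4]
    ident = _decision(identity_policy, action, resource)
    bucket = _decision(bucket_policy, action, resource, principal=principal_arn)
    if "Deny" in (ident, bucket):
        return False
    if principal_account == bucket_account:
        return "Allow" in (ident, bucket)
    return ident == "Allow" and bucket == "Allow"


# Constructed checklist of the calls a chart-repo workflow makes (fetch the index,
# push a chart, list the prefix); confirm the exact calls against your plugin version.
WORKFLOW = {
    "fetch index": ("s3:GetObject", f"{BUCKET_ARN}/charts/index.yaml"),
    "push chart":  ("s3:PutObject", f"{BUCKET_ARN}/charts/mychart-0.1.0.tgz"),
    "list prefix": ("s3:ListBucket", BUCKET_ARN),
}


def workflow_report(identity_policy, bucket_policy):
    """Map each workflow step to whether ROLE_B may perform it against Account A's bucket."""
    return {name: s3_call_allowed(ROLE_B, action, res, identity_policy, bucket_policy, ACCOUNT_A)
            for name, (action, res) in WORKFLOW.items()}


if __name__ == "__main__":
    print("answer's pair   :", workflow_report(IDENTITY_POLICY, BUCKET_POLICY))
    print("with ListBucket :", workflow_report(with_list_bucket(IDENTITY_POLICY),
                                               with_list_bucket(BUCKET_POLICY, ROLE_B)))
    print("no bucket policy:", workflow_report(IDENTITY_POLICY, {"Statement": []}))
```

Run as-is, the first line shows the answer's pair permits the index fetch and the chart push but not the prefix listing; the second shows both policies need the extra `s3:ListBucket` statement on the bucket ARN; the third shows that with the identity policy alone (the cross-account situation with no bucket policy) every call is denied, which is the 403 shape in the question. Two practical caveats on the answer's approach: objects Account B writes into Account A's bucket are owned by Account B, so Account A cannot read them unless the writer sets the `bucket-owner-full-control` ACL (the reason `s3:PutObjectAcl` appears in the policies) or the bucket's object ownership setting makes the bucket owner the owner of all uploads; and, for the symptom in the question (the CLI assumes the role but a Go tool does not), tools built on aws-sdk-go v1 only read `role_arn` profiles from `~/.aws/config` when `AWS_SDK_LOAD_CONFIG=1` is set in the environment.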
Source: StackOverflow