# Example 2: Bucket owner granting cross-account bucket permissions
**Important**
Granting permissions to IAM roles is a better practice than granting permissions to individual users. To learn how to do this, see [Understanding cross-account permissions and using IAM roles](example-walkthroughs-managing-access-example4.md#access-policies-walkthrough-example4-overview).
**Topics**
+ [Preparing for the walkthrough](#cross-acct-access-step0)
+ [Step 1: Do the Account A tasks](#access-policies-walkthrough-cross-account-permissions-acctA-tasks)
+ [Step 2: Do the Account B tasks](#access-policies-walkthrough-cross-account-permissions-acctB-tasks)
+ [Step 3: (Optional) Try explicit deny](#access-policies-walkthrough-example2-explicit-deny)
+ [Step 4: Clean up](#access-policies-walkthrough-example2-cleanup-step)
An AWS account—for example, Account A—can grant another AWS account, Account B, permission to access its resources such as buckets and objects. Account B can then delegate those permissions to users in its account. In this example scenario, a bucket owner grants cross-account permission to another account to perform specific bucket operations.
**Note**
Account A can also directly grant a user in Account B permissions using a bucket policy. However, the user will still need permission from the parent account, Account B, to which the user belongs, even if Account B doesn't have permissions from Account A. As long as the user has permission from both the resource owner and the parent account, the user will be able to access the resource.
The following is a summary of the walkthrough steps:
![\[An AWS account granting another AWS account permission to access its resources.\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/access-policy-ex2.png)
1. Account A administrator user attaches a bucket policy granting cross-account permissions to Account B to perform specific bucket operations.
Note that administrator user in Account B will automatically inherit the permissions.
1. Account B administrator user attaches user policy to the user delegating the permissions it received from Account A.
1. User in Account B then verifies permissions by accessing an object in the bucket owned by Account A.
For this example, you need two accounts. The following table shows how we refer to these accounts and the administrator users in them. In accordance with the IAM guidelines (see [About using an administrator user to create resources and grant permissions](example-walkthroughs-managing-access.md#about-using-root-credentials)), we don't use the root user credentials in this walkthrough. Instead, you create an administrator user in each account and use those credentials when creating resources and granting them permissions.
| AWS account ID | Account referred to as | Administrator user in the account |
| --- | --- | --- |
| *1111-1111-1111* | Account A | AccountAadmin |
| *2222-2222-2222* | Account B | AccountBadmin |
All the tasks of creating users and granting permissions are done in the AWS Management Console. To verify permissions, the walkthrough uses the command line tools, AWS Command Line Interface (CLI) and AWS Tools for Windows PowerShell, so you don't need to write any code.
## Preparing for the walkthrough
1. Make sure you have two AWS accounts and that each account has one administrator user as shown in the table in the preceding section.
1. Sign up for an AWS account, if needed.
1. Using Account A credentials, sign in to the [IAM console](https://console.aws.amazon.com/iam/home?#home) to create the administrator user:
1. Create user **AccountAadmin** and note the security credentials. For instructions, see [Creating an IAM user in Your AWS account](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) in the *IAM User Guide*.
1. Grant administrator privileges to **AccountAadmin** by attaching a user policy giving full access. For instructions, see [Working with Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage.html) in the *IAM User Guide*.
1. While you are in the IAM console, note the **IAM user Sign-In URL** on the **Dashboard**. All users in the account must use this URL when signing in to the AWS Management Console.
For more information, see [How Users Sign in to Your Account](https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started_how-users-sign-in.html) in *IAM User Guide*.
1. Repeat the preceding step using Account B credentials and create administrator user **AccountBadmin**.
1. Set up either the AWS Command Line Interface (AWS CLI) or the AWS Tools for Windows PowerShell. Make sure that you save administrator user credentials as follows:
+ If using the AWS CLI, create two profiles, `AccountAadmin` and `AccountBadmin`, in the config file.
+ If using the AWS Tools for Windows PowerShell, make sure that you store credentials for the session as `AccountAadmin` and `AccountBadmin`.
For instructions, see [Setting up the tools for the walkthroughs](policy-eval-walkthrough-download-awscli.md).
1. Save the administrator user credentials, also referred to as profiles. You can use the profile name instead of specifying credentials for each command you enter. For more information, see [Setting up the tools for the walkthroughs](policy-eval-walkthrough-download-awscli.md).
1. Add profiles in the AWS CLI credentials file for each of the administrator users, `AccountAadmin` and `AccountBadmin`, in the two accounts.
```
[AccountAadmin]
aws_access_key_id = access-key-ID
aws_secret_access_key = secret-access-key
region = us-east-1
[AccountBadmin]
aws_access_key_id = access-key-ID
aws_secret_access_key = secret-access-key
region = us-east-1
```
1. If you're using the AWS Tools for Windows PowerShell, run the following command.
```
set-awscredentials –AccessKey AcctA-access-key-ID –SecretKey AcctA-secret-access-key –storeas AccountAadmin
set-awscredentials –AccessKey AcctB-access-key-ID –SecretKey AcctB-secret-access-key –storeas AccountBadmin
```
## Step 1: Do the Account A tasks
### Step 1.1: Sign in to the AWS Management Console
Using the IAM user sign-in URL for Account A, first sign in to the AWS Management Console as **AccountAadmin** user. This user will create a bucket and attach a policy to it.
### Step 1.2: Create a bucket
1. In the Amazon S3 console, create a bucket. This exercise assumes the bucket is created in the US East (N. Virginia) AWS Region and is named `amzn-s3-demo-bucket`.
For instructions, see [Creating a general purpose bucket](create-bucket-overview.md).
1. Upload a sample object to the bucket.
For instructions, go to [Step 2: Upload an object to your bucket](GetStartedWithS3.md#uploading-an-object-bucket).
### Step 1.3: Attach a bucket policy to grant cross-account permissions to Account B
The bucket policy grants the `s3:GetLifecycleConfiguration` and `s3:ListBucket` permissions to Account B. It's assumed that you're still signed in to the console using **AccountAadmin** user credentials.
1. Attach the following bucket policy to `amzn-s3-demo-bucket`. The policy grants Account B permission for the `s3:GetLifecycleConfiguration` and `s3:ListBucket` actions.
For instructions, see [Adding a bucket policy by using the Amazon S3 console](add-bucket-policy.md).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "Example permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"s3:GetLifecycleConfiguration",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket"
]
}
]
}
```
------
1. Verify that Account B (and thus its administrator user) can perform the operations.
+ Verify using the AWS CLI
```
aws s3 ls s3://amzn-s3-demo-bucket --profile AccountBadmin
aws s3api get-bucket-lifecycle-configuration --bucket amzn-s3-demo-bucket --profile AccountBadmin
```
+ Verify using the AWS Tools for Windows PowerShell
```
get-s3object -BucketName amzn-s3-demo-bucket -StoredCredentials AccountBadmin
get-s3bucketlifecycleconfiguration -BucketName amzn-s3-demo-bucket -StoredCredentials AccountBadmin
```
## Step 2: Do the Account B tasks
Now the Account B administrator creates a user, Dave, and delegates the permissions received from Account A.
### Step 2.1: Sign in to the AWS Management Console
Using the IAM user sign-in URL for Account B, first sign in to the AWS Management Console as **AccountBadmin** user.
### Step 2.2: Create user Dave in Account B
In the [IAM Console](https://console.aws.amazon.com/iam/), create a user, **Dave**.
For instructions, see [Creating IAM users (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html#id_users_create_console) in the *IAM User Guide*.
### Step 2.3: Delegate permissions to user Dave
Create an inline policy for the user Dave by using the following policy. You will need to update the policy by providing your bucket name.
It's assumed that you're signed in to the console using **AccountBadmin** user credentials.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "Example",
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket"
]
}
]
}
```
------
For instructions, see [Managing IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_inline-using.html) in the *IAM User Guide*.
### Step 2.4: Test permissions
Now Dave in Account B can list the contents of `amzn-s3-demo-bucket` owned by Account A. You can verify the permissions using either of the following procedures.
**Test permissions using the AWS CLI**
1. Add the `UserDave` profile to the AWS CLI config file. For more information about the config file, see [Setting up the tools for the walkthroughs](policy-eval-walkthrough-download-awscli.md).
```
[profile UserDave]
aws_access_key_id = access-key
aws_secret_access_key = secret-access-key
region = us-east-1
```
1. At the command prompt, enter the following AWS CLI command to verify Dave can now get an object list from the `amzn-s3-demo-bucket` owned by Account A. Note the command specifies the `UserDave` profile.
```
aws s3 ls s3://amzn-s3-demo-bucket --profile UserDave
```
Dave doesn't have any other permissions. So, if he tries any other operation—for example, the following `get-bucket-lifecycle` configuration—Amazon S3 returns permission denied.
```
aws s3api get-bucket-lifecycle-configuration --bucket amzn-s3-demo-bucket --profile UserDave
```
**Test permissions using AWS Tools for Windows PowerShell**
1. Store Dave's credentials as `AccountBDave`.
```
set-awscredentials -AccessKey AccessKeyID -SecretKey SecretAccessKey -storeas AccountBDave
```
1. Try the List Bucket command.
```
get-s3object -BucketName amzn-s3-demo-bucket -StoredCredentials AccountBDave
```
Dave doesn't have any other permissions. So, if he tries any other operation—for example, the following `get-s3bucketlifecycleconfiguration`—Amazon S3 returns permission denied.
```
get-s3bucketlifecycleconfiguration -BucketName amzn-s3-demo-bucket -StoredCredentials AccountBDave
```
## Step 3: (Optional) Try explicit deny
You can have permissions granted by using an access control list (ACL), a bucket policy, or a user policy. But if there is an explicit deny set by either a bucket policy or a user policy, the explicit deny takes precedence over any other permissions. For testing, update the bucket policy and explicitly deny Account B the `s3:ListBucket` permission. The policy also grants `s3:ListBucket` permission. However, explicit deny takes precedence, and Account B or users in Account B will not be able to list objects in `amzn-s3-demo-bucket`.
1. Using credentials of user `AccountAadmin` in Account A, replace the bucket policy by the following.
1. Now if you try to get a bucket list using `AccountBadmin` credentials, access is denied.
+ Using the AWS CLI, run the following command:
```
aws s3 ls s3://amzn-s3-demo-bucket --profile AccountBadmin
```
+ Using the AWS Tools for Windows PowerShell, run the following command:
```
get-s3object -BucketName amzn-s3-demo-bucket -StoredCredentials AccountBDave
```
## Step 4: Clean up
1. After you're done testing, you can do the following to clean up:
1. Sign in to the AWS Management Console ([AWS Management Console](https://console.aws.amazon.com/)) using Account A credentials, and do the following:
+ In the Amazon S3 console, remove the bucket policy attached to `amzn-s3-demo-bucket`. In the bucket **Properties**, delete the policy in the **Permissions** section.
+ If the bucket is created for this exercise, in the Amazon S3 console, delete the objects and then delete the bucket.
+ In the [IAM Console](https://console.aws.amazon.com/iam/), remove the `AccountAadmin` user.
1. Sign in to the [IAM Console](https://console.aws.amazon.com/iam/) using Account B credentials. Delete user `AccountBadmin`. For step-by-step instructions, see [Deleting an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_manage.html#id_users_deleting) in the *IAM User Guide*.