Welcome to new things


How to allow access to S3 files across AWS accounts

There are times when you want to retrieve S3 files from one account to another.

In such cases, the quickest option is to create a dedicated user who can download the S3 files, but it can also be done by granting the source account's user or role access to the destination S3 bucket.

With a dedicated user, you typically download the file and work on a local copy, whereas with granted access privileges the file can be referenced directly, saving the time and effort of copying.

For example, if you want to crawl another account's S3 files with AWS Glue, a dedicated user means you first have to download the files into the Glue account's own S3 bucket and crawl them there, whereas with access privileges granted you can crawl the other account's S3 bucket directly.

Also, with a dedicated user the transfer cost is billed to the account that owns the user, whereas with granted access privileges it is billed to the party that retrieves the files.

Method

This is done by registering, on the S3 bucket itself, the users or roles that should be allowed to access it.

Register the access permissions under [S3] - [Bucket to be allowed] - [Access privileges] - [Bucket policy].

For example, a policy that makes the entire bucket readable is as follows (replace 任意の名前 with any statement name, アクセス権限付与対象のARN with the ARN of the user or role being granted access, and バケット名 with the bucket name):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "任意の名前",
            "Effect": "Allow",
            "Principal": {
                "AWS": "アクセス権限付与対象のARN"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::バケット名",
                "arn:aws:s3:::バケット名/*"
            ]
        }
    ]
}

Bucket policies are flexible in how they grant access: you can grant write as well as read privileges, or restrict access to specific files or to a particular folder and everything below it.
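As an added example (not code from the original post), the following Python builds such a bucket policy for one cross-account principal, with optional write access and an optional folder restriction, and then reviews it for the settings a defender would reject. The account id, role name and bucket name are constructed placeholders. Note that for cross-account access the grantee's own IAM identity policy must also allow these S3 actions; the bucket policy alone is not sufficient.

```python
import json

# Constructed sample values (not real accounts or buckets).
GRANTEE_ROLE_ARN = "arn:aws:iam::111111111111:role/GlueCrawlerRole"
BUCKET = "example-shared-data"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def build_bucket_policy(bucket, principal_arn, prefix=None, allow_write=False):
    """Bucket policy granting one cross-account principal read (optionally write) access.
    ListBucket is bucket-level, so with `prefix` it also needs an s3:prefix condition;
    otherwise the grantee can enumerate every key even if it can only read the folder."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    folder = f"{prefix.strip('/')}/" if prefix else ""
    object_actions = ["s3:GetObject"] + (["s3:PutObject", "s3:DeleteObject"] if allow_write else [])
    list_stmt = {"Sid": "CrossAccountList", "Effect": "Allow",
                 "Principal": {"AWS": principal_arn},
                 "Action": "s3:ListBucket", "Resource": bucket_arn}
    if folder:
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [f"{folder}*"]}}
    object_stmt = {"Sid": "CrossAccountObjects", "Effect": "Allow",
                   "Principal": {"AWS": principal_arn},
                   "Action": object_actions, "Resource": f"{bucket_arn}/{folder}*"}
    return {"Version": "2012-10-17", "Statement": [list_stmt, object_stmt]}

def review_policy(policy):
    """Findings a reviewer would raise before attaching the policy to the bucket."""
    findings = []
    allows = [s for s in policy["Statement"] if s.get("Effect") == "Allow"]
    # True when some object grant is narrower than the whole bucket ("bucket/*").
    narrowed = any("/" in r and r.split("/", 1)[1] != "*"
                   for s in allows for r in _as_list(s["Resource"]))
    for st in allows:
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if "*" in _as_list(aws):
            findings.append(f"{st['Sid']}: wildcard principal grants access to anyone")
        actions = _as_list(st["Action"])
        if any(a in ("s3:*", "*") for a in actions):
            findings.append(f"{st['Sid']}: action wildcard grants far more than read/write")
        if "s3:ListBucket" in actions and narrowed and "Condition" not in st:
            findings.append(f"{st['Sid']}: ListBucket has no s3:prefix condition, whole bucket is listable")
    return findings

if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET, GRANTEE_ROLE_ARN, prefix="glue-input")
    print(json.dumps(policy, indent=4))
    print(review_policy(policy) or "no findings")
```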
