Cross account bucket access for IAM roles

README.md

For: https://www.reddit.com/r/aws/comments/5jf7fb/permissions_for_lambda_accessing_s3_buckets_in/

This is a little tricky, because it requires several different moving parts, specifically,

• the lambda task that you want to execute the copy must have IAM access to the bucket in the other account. This is not something that was obvious to me to begin with, although my use case was more complicated.
• the bucket policy on the destination account must be set to permit your lambda function to write to that bucket. For my special use cases, I have to upload a new bucket policy daily to the receiving buckets. Alternatively, the destination accounts could probably give your a cross-account IAM role to upload the bucket policy yourself.
• You will likely want to write your objects with the bucket-owner-full-control acl, http://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html otherwise, the bucket owner may not be able to download them.

bucket_policy

{
    "Statement": [
		{
			"Sid": "",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<account_id_lambda_is_running_in>:role/<lambda_role>"
			},
			"Action": [
				"s3:PutObject",
				"s3:PutObjectAcl"
			],
			"Resource": "arn:aws:s3:::<destination_bucket>/*"
		}
	]
}

iam_role.json

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:ListBucketVersions",
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::<source_bucket>",
                "arn:aws:s3:::<source_bucket>/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::<destination_bucket>/*"
            ]
        }
    ]
}