AWS Cloudfront distribution based on S3 bucket with cross-account objects getting Access denied
Unfortunately, this is the expected behavior. OAIs can't access objects owned (created) by a different account because bucket-owner-full-control
uses an unusual definition of "full" that excludes bucket policy grants to principals outside your own AWS account -- and the OAI's canonical user is, technically, outside your AWS account.
If another AWS account uploads files to your bucket, that account is the owner of those files. Bucket policies only apply to files that the bucket owner owns. This means that if another account uploads files to your bucket, the bucket policy that you created for your OAI will not be evaluated for those files.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#private-content-granting-permissions-to-oai
As @Michael - sqlbot pointed out in his answer, this is the expected behavior.
A possible solution is to perform the copy to the final bucket using credentials from the acc-2
account, so the owner of the objects will be always the acc-2
. There are at least 2 options for doing that:
1) Use Temporary Credentials and AssumeRole AWS STS API: you create an IAM Role in acc-2
with enough permissions to perform the copy to the content
bucket (PutObject
and PutObjectAcl
), then from the acc-1
API you call AWS STS AssumeRole for getting temporary credentials by assuming the IAM Role, and perform the copy using these temporary access keys.
This is the most secure approach.
2) Use Access Keys: you could create an IAM User in acc-2
, generate regular Access Keys for it, and handle those keys to the acc-1
, so the acc-1
uses those "permanent" credentials to perform the copy.
Distributing access keys across AWS accounts is not a good idea from a security standpoint, and AWS discourages you from doing so, but it's certainly possible. Also, from a maintainability point of view can be a problem too - as acc-1
should store the Access Keys in a very safe way and acc-2
should be rotating Access Keys somewhat frequently.