I'm curious if it's possible to grant cross-account access to Amazon S3 using IAM Identity Center (formerly AWS SSO). Specifically, can IAM Identity Center users access an S3 bucket in a different AWS account using only Permission Sets and the bucket policy, without needing to create IAM users or manually set up IAM roles? We're working with different departments—IT, DevOps, and R&D—each in their own AWS accounts under the same AWS Organization, and each department should only access its respective folder in the S3 bucket.
1 Answer
Yes, there's really no difference when it comes to permissions between a role created by IAM Identity Center and any other role. So you can grant access to the S3 bucket the same way you would for any other role.

Thanks for clarifying! I thought that with IAM Identity Center, I was strictly working with Permission Sets and didn't have to create IAM roles myself. Just trying to wrap my head around it all!
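As an added illustration of the answer (not code from the original thread), here is a Python helper that emits a bucket policy scoping each department's permission-set role to its own prefix. The account IDs, permission set names, bucket name and organization ID are constructed placeholders; the role ARN pattern is the one IAM Identity Center uses when it provisions a permission set into a member account.

```python
import json

# Constructed sample: department -> (member account id, permission set name). Placeholder values.
DEPARTMENTS = {
    "it":     ("111111111111", "ITDeptAccess"),
    "devops": ("222222222222", "DevOpsAccess"),
    "rnd":    ("333333333333", "RnDAccess"),
}

def sso_role_pattern(account_id: str, permission_set: str) -> str:
    """ARN pattern of the role Identity Center provisions for a permission set in one account.
    The trailing suffix is generated by Identity Center, so it is matched with a wildcard."""
    return (f"arn:aws:iam::{account_id}:role/aws-reserved/sso.amazonaws.com/"
            f"AWSReservedSSO_{permission_set}_*")

def build_bucket_policy(bucket: str, org_id: str, departments: dict) -> dict:
    """Bucket policy allowing each department's role to list and read/write only its own prefix."""
    statements = []
    for dept, (account_id, permission_set) in departments.items():
        role = sso_role_pattern(account_id, permission_set)
        # Wildcards are not valid inside the Principal element, so the role is matched
        # through aws:PrincipalArn; aws:PrincipalOrgID restricts the grant to the organization.
        statements.append({
            "Sid": f"{dept}List",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "s3:ListBucket",
            "Resource": f"arn:aws:s3:::{bucket}",
            "Condition": {
                "StringLike": {"aws:PrincipalArn": role, "s3:prefix": f"{dept}/*"},
                "StringEquals": {"aws:PrincipalOrgID": org_id},
            },
        })
        statements.append({
            "Sid": f"{dept}Objects",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::{bucket}/{dept}/*",
            "Condition": {
                "StringLike": {"aws:PrincipalArn": role},
                "StringEquals": {"aws:PrincipalOrgID": org_id},
            },
        })
    return {"Version": "2012-10-17", "Statement": statements}

if __name__ == "__main__":
    print(json.dumps(build_bucket_policy("shared-dept-bucket", "o-exampleorgid", DEPARTMENTS), indent=2))
```

Because the access is cross-account, the permission set's own policy in each member account must also allow the same S3 actions on the bucket; the bucket policy alone is not sufficient.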