cur-dashboard
Cross account access fails with 'Access Denied'
We have a billing account where the CUR is generated and stored, and we have a second utility account in which we want to run the dashboard processing. When accessing the s3 bucket from our utility account we receive an 'Access Denied' response from s3.
In speaking with S3 support, the reason for this is that the CUR objects are actually owned by an AWS-managed account, not the bucket owner. AWS sets an explicit object ACL to grant full access to the bucket owner, but that does not allow us to use a bucket policy to delegate access to another account.
Their suggested solution is to either 1) run a lambda that updates the Object ACL to allow explicit access from our utility account by canonical user (account) ID or 2) set up a role within the billing account that can be assumed by the CUR processing instance.
Option 1 is a hack and goes against our policy.
Pursuing option 2 will require that an explicit role ARN be configured as an optional input to the CloudFormation (Cfn) template and then plumbed both into the userdata on the instance and into the arguments being passed at https://github.com/aws-quickstart/cur-dashboard/blob/master/scripts/go/analyzeCUR/analyzeCUR.go#L709 . The underlying library already has support for assuming a role in exactly this way.
See definition: https://github.com/aws-quickstart/cur-dashboard/blob/master/scripts/go/curconvert/curconvert.go#L91 and usage here: https://github.com/aws-quickstart/cur-dashboard/blob/master/scripts/go/example/curcli/curcli.go#L122
More information on the exact issue here: https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-owner-access/
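To make option 2 concrete, here is an added example (not code from the cur-dashboard project) that builds the two IAM documents the billing account needs, a trust policy naming the utility account's instance role as the only principal allowed to assume the new role and a read-only permission policy scoped to the CUR bucket and report prefix, and checks that neither contains a wildcard before it goes into a template. Account IDs, role and bucket names are assumed placeholders, and the utility account's instance role still needs its own sts:AssumeRole permission on the resulting role ARN, which is the value the template parameter would carry.

```go
package main

import (
	"encoding/json"
	"strings"
)

type Statement struct { // one IAM policy statement, only the fields used here
	Effect    string            `json:"Effect"`
	Principal map[string]string `json:"Principal,omitempty"`
	Action    []string          `json:"Action"`
	Resource  []string          `json:"Resource,omitempty"`
}
type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// TrustPolicy (attached to the billing-account role) names the utility
// account's instance role as the only principal allowed to assume it.
func TrustPolicy(utilityRoleARN string) Policy {
	return Policy{"2012-10-17", []Statement{{Effect: "Allow", Action: []string{"sts:AssumeRole"},
		Principal: map[string]string{"AWS": utilityRoleARN}}}}
}

// CURReadPolicy (attached to the same role) is read-only and scoped to the
// CUR bucket and report prefix (given without leading or trailing slashes).
func CURReadPolicy(bucket, prefix string) Policy {
	return Policy{"2012-10-17", []Statement{
		{Effect: "Allow", Action: []string{"s3:ListBucket"}, Resource: []string{"arn:aws:s3:::" + bucket}},
		{Effect: "Allow", Action: []string{"s3:GetObject"}, Resource: []string{"arn:aws:s3:::" + bucket + "/" + prefix + "/*"}},
	}}
}

// LeastPrivilege is false if any principal, action or resource is a wildcard.
func LeastPrivilege(p Policy) bool {
	for _, s := range p.Statement {
		for _, v := range append(append([]string{s.Principal["AWS"]}, s.Action...), s.Resource...) {
			if v == "*" || strings.HasSuffix(v, ":*") {
				return false
			}
		}
	}
	return true
}

func Render(p Policy) string { // the JSON document IAM and CloudFormation expect
	b, _ := json.MarshalIndent(p, "", "  ")
	return string(b)
}
```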