You can use an S3 bucket that lives in a different AWS account from the one where your file gateway is deployed. For example, your file gateway and file share can be in Account A while the S3 bucket and the KMS key are in Account B. This post walks through the steps to set this up.
In the single-account scenario, when you create a file share on the file gateway you assign it an IAM role. That role needs a trust policy that allows the storagegateway.amazonaws.com service principal to assume it, and a permissions policy that grants the required actions on the S3 bucket backing the file share. For the trust policy and the required permissions, see here. When you create the file share through the AWS Management Console, you can let Storage Gateway create a new IAM role for the file share, as shown in the screenshot below.
In the cross-account scenario, the file share IAM role in Account A is still required, and in addition you need an S3 bucket policy on the bucket in Account B that grants the same permissions to that role: cross-account access to S3 needs both the identity-based policy in the calling account and the resource-based policy in the bucket owner's account. To use a KMS key from Account B, you need to create the file share using the AWS CLI.

Below are the permissions to grant in the bucket policy on Account B's bucket. The principal is the file share IAM role in Account A.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AccountA:role/service-role/<Role-Name>"
            },
            "Action": [
                "s3:GetAccelerateConfiguration",
                "s3:GetBucketLocation",
                "s3:GetBucketVersioning",
                "s3:ListBucket",
                "s3:ListBucketVersions",
                "s3:ListBucketMultipartUploads",
                "s3:AbortMultipartUpload",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:GetObjectVersion",
                "s3:ListMultipartUploadParts",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::AccountB-Bucketname",
                "arn:aws:s3:::AccountB-Bucketname/*"
            ]
        }
    ]
}
Because the KMS key lives in Account B, you need permissions in two places: the KMS key policy in Account B and the file share IAM role policy in Account A. So, in addition to the S3 permissions listed here for the file share role, add the following KMS permissions to the role policy. Use a customer managed, symmetric encryption KMS key: you can edit the key policy only for customer managed keys, and the key policy of an AWS managed key cannot be changed to grant another account access. The Resource must be the fully qualified key ARN, including the region and the Account B account ID; an ARN with those fields left empty will not match the key.
{
    "Sid": "KMSAccess",
    "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey"
    ],
    "Effect": "Allow",
    "Resource": "arn:aws:kms:<region>:<AccountB>:key/111aa2bb-333c-4d44-5555-a111bb2c33dd"
}
So, the file share IAM role policy should look like this:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:GetAccelerateConfiguration",
                "s3:GetBucketLocation",
                "s3:GetBucketVersioning",
                "s3:ListBucket",
                "s3:ListBucketVersions",
                "s3:ListBucketMultipartUploads"
            ],
            "Resource": "arn:aws:s3:::AccountB-Bucketname",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:GetObjectVersion",
                "s3:ListMultipartUploadParts",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::AccountB-Bucketname/*",
            "Effect": "Allow"
        },
        {
            "Sid": "KMSAccess",
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:GenerateDataKey"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:kms:<region>:<AccountB>:key/111aa2bb-333c-4d44-5555-a111bb2c33dd"
        }
    ]
}
The key policy of your customer managed key (CMK) in Account B needs the following statement, which grants the file share IAM role in Account A permission to use the key. Keep the existing key administrator statement in place; this statement is added alongside it.
{
    "Sid": "Allow use of the key",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::AccountA:role/service-role/<Role-Name>"
    },
    "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey"
    ],
    "Resource": "*"
}
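The three policies above have to agree with each other: the bucket policy and the key policy must name the same Account A role, the role policy must grant the same S3 actions on the same bucket ARNs, and its KMS statement must point at the fully qualified key ARN. The script below is an added example, not code from the original post, that cross-checks the three documents before you create the share and flags the gaps that produce upload failures. The account IDs, bucket name, role name, key ID and sample policies in it are constructed placeholders; it is a consistency check on the policy shapes shown in this post, not an IAM policy simulator (Deny statements, Conditions and ARN wildcards are not evaluated).

```python
import json

# Constructed placeholders: Account A owns the role, Account B the bucket and key.
ROLE_ARN = "arn:aws:iam::111111111111:role/service-role/StorageGatewayBucketAccessRole"
BUCKET = "accountb-bucketname"
KEY_ARN = "arn:aws:kms:us-west-2:222222222222:key/111aa2bb-333c-4d44-5555-a111bb2c33dd"

# Actions the file share role needs, split the way the role policy splits them.
BUCKET_ACTIONS = {"s3:GetAccelerateConfiguration", "s3:GetBucketLocation", "s3:GetBucketVersioning",
                  "s3:ListBucket", "s3:ListBucketVersions", "s3:ListBucketMultipartUploads"}
OBJECT_ACTIONS = {"s3:AbortMultipartUpload", "s3:DeleteObject", "s3:DeleteObjectVersion",
                  "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectVersion",
                  "s3:ListMultipartUploadParts", "s3:PutObject", "s3:PutObjectAcl"}
KMS_ACTIONS = {"kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey"}

def _as_list(value):
    """IAM allows a string or a list in Action, Resource and Principal.AWS."""
    return value if isinstance(value, list) else [value]

def allowed_actions(policy, resource, principal=None):
    """Actions that Allow statements grant on the exact `resource` ARN (or on "*").

    For a bucket or key policy pass the role ARN as `principal`; a wildcard
    principal is deliberately not counted, because a bucket open to everyone is
    a different problem. Pass None for the role policy, which has no Principal.
    """
    allowed = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if principal is not None:
            block = stmt.get("Principal", {})
            if block == "*" or principal not in _as_list(block.get("AWS", [])):
                continue
        resources = _as_list(stmt.get("Resource", []))
        if resource in resources or "*" in resources:
            allowed.update(_as_list(stmt.get("Action", [])))
    return allowed

def check_cross_account(role_arn, bucket, key_arn, bucket_policy, role_policy, key_policy):
    """Return a list of findings; an empty list means the three policies agree."""
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    # Account B bucket policy and Account A role policy must both grant the S3 actions.
    for res, need in ((bucket_arn, BUCKET_ACTIONS), (f"{bucket_arn}/*", OBJECT_ACTIONS)):
        missing = need - allowed_actions(bucket_policy, res, principal=role_arn)
        if missing:
            findings.append(f"bucket policy: {res} missing {sorted(missing)}")
        missing = need - allowed_actions(role_policy, res)
        if missing:
            findings.append(f"role policy: {res} missing {sorted(missing)}")
    # A KMS ARN with empty region or account fields (arn:aws:kms:::key/<id>) never
    # matches a key in Account B, so the role silently ends up with no KMS access.
    for stmt in _as_list(role_policy.get("Statement", [])):
        for res in _as_list(stmt.get("Resource", [])):
            parts = res.split(":")
            if len(parts) == 6 and parts[2] == "kms" and "" in parts[3:5]:
                findings.append(f"role policy: KMS resource {res} lacks region or account")
    missing = KMS_ACTIONS - allowed_actions(role_policy, key_arn)
    if missing:
        findings.append(f"role policy: {key_arn} missing {sorted(missing)}")
    # Account B key policy must grant the same KMS actions to the Account A role.
    missing = KMS_ACTIONS - allowed_actions(key_policy, key_arn, principal=role_arn)
    if missing:
        findings.append(f"key policy: role not granted {sorted(missing)}")
    return findings

# Constructed sample policies in the shapes used in this post. The key
# administrator statement that a real key policy also carries is omitted.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
    "Action": sorted(BUCKET_ACTIONS | OBJECT_ACTIONS),
    "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]}]}
KEY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Allow use of the key", "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
    "Action": sorted(KMS_ACTIONS), "Resource": "*"}]}

def role_policy(kms_resource):
    """Account A file share role policy; `kms_resource` lets the demo vary the key ARN."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": sorted(BUCKET_ACTIONS), "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Effect": "Allow", "Action": sorted(OBJECT_ACTIONS), "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        {"Sid": "KMSAccess", "Effect": "Allow", "Action": sorted(KMS_ACTIONS), "Resource": kms_resource}]}

def demo():
    """Run the check with a fully qualified key ARN and with a truncated one."""
    good = check_cross_account(ROLE_ARN, BUCKET, KEY_ARN, BUCKET_POLICY, role_policy(KEY_ARN), KEY_POLICY)
    truncated = "arn:aws:kms:::key/111aa2bb-333c-4d44-5555-a111bb2c33dd"
    bad = check_cross_account(ROLE_ARN, BUCKET, KEY_ARN, BUCKET_POLICY, role_policy(truncated), KEY_POLICY)
    return good, bad

if __name__ == "__main__":
    good, bad = demo()
    print("fully qualified key ARN:", good or "no findings")
    print("truncated key ARN:", json.dumps(bad, indent=2))
```

Feed it the real documents (for example the output of aws s3api get-bucket-policy, aws iam get-role-policy and aws kms get-key-policy, parsed with json.loads) in place of the constructed samples. The second run in demo() shows what the truncated KMS ARN does: the role is reported as having no KMS permission on the key at all, which is exactly the condition behind the S3AccessDenied health-log entry discussed under Troubleshooting. Two things the checker cannot see and that you should confirm separately: the aws storagegateway create-smb-file-share command takes the same --kms-encrypted and --kms-key options as the update command shown later in this post, along with --role, --location-arn and --gateway-arn; and objects that the Account A role writes into the Account B bucket are owned by Account A unless the bucket's Object Ownership setting is bucket owner enforced or the share writes them with the bucket-owner-full-control ACL (the share's ObjectACL setting), so check that setting if Account B cannot read what the gateway uploads.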
If you already created the file share without KMS encryption, you can update it to use the Account B key with the following CLI command. Run it with credentials in Account A, where the share lives; for an NFS share use update-nfs-file-share with the same options.
aws storagegateway update-smb-file-share --file-share-arn arn:aws:storagegateway:us-west-2:AccountA:share/share-1234ABCD --kms-encrypted --kms-key arn:aws:kms:us-west-2:AccountB:key/111aa2bb-333c-4d44-5555-a111bb2c33dd
You can now map the file share and test it by uploading a file. The file should appear in the S3 bucket in Account B.
Troubleshooting:
If files are not showing up in the S3 bucket, check the Files Failing To Upload (FilesFailingUpload) CloudWatch metric for the gateway, and look at the CloudWatch health logs of the file gateway, under the specific share, for permission errors that prevent the upload to S3. The entry below is an example of such an error caused by a permissions problem on the file share IAM role; in this case the KMS permissions were missing from the role. Note that the type is still S3AccessDenied: when S3 cannot obtain a data key from KMS on behalf of the caller, it rejects the PUT as access denied, so a KMS gap on the role surfaces as an S3 error.
{
    "severity": "ERROR",
    "bucket": "cloudleg",
    "prefix": "/",
    "roleArn": "arn:aws:iam::111122223333:role/service-role/<rolename>",
    "source": "share-1234ABCD",
    "type": "S3AccessDenied",
    "operation": "S3Upload",
    "gateway": "sgw-1234ABCD",
    "timestamp": "1661970080011"
}
Let us know if you have any questions in the comments section.