Example container policy: Cross-account read access to a role

The example policy allows access to the GetObject and DescribeObject operations on any object (as specified by the * at the end of the resource path) that is owned by the <owner acct number>. It allows this access to any user of the <other acct number> if that account has assumed the role that is specified in <role name>:


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CrossAccountRoleRead",
      "Effect": "Allow",
      "Action": ["mediastore:GetObject", "mediastore:DescribeObject"],
      "Principal":{
        "AWS": "arn:aws:iam::<other acct number>:role/<role name>"},
      "Resource": "arn:aws:mediastore:<region>:<owner acct number>:container/<container name>/*",
    }
  ]
}

Warning Javascript is disabled or is unavailable in your browser.

To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Cross-account read access over HTTPS

Cross-account full access to a role