Example Container Policy: Cross-Account Read Access to a Role
The example policy allows access to the GetObject and DescribeObject operations on any object (as specified by the * at the end of the resource path) in the container that is owned by the <owner acct number> account. It allows this access to any user of the <other acct number> account who has assumed the role that is specified in <role name>:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CrossAccountRoleRead",
      "Effect": "Allow",
      "Action": ["mediastore:GetObject", "mediastore:DescribeObject"],
      "Principal": {
        "AWS": "arn:aws:iam::<other acct number>:role/<role name>"
      },
      "Resource": "arn:aws:mediastore:<region>:<owner acct number>:container/<container name>/*"
    }
  ]
}
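Before attaching a policy of this shape, it is worth checking that the grant really is limited to one role and to the two read operations. The following is an added example, not AWS code: the function names, account numbers, role name, region and container name are all constructed for illustration.

```python
import json
import re

READ_ONLY = {"mediastore:GetObject", "mediastore:DescribeObject"}  # actions the example policy grants
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/.+$")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_container_policy(policy_text, owner_account):
    """Return findings for Allow statements broader than role-scoped cross-account read."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"policy is not valid JSON: {exc.msg}"]
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        cross_account = False
        for arn in arns:
            m = ROLE_ARN.match(arn)
            if m is None:  # wildcard, account root, bare account ID, IAM user, ...
                findings.append(f"{sid}: principal {arn!r} is not a specific IAM role")
            cross_account = cross_account or m is None or m.group(1) != owner_account
        extra = set(_as_list(stmt.get("Action", []))) - READ_ONLY
        if cross_account and extra:
            findings.append(f"{sid}: cross-account grant includes non-read actions {sorted(extra)}")
        for res in _as_list(stmt.get("Resource", [])):
            if f":{owner_account}:container/" not in res:
                findings.append(f"{sid}: resource {res!r} is outside account {owner_account}")
    return findings

def sample_policy(principal_arn, actions):
    # Constructed sample in the shape of the example policy; every value is made up.
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "CrossAccountRoleRead", "Effect": "Allow", "Action": actions,
        "Principal": {"AWS": principal_arn},
        "Resource": "arn:aws:mediastore:us-west-2:111122223333:container/movies/*"}]})

OWNER = "111122223333"
GOOD = sample_policy("arn:aws:iam::444455556666:role/media-reader", sorted(READ_ONLY))
BROAD = sample_policy("arn:aws:iam::444455556666:root", ["mediastore:GetObject", "mediastore:DeleteObject"])

if __name__ == "__main__":
    print(audit_container_policy(GOOD, OWNER), audit_container_policy(BROAD, OWNER))
```

The role-scoped read policy produces no findings; the variant that names the other account's root principal and adds a delete action produces two.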