I have an S3 bucket inside a commercial AWS account. My EC2 instances are inside a GovCloud S3 account. I tried to create an IAM role inside the GovCloud account, picked the option for "Another AWS Account" and put down the commercial AWS account number, but it doesn't let me set up this trust. It keeps throwing this error: Invalid principal in policy: "AWS":"[the commercial account number]". If I try to create the same IAM role inside the commercial account and have it trust the GovCloud account, it gives me the same error. I even tried to create a new S3 bucket inside the commercial account with a bucket policy that allows access from the GovCloud account, but it complains about the principal being invalid:
    "Principal": {
        "AWS": "arn:aws-us-gov:iam::[govcloud account ID]:user/root"
    },
If I try to set up the above trust between two GovCloud accounts or two commercial accounts, it works fine. I was hoping someone could help me please. Thank you in advance.
question from:
https://stackoverflow.com/questions/65924421/accessing-a-commercial-s3-bucket-from-a-govcloud-ec2-instance
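As an added example (not from the question or its author), here is a small Python check that flags policy statements whose principal ARN names a different partition than the statement's resource ARN. The partition is the second field of an ARN: aws for commercial regions, aws-us-gov for GovCloud. IAM resolves principals only within the partition the policy belongs to, which is why both the role trust policy and the bucket policy in the question are rejected as invalid principals; a bare 12-digit account ID carries no partition at all and is looked up in the policy's own partition, so a commercial account number in a GovCloud trust policy does not resolve either. The sample policy, bucket name and account IDs below are constructed placeholders, and the function names are my own.

```python
import json
import re

# Constructed sample, built from the bucket-policy fragment quoted in the question.
# Account IDs and the bucket name are placeholders, not real resources.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowGovCloudAccount",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws-us-gov:iam::111111111111:user/root"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-commercial-bucket/*",
        },
        {
            "Sid": "AllowSamePartitionPrincipals",
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::222222222222:role/reader", "333333333333"]},
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::example-commercial-bucket",
        },
    ],
}

ARN_RE = re.compile(r"^arn:(?P<partition>[^:]+):")
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def arn_partition(arn):
    """Return the partition field of an ARN ('aws', 'aws-us-gov', 'aws-cn'), or None if not an ARN."""
    m = ARN_RE.match(arn)
    return m.group("partition") if m else None


def principal_arns(statement):
    """Return every AWS principal string in a statement; Principal may be a str, a dict, or a list."""
    principal = statement.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    aws = principal.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)


def resource_partitions(statement):
    """Return the set of partitions named by the statement's Resource ARN(s)."""
    res = statement.get("Resource", [])
    res = [res] if isinstance(res, str) else list(res)
    return {arn_partition(r) for r in res if arn_partition(r)}


def find_cross_partition_principals(policy):
    """Return (sid, principal, principal_partition, resource_partition) for every principal ARN
    whose partition differs from the partition of the statement's resources.
    '*' and bare 12-digit account IDs carry no partition and are skipped."""
    findings = []
    for stmt in policy.get("Statement", []):
        res_parts = resource_partitions(stmt)
        for p in principal_arns(stmt):
            if p == "*" or ACCOUNT_ID_RE.match(p):
                continue
            pp = arn_partition(p)
            for rp in sorted(res_parts):
                if pp and pp != rp:
                    findings.append((stmt.get("Sid"), p, pp, rp))
    return findings


if __name__ == "__main__":
    for sid, principal, pp, rp in find_cross_partition_principals(SAMPLE_POLICY):
        print(json.dumps({"sid": sid, "principal": principal,
                          "principal_partition": pp, "resource_partition": rp}))
```

Run against the sample, the first statement is reported (aws-us-gov principal on an aws resource) while the second is clean; the same check can be pointed at a role trust policy by treating the role's own ARN as the resource.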