Publishing Between AWS Accounts

When using Percussion Cloud, or when self-hosting in the cloud with Amazon Web Services, there may be scenarios where you need to publish from one account, for example "Account B", to an S3 bucket hosted in a different account, for example "Account A". AWS provides multiple mechanisms to support this type of cross-account configuration. As Percussion CMS is a multi-site system, we recommend using cross-account IAM roles for this.

In this configuration, you will create an IAM Role in each account. 

In "Account A", where the target bucket is located, create a new IAM Role, for example "PercussionCMS", and add a policy with the necessary access to the target bucket(s) to the role.

Example S3 Access Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::your-bucketname"
            ]
        },
        {
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:PutObjectAcl"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::your-bucketname/*"
            ]
        }
    ]
}

After adding the S3 policy to the role, edit the Trust Policy for the IAM Role and grant the role from "Account B" the permission to assume the

For Example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AccountB:role/PercussionCMS"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

In "Account B", where the Percussion CMS is running, create an IAM Role that can be assigned to the EC2 server running Percussion. Use a role name that will make it easy to identify in the future, for example "PercussionCMS". Edit that role and grant it permission to assume the role that you created in "Account A".

For example:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::AccountA:role/PercussionCMS"
    }
}

Finally, in the security options for the EC2 instance running Percussion CMS in "Account B", modify or assign the IAM role that the instance is using so that it is the newly created PercussionCMS role.

With this configuration, you can control access to multiple buckets in "Account A" via the single PercussionCMS IAM role. No restart is required after assigning the role to the EC2 instance.
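The three documents above only work when they agree with each other: the trust policy in "Account A" must name the "Account B" role, the "Account B" role policy must point at the "Account A" role, and the bucket in the s3:ListBucket statement must be the same bucket used by the object-level actions. The following added Python script (not part of this page or of Percussion CMS) checks those three points offline before the policies are deployed; the account IDs "AccountA" and "AccountB" are the page's placeholders, and the sample policies are constructed in the same shape as the ones shown above.

```python
ACCOUNT_A, ACCOUNT_B, ROLE = "AccountA", "AccountB", "PercussionCMS"  # page placeholders, not real IDs
ROLE_A_ARN, ROLE_B_ARN = (f"arn:aws:iam::{acct}:role/{ROLE}" for acct in (ACCOUNT_A, ACCOUNT_B))

def as_list(value):
    """IAM lets Statement, Action, Resource and Principal.AWS be a scalar or a list; normalise."""
    return value if isinstance(value, list) else [value]

def bucket_of(arn):
    """'arn:aws:s3:::name/*' -> 'name'; None for anything that is not an S3 ARN."""
    return arn.removeprefix("arn:aws:s3:::").split("/", 1)[0] if arn.startswith("arn:aws:s3:::") else None

def check_cross_account(s3_policy, trust_policy_a, assume_policy_b):
    """Return the problems found across the three documents; an empty list means they agree."""
    problems = []
    # 1. Account A's trust policy must name Account B's role as a principal for sts:AssumeRole.
    trusted = [p for s in as_list(trust_policy_a["Statement"]) if s.get("Effect") == "Allow"
               and "sts:AssumeRole" in as_list(s.get("Action", []))
               for p in as_list(s.get("Principal", {}).get("AWS", []))]
    if ROLE_B_ARN not in trusted:
        problems.append(f"Account A trust policy does not trust {ROLE_B_ARN}")
    # 2. Account B's role must be allowed to assume Account A's role, and not every role.
    targets = [r for s in as_list(assume_policy_b["Statement"]) if s.get("Effect") == "Allow"
               and "sts:AssumeRole" in as_list(s.get("Action", []))
               for r in as_list(s.get("Resource", []))]
    if ROLE_A_ARN not in targets:
        problems.append(f"Account B role is not allowed to assume {ROLE_A_ARN}")
    if "*" in targets:
        problems.append("Account B role may assume any role (Resource '*')")
    # 3. The bucket in the s3:ListBucket statement must match the bucket used by the object actions.
    list_buckets, object_buckets = set(), set()
    for s in as_list(s3_policy["Statement"]):
        for action in as_list(s.get("Action", [])):
            for arn in as_list(s.get("Resource", [])):
                bucket = bucket_of(arn)
                if bucket and bucket != "*":  # skip the account-wide ListAllMyBuckets resource
                    (list_buckets if action == "s3:ListBucket" else object_buckets).add(bucket)
    for bucket in list_buckets ^ object_buckets:
        problems.append(f"bucket '{bucket}' appears in only one of the ListBucket/object statements")
    return problems

# Constructed sample documents in the same shape as the three policies on this page.
S3_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::your-bucketname"]},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:PutObjectAcl"],
     "Resource": ["arn:aws:s3:::your-bucketname/*"]}]}
TRUST_POLICY_A = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE_B_ARN}, "Action": "sts:AssumeRole"}]}
ASSUME_POLICY_B = {"Version": "2012-10-17", "Statement":
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_A_ARN}}
```

Run `check_cross_account(S3_POLICY, TRUST_POLICY_A, ASSUME_POLICY_B)` on your own exported policy JSON; a mismatched bucket name between the ListBucket and object statements is the most common reason publishing lists the bucket but fails to write to it.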