How do I create cross account bucket access in S3?

Have a vendor delivering data to an AWS S3 bucket, and need access from our accounts, either via Databricks or our pipelines?

The following guide will walk you through the necessary steps. Instead of granting access to specific users, we provide a standard set of roles; vendors will need to receive these roles and update the policies on their side. Similarly, we must update the policies in our accounts in order to grant access to third-party S3 buckets.

Vendor Prerequisites

  • The ARN of the bucket where the data will live. The vendor will need to provide this information.
  • The ARN of the bucket's KMS key (CMK) used for encryption at rest.

Request cross account access setup


Create a ticket in Jira:

  1. Provide the vendor prerequisites.
  2. Provide details about where you plan to access the bucket:
    1. The AWS accounts from which you intend to access the data.
    2. The systems intended to interact with the data:
      1. Databricks
      2. AWS CLI
      3. EC2 pipelines

Provide the following ARNs for ncp accounts to the vendor to allow access to the bucket.

Main Tenant ARNs

environment  aws account_id  enabled regions
link-dev     137458083353    us-east-1
link-qc      742416576876    us-east-1, us-east-2
link-pro     543629742202    us-east-1, us-east-2

system      ARNs (link-dev, link-qc, link-pro)
databricks  arn:aws:iam::137458083353:role/databricks-dope
            arn:aws:iam::742416576876:role/databricks-dope
            arn:aws:iam::543629742202:role/databricks-dope
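
The policy documents this setup implies on both sides, generated for the role ARNs above; this is an added example, not part of the original guide or any vendor's actual policy. The read-only action lists, the function name build_policies, and the placeholder bucket and KMS key ARNs are assumptions.

```python
import json
import re

# Role ARNs listed on this page (link-dev, link-qc, link-pro).
ROLE_ARNS = [
    "arn:aws:iam::137458083353:role/databricks-dope",
    "arn:aws:iam::742416576876:role/databricks-dope",
    "arn:aws:iam::543629742202:role/databricks-dope",
]
ROLE_RE = re.compile(r"arn:aws:iam::\d{12}:role/[\w+=,.@-]+")
BUCKET_RE = re.compile(r"arn:aws:s3:::[a-z0-9.-]{3,63}")

# Assumption: read-only access is enough; the page does not list actions.
OBJECT_ACTIONS = ["s3:GetObject"]
BUCKET_ACTIONS = ["s3:ListBucket", "s3:GetBucketLocation"]
KMS_ACTIONS = ["kms:Decrypt", "kms:DescribeKey"]


def build_policies(bucket_arn, kms_key_arn, role_arns=ROLE_ARNS):
    """Return (vendor bucket policy, vendor KMS key statement, our role policy)."""
    for arn in role_arns:
        if not ROLE_RE.fullmatch(arn):  # rejects "*" and account-root principals
            raise ValueError(f"not a specific IAM role ARN: {arn!r}")
    if not BUCKET_RE.fullmatch(bucket_arn):  # rejects wildcards and object ARNs
        raise ValueError(f"not a single-bucket ARN: {bucket_arn!r}")
    principal = {"AWS": list(role_arns)}
    s3_statements = [
        # ListBucket applies to the bucket itself, GetObject to the keys under it.
        {"Effect": "Allow", "Action": BUCKET_ACTIONS, "Resource": bucket_arn},
        {"Effect": "Allow", "Action": OBJECT_ACTIONS, "Resource": bucket_arn + "/*"},
    ]
    # Vendor side: resource policy on the bucket names our roles as principals.
    bucket_policy = {"Version": "2012-10-17",
                     "Statement": [dict(s, Principal=principal) for s in s3_statements]}
    # Vendor side: in a key policy, "Resource": "*" means the key it is attached to.
    kms_statement = {"Effect": "Allow", "Principal": principal,
                     "Action": KMS_ACTIONS, "Resource": "*"}
    # Our side: identity policy for the roles; same actions, no Principal element.
    role_policy = {"Version": "2012-10-17",
                   "Statement": s3_statements + [
                       {"Effect": "Allow", "Action": KMS_ACTIONS, "Resource": kms_key_arn}]}
    return bucket_policy, kms_statement, role_policy


if __name__ == "__main__":
    # Constructed placeholder ARNs; the real ones come from the vendor.
    docs = build_policies("arn:aws:s3:::example-vendor-bucket",
                          "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID")
    print(json.dumps(docs, indent=2))
```

Cross-account reads succeed only when the vendor's bucket and key policies and our role's identity policy all allow the request, which is why the example emits all three documents.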
