Question

 am using s3 as helm chart repository. I wanted to access/ manage this chart from two separate ec2 instances in different AWS account. both having different roles attached to it.

I create a bucket in AWS Account A, with below command

aws s3api create-bucket --bucket test15-helm-bucket --region "eu-central-1" --create-bucket-configuration LocationConstraint=eu-central-1

initialise helm chart Repo with below command

helm s3 init s3://test15-helm-bucket/charts
Initialized empty repository at s3://test15-helm-bucket/charts

Answer 1

The error notice simply says that READ access to the bucket is refused, yet your API command only says that LIST access was given. Without seeing the associated policy, it is unable to make additional comments on this matter.

You can, however, configure cross-account bucket access instead of specifying the CLI profile on the instance.

To grant access to a role (EC2) in a different account, add a bucket policy to it.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<Account-B-ID>:role/<ec2-role-name>"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::<AccountABucketName>/*"
            ]
        }
    ]
}

To access the bucket in Account-A, add a policy to the EC2 instance's IAM role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::<AccountABucketName>/*"

        }
    ]
}

Account-B should now be able to read/write to the bucket.