--- page_title: S3 Setup Guide product: JUSPAY Unified Dashboard page_source: https://juspay.io/in/docs/dashboard/docs/payments/s3-setup-guide llms_txt: https://juspay.io/in/docs/llms.txt product_llms_txt: https://juspay.io/in/docs/dashboard/llms.txt --- # Cross-Account S3 Bucket Permissions Setup Guide This guide provides a quick walkthrough for setting up cross-account permissions for an S3 bucket. ## Prerequisites **Merchant Account** : Owns the S3 bucket. **Juspay Account** : Needs access to the S3 bucket. ## Steps to be performed by Merchant ### 1. Create an S3 Bucket in Merchant Account * Sign in to the AWS Management Console * Navigate to S3 and create a bucket. ### 2. Add a Bucket Policy * Go to the S3 bucket and select the Permissions tab. * Click Edit under Bucket Policy. * Add the following policy, replacing placeholders with your values: #### Policy Code Snippet: ```policy { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS":"arn:aws:iam::980691203742:role/jp-reports-external" }, "Action": [ "s3:GetObject", "s3:ListBucket", "s3:PutObject", ], "Resource": [ "arn:aws:s3:::", "arn:aws:s3::://*" ] } ] } ``` * Save the policy. ## Steps to be performed by Juspay ### 1. Create an IAM Role in Juspay Account * Sign in to the AWS Management Console for Account B. * Navigate to IAM and create a role. * Select Another AWS account and enter Account A's ID. * Attach the AmazonS3ReadOnlyAccess policy or a custom policy. * Name and create the role. ### 2. Attach the Role to Resources in Juspay Account * Attach the created IAM role to resources like EC2 instances ### 3. Verify Access * use the AWS CLI or SDKs to list the contents of the S3 bucket in Merchant Account:`aws s3 ls s3:/// --region ` For more detailed instructions, refer to the [AWS S3 User Guide](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-walkthroughs-managing-access-example2.html). ### 4. Juspay's External Role `arn:aws:iam::980691203742:role/jp-reports-external` ## Troubleshooting ### KMS Issues If you encounter access denied errors related to AWS KMS, follow these steps to troubleshoot: #### Ensure KMS Key Policy Allows Access: Update the KMS key policy to allow Account B access. * Navigate to the KMS console in Account A. * Select the key and choose Key Policy. * Add the following policy, replacing placeholders with your values: #### Policy Code Snippet: ```policy { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::980691203742:role/jp-reports-external" }, "Action": [ "kms:Decrypt", "kms:DescribeKey" ], "Resource": "*" } ] } ``` #### Grant KMS Key Access: Grant access to the key using the AWS KMS Grant command. #### Command Code Snippet: ```command aws kms create-grant \ --key-id \ --grantee-principal arn:aws:iam:::role/ \ --operations Decrypt,DescribeKey ``` #### Update IAM Role Policy: Ensure the IAM role in Account B has permissions to use the KMS key. #### Key Code Snippet: ```key { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:DescribeKey" ], "Resource": "arn:aws:kms:::key/" } ] } ``` For more troubleshooting tips, refer to the [AWS Knowledge Center](https://repost.aws/knowledge-center/cross-account-access-denied-error-s3). --- ## See Also - [Reports](https://juspay.io/in/docs/dashboard/docs/payments/reports) - [SFTP Access Setup](https://juspay.io/in/docs/dashboard/docs/payments/sftp-access-setup)