Cross-Account Access

Last updated 5 months ago

It is often desirable to run the Quilt control plane (CloudFormation stack) in a separate account from your data plane (S3 buckets).

Assume that we have two accounts, ControlAccount (containing the Quilt CloudFormation stack) and DataAccount (containing the desired S3 buckets).

Object ownership

If you want DataAccount to have access to S3 objects put by ControlAccount (and you probably do), you need to ensure that the S3 bucket has ObjectOwnership set to BucketOwnerEnforced; see the docs for details.

Bucket policies

To ensure that the Quilt stack in the ControlAccount can access and administer S3 buckets in the DataAccount, you can apply a bucket policy similar to the following to buckets in your DataAccount.

Quilt admins can still control which users do and do not have access to this bucket via Roles and Policies in the Admin panel.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::CONTROL_ACCOUNT:root"
            },
            "Action": [
                "s3:GetObject",
                "s3:GetObjectAttributes",
                "s3:GetObjectTagging",
                "s3:GetObjectVersion",
                "s3:GetObjectVersionAttributes",
                "s3:GetObjectVersionTagging",
                "s3:ListBucket",
                "s3:ListBucketVersions",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:PutObject",
                "s3:PutObjectTagging",
                "s3:GetBucketNotification",
                "s3:PutBucketNotification"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-in-data-account",
                "arn:aws:s3:::bucket-in-data-account/*"
            ]
        }
    ]
}
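
As an added example (not code from the Quilt docs or the quilt3 package), the Python below renders the bucket policy above for a given ControlAccount ID and audits an existing bucket policy for Allow statements that reach beyond that template: a wildcard or non-account principal, actions outside the set listed above, or resources other than the one bucket. Function names are assumptions.

```python
import re

# Actions the cross-account bucket policy above grants to the ControlAccount root.
QUILT_BUCKET_ACTIONS = frozenset({
    "s3:GetObject", "s3:GetObjectAttributes", "s3:GetObjectTagging",
    "s3:GetObjectVersion", "s3:GetObjectVersionAttributes",
    "s3:GetObjectVersionTagging", "s3:ListBucket", "s3:ListBucketVersions",
    "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:PutObject",
    "s3:PutObjectTagging", "s3:GetBucketNotification", "s3:PutBucketNotification",
})


def build_bucket_policy(control_account_id: str, bucket: str) -> dict:
    """Render the DataAccount bucket policy for one ControlAccount (hypothetical helper)."""
    if not re.fullmatch(r"\d{12}", control_account_id):
        raise ValueError("AWS account IDs are exactly 12 digits")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{control_account_id}:root"},
            "Action": sorted(QUILT_BUCKET_ACTIONS),
            # ListBucket needs the bucket ARN; object actions need bucket/*.
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def audit_bucket_policy(policy: dict, bucket: str) -> list[str]:
    """Return findings for Allow statements broader than the template above."""
    findings = []
    allowed_resources = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not audited here.
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        for p in ([aws] if isinstance(aws, str) else aws or []):
            if p == "*" or not re.fullmatch(r"arn:aws:iam::\d{12}:root", p):
                findings.append(f"principal is not a single account root: {p}")
        actions = stmt.get("Action", [])
        for a in ([actions] if isinstance(actions, str) else actions):
            if a not in QUILT_BUCKET_ACTIONS:
                findings.append(f"action outside the Quilt template: {a}")
        resources = stmt.get("Resource", [])
        for r in ([resources] if isinstance(resources, str) else resources):
            if r not in allowed_resources:
                findings.append(f"resource outside {bucket}: {r}")
    return findings
```

Run `audit_bucket_policy` over the policy fetched from each DataAccount bucket (for example the `Policy` field of `aws s3api get-bucket-policy`) to catch drift such as a `"Principal": "*"` or an `s3:*` action added later.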

Notifications

In order for ControlAccount to use an existing and correctly configured SNS topic for a single bucket in DataAccount, add a statement similar to the following to the topic resource policy:

{
    "Sid": "AWSConfigSNSPolicy",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::CONTROL_ACCOUNT:root"
    },
    "Action": [
        "sns:GetTopicAttributes",
        "sns:Subscribe"
    ],
    "Resource": "SNS_TOPIC_ARN"
}

You can now set the SNS topic in the Catalog Admin Panel, in bucket properties under "Indexing and notifications".

CloudTrail

For security, auditing, and user-facing analytics, it is recommended that all S3 buckets in Quilt enable logging via CloudTrail. For cross-account buckets you must provide an existing trail to Quilt when you deploy the CloudFormation template, and you must add the buckets in question to that trail.