Cross-account access


Last updated 3 years ago

It is often desirable to run the Quilt control plane (CloudFormation stack) in a separate account from your data plane (S3 buckets).

Assume that we have two accounts, ControlAccount (containing the Quilt CloudFormation stack) and DataAccount (containing the desired S3 buckets).

Object ownership

If you want DataAccount to have access to S3 objects put by ControlAccount (and you probably do), set ObjectOwnership on each such S3 bucket to BucketOwnerEnforced. This setting disables ACLs and makes the bucket owner (DataAccount) the owner of every object regardless of which account uploaded it, so objects written by the Quilt stack do not end up owned by ControlAccount; see the AWS S3 documentation on controlling object ownership for details.

Bucket policies

To ensure that the Quilt stack in the ControlAccount can access and administer S3 buckets in the DataAccount, apply a bucket policy similar to the following to each bucket in your DataAccount, replacing CONTROL_ACCOUNT with the 12-digit account ID of ControlAccount and bucket-in-data-account with the bucket name.

Note that the policy delegates these actions to ControlAccount as a whole (the account root principal); an IAM principal in ControlAccount can use that access only if its own identity-based policy also allows the same actions. Quilt admins therefore still control which users do and do not have access to this bucket via the Admin panel, under Roles and Policies.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::CONTROL_ACCOUNT:root"
            },
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:ListBucket",
                "s3:ListBucketVersions",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:PutObject",
                "s3:GetBucketNotification",
                "s3:PutBucketNotification"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-in-data-account",
                "arn:aws:s3:::bucket-in-data-account/*"
            ]
        }
    ]
}

CloudTrail

For security, auditing, and user-facing analytics, it is recommended that all S3 buckets in Quilt enable logging via CloudTrail. For cross-account buckets you must provide an existing trail to Quilt when you deploy the CloudFormation template, and you must configure that trail to log S3 data events for the buckets in question; a trail that records only management events does not capture object-level reads and writes.
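The three prerequisites above (BucketOwnerEnforced ownership, the bucket policy for CONTROL_ACCOUNT:root, and CloudTrail data events for the bucket) are easy to get slightly wrong, for example by omitting the `/*` object resource or by naming the bucket in a trail without the trailing slash. The following added example, written for this page and not part of Quilt, audits all three offline. It operates on dicts in the shape of the boto3 responses to `get_bucket_ownership_controls`, `get_bucket_policy` (whose `Policy` field is JSON text) and `get_event_selectors`; the sample responses, account ID and bucket name are constructed, so it runs without AWS credentials. Feed it real responses to check a live bucket.

```python
import json

# Actions this page's bucket policy grants to the control account's root principal.
REQUIRED_ACTIONS = frozenset({
    "s3:GetObject", "s3:GetObjectVersion",
    "s3:ListBucket", "s3:ListBucketVersions",
    "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:PutObject",
    "s3:GetBucketNotification", "s3:PutBucketNotification",
})


def _as_list(value):
    """IAM policy JSON allows either a string or a list in Principal/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(statement):
    """AWS principal strings of a statement; '*' (bare or under 'AWS') means anyone."""
    principal = statement.get("Principal")
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return _as_list(principal)


def check_object_ownership(ownership_controls):
    """Findings unless every rule is BucketOwnerEnforced (ACLs off, bucket owner owns all objects)."""
    rules = ownership_controls.get("OwnershipControls", {}).get("Rules", [])
    modes = sorted({rule.get("ObjectOwnership", "unset") for rule in rules})
    if modes == ["BucketOwnerEnforced"]:
        return []
    return [f"ObjectOwnership is {', '.join(modes) or 'unset'}, expected BucketOwnerEnforced"]


def check_bucket_policy(policy_response, control_account_id, bucket_name):
    """Findings if CONTROL_ACCOUNT:root does not get exactly the documented actions
    on both the bucket ARN and its objects, or if the policy opens the bucket to '*'."""
    policy = json.loads(policy_response["Policy"])
    control_root = f"arn:aws:iam::{control_account_id}:root"
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    findings, granted, resources = [], set(), set()
    for stmt in policy.get("Statement", []):
        principals = _aws_principals(stmt)
        if stmt.get("Effect") == "Allow" and "*" in principals:
            findings.append("an Allow statement names Principal '*': the bucket is public")
        if stmt.get("Effect") != "Allow" or control_root not in principals:
            continue
        actions = set(_as_list(stmt.get("Action")))
        wild = sorted(a for a in actions if "*" in a)
        if wild:  # s3:* etc.: flag it, and assume it covers the required set
            findings.append(f"wildcard actions {wild} granted to the control account; enumerate them instead")
            granted |= REQUIRED_ACTIONS
        granted |= actions - set(wild)
        resources |= set(_as_list(stmt.get("Resource")))
    missing = sorted(REQUIRED_ACTIONS - granted)
    if missing:
        findings.append(f"control account lacks {missing}")
    extra = sorted(granted - REQUIRED_ACTIONS)
    if extra:
        findings.append(f"control account granted beyond the documented set: {extra}")
    # Bucket-level actions (ListBucket, *BucketNotification) need the bucket ARN,
    # object-level actions need the '/*' ARN; both must be present.
    for arn in (bucket_arn, bucket_arn + "/*"):
        if arn not in resources:
            findings.append(f"no statement for the control account covers {arn}")
    return findings


def check_cloudtrail_selectors(event_selectors, bucket_name):
    """Findings unless a selector logs S3 object data events, reads and writes, for the
    whole bucket. Classic selectors name a bucket as 'arn:aws:s3:::bucket/' (trailing
    slash); 'arn:aws:s3' alone means every bucket. Prefix selectors are not accepted."""
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    for selector in event_selectors.get("EventSelectors", []):
        for resource in selector.get("DataResources", []):
            if resource.get("Type") != "AWS::S3::Object":
                continue
            for value in resource.get("Values", []):
                if value == "arn:aws:s3" or value.rstrip("/") == bucket_arn:
                    mode = selector.get("ReadWriteType", "All")
                    if mode != "All":
                        return [f"{bucket_arn} is logged with ReadWriteType={mode}; use All"]
                    return []
    return [f"no S3 data event selector covers {bucket_arn}; add it to the trail"]


def audit_cross_account_bucket(ownership, policy, selectors, control_account_id, bucket_name):
    """All findings for one DataAccount bucket; an empty list means the three checks pass."""
    return (check_object_ownership(ownership)
            + check_bucket_policy(policy, control_account_id, bucket_name)
            + check_cloudtrail_selectors(selectors, bucket_name))


# Constructed sample responses (not captured from a real account). The policy is the
# one from this page with the placeholders filled in.
CONTROL_ACCOUNT = "111111111111"
BUCKET = "bucket-in-data-account"
SAMPLE_OWNERSHIP = {"OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]}}
SAMPLE_POLICY = {"Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{CONTROL_ACCOUNT}:root"},
        "Action": sorted(REQUIRED_ACTIONS),
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }],
})}
SAMPLE_SELECTORS = {"EventSelectors": [{
    "ReadWriteType": "All", "IncludeManagementEvents": True,
    "DataResources": [{"Type": "AWS::S3::Object", "Values": [f"arn:aws:s3:::{BUCKET}/"]}],
}]}

if __name__ == "__main__":
    result = audit_cross_account_bucket(SAMPLE_OWNERSHIP, SAMPLE_POLICY, SAMPLE_SELECTORS,
                                        CONTROL_ACCOUNT, BUCKET)
    for line in result or ["all three cross-account prerequisites are satisfied"]:
        print(line)
```

The policy check deliberately reports actions beyond the documented nine as a finding rather than silently accepting them: a cross-account grant to an account root is only as narrow as its action list, and the bucket policy is the DataAccount's one point of control over what ControlAccount can do. Trails configured with advanced event selectors return their selectors in a different field and are not covered by this check.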
