The Instinctive Approach
When first presented with this requirement, the approach people usually reach for first is "we'll create a user on our AWS account and give you access".
Certainly this is an option but it can lead to some surprises.
One of the two companies goes ahead and creates an IAM user and sends its access key pair to the other. Already we have something less than ideal going on: security. Because no role is involved, these credentials are long-lived and are never rotated automatically. They are secrets, and they have most likely been forwarded by email between several stakeholders in both businesses. If either company has a compliance requirement to rotate secrets, that rotation is rarely done correctly when two companies are involved, so we have also created a compliance overhead.
But then we get to the crux of the issue. B is already using AWS for the process that writes the data. It needs to read that data from somewhere! Perhaps that's another one of B's S3 buckets, perhaps it's B's Kinesis stream or Kafka. Regardless, if B is running on AWS, there could well be ten different reasons B needs AWS permissions in both A's and B's accounts, and a given CLI invocation or SDK client authenticates as only one principal at a time. Here lies the unfortunate truth.
More concretely, many readers will be familiar with the aws s3 cp s3://from-bucket/file s3://to-bucket/file command, which is perhaps the most common way to move data between two buckets. It runs under a single set of credentials: the one principal it authenticates as must be allowed both to read the source object and to write the destination object. It cannot use B's user for the read and A's user for the write.
Alternatively you could perform all the operations you need as one account, then switch credentials and perform the rest as the other: pull everything down with the first set of credentials and push it up with the second. But if what we're trying to do is transfer large amounts of data, that is tricky. The data has to land somewhere in between, and in a world of Lambdas and containers many companies don't even have a process for managing EC2 instances with large volumes attached. More importantly, we've just doubled the amount of work and the room for error. If something breaks and needs to start again, you need to know where you left off. Are you going to track that manually? You've introduced several new problems and significantly increased your operational overhead.
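To make the two points above concrete, here is an added example (not code from the original post) of the two-credential workaround just described, with the bookkeeping it forces on you. It shows that a client authenticated as one company's user cannot write the other company's bucket, and that a restartable transfer needs a checkpoint of which objects have already been copied. boto3 is replaced by a small in-memory stand-in so the script runs offline; in real use each client would be boto3.Session(profile_name=...).client("s3"). The bucket names, object contents, checkpoint path and injected crash are all constructed for the demonstration.

```python
"""Resumable two-credential bucket-to-bucket transfer with a checkpoint.

Added example, not code from the original post. boto3 is replaced by a
small in-memory stand-in (FakeS3) so that it runs offline; in real use each
FakeS3 would be boto3.Session(profile_name=...).client("s3"). Bucket names,
object contents, the checkpoint path and the injected crash are constructed.
"""
import os
import tempfile


class FakeS3:
    """Constructed stand-in for one S3 client. Like a real client it carries
    exactly one identity, so it can only reach the buckets that identity is
    authorised for; anything else is an AccessDenied."""

    def __init__(self, identity, buckets):
        self.identity = identity
        self.buckets = buckets  # {bucket_name: {key: bytes}}

    def _bucket(self, name):
        if name not in self.buckets:
            raise PermissionError(f"{self.identity}: AccessDenied on {name}")
        return self.buckets[name]

    def list_keys(self, bucket):
        return sorted(self._bucket(bucket))

    def get_object(self, bucket, key):
        return self._bucket(bucket)[key]

    def put_object(self, bucket, key, body):
        self._bucket(bucket)[key] = body


def load_checkpoint(path):
    """Keys already copied by earlier runs, one per line."""
    if not os.path.exists(path):
        return set()
    with open(path) as f:
        return {line.strip() for line in f if line.strip()}


def transfer(reader, src_bucket, writer, dst_bucket, checkpoint, crash_after=None):
    """Copy every object in src_bucket to dst_bucket using two clients.

    `reader` is authenticated to the source account and `writer` to the
    destination account, because one client cannot hold both identities.
    A key is appended to the checkpoint only after its upload succeeds, so a
    crash can at worst repeat one upload (an idempotent PUT), never skip one.
    `crash_after` injects a failure after N copies to exercise the resume path.
    Returns the number of objects copied in this run.
    """
    done = load_checkpoint(checkpoint)
    copied = 0
    with open(checkpoint, "a") as ckpt:
        for key in reader.list_keys(src_bucket):
            if key in done:
                continue  # already landed in an earlier run
            body = reader.get_object(src_bucket, key)  # identity 1 reads
            writer.put_object(dst_bucket, key, body)  # identity 2 writes
            ckpt.write(key + "\n")
            ckpt.flush()
            copied += 1
            if crash_after is not None and copied >= crash_after:
                raise RuntimeError("simulated crash mid-transfer")
    return copied


def run_demo():
    """Constructed scenario: company-b-export (source) and company-a-import
    (destination) live in different accounts, each with its own IAM user."""
    source = {f"part-{i:02d}": f"record {i}".encode() for i in range(5)}
    b_buckets = {"company-b-export": source}
    a_buckets = {"company-a-import": {}}
    b_client = FakeS3("company-b-user", b_buckets)
    a_client = FakeS3("company-a-user", a_buckets)

    # What a single-principal copy (the aws s3 cp case) looks like when only
    # B's credentials are in play: the read works, the cross-account PUT is denied.
    try:
        b_client.put_object("company-a-import", "part-00",
                            b_client.get_object("company-b-export", "part-00"))
        single_principal_ok = True
    except PermissionError:
        single_principal_ok = False

    ckpt = os.path.join(tempfile.mkdtemp(), "copied.txt")
    try:
        transfer(b_client, "company-b-export", a_client, "company-a-import",
                 ckpt, crash_after=2)
        first_run = "completed"
    except RuntimeError:
        first_run = "crashed"
    # Second invocation picks up from the checkpoint instead of starting over.
    resumed = transfer(b_client, "company-b-export", a_client, "company-a-import", ckpt)
    return {
        "single_principal_ok": single_principal_ok,
        "first_run": first_run,
        "copied_on_resume": resumed,
        "destination_matches": a_buckets["company-a-import"] == source,
    }


if __name__ == "__main__":
    print(run_demo())
```

The first run copies two objects and dies; the second run copies only the remaining three and the destination ends up identical to the source. That checkpoint file, its durability, and the question of who cleans it up are exactly the operational overhead the paragraph warns about, and they exist only because no single identity could do the copy in one step.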