Feature Description
When a component artifact is downloaded from S3, the Nucleus first issues an s3:GetBucketLocation API call followed by s3:GetObject. s3:GetObject to a bucket on another AWS account can be allowed using bucket policies and token exchange role policy. However, s3:GetBucketLocation is only available to the bucket owner. This causes downloading component artifacts stored in an S3 bucket on another AWS account to fail.
Use Case
We have an artifact bucket on one account that is shared across several AWS accounts.
Proposed Solution
Instead of first issuing s3:GetBucketLocation, do s3:GetObject directly
Other
👋 I may be able to implement this feature request
⚠️ This feature might incur a breaking change
Hi, is there any update on this?
I'm facing this issue while deploying at different customers. Each one has its own organization at the moment. Without this working, we basically need to have artifacts and components on each account, making the CI more complex than needed. Thank you
Hi @japsu and @Minipada, thanks for your patience. We found that simply replacing s3:GetBucketLocation with s3:GetObject is not a solution to this; we need to solve it in a way that allows us to perform integrity checks for cross-account component artifacts, and it needs further discussion. We will post an update here once we have that.
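The cross-account grants the issue description refers to (a bucket policy plus a token exchange role policy, both limited to s3:GetObject), as an added example that is not part of this thread or of the Greengrass project. The bucket name, account ID, key prefix and role name are placeholders or assumptions.

```bash
#!/usr/bin/env bash
# Added example; every value below is a placeholder or assumption, not taken from the issue.
BUCKET="example-artifact-bucket"           # placeholder bucket in the artifact account
DEVICE_ACCOUNT="111122223333"              # placeholder account that owns the core devices
ROLE_NAME="GreengrassV2TokenExchangeRole"  # assumed token exchange role name
PREFIX="artifacts"                         # assumed key prefix holding component artifacts

# Bucket policy (artifact account): only the named role may read, only under PREFIX.
bucket_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "CrossAccountArtifactRead",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::${DEVICE_ACCOUNT}:role/${ROLE_NAME}"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::${BUCKET}/${PREFIX}/*"
  }]
}
EOF
}

# Identity policy (device account): attached to the token exchange role.
role_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::${BUCKET}/${PREFIX}/*"
  }]
}
EOF
}

# Each side is applied with credentials for its own account; no argument means no AWS call.
case "${1:-}" in
  bucket) aws s3api put-bucket-policy --bucket "$BUCKET" --policy "$(bucket_policy)" ;;
  role)   aws iam put-role-policy --role-name "$ROLE_NAME" \
            --policy-name CrossAccountArtifactRead --policy-document "$(role_policy)" ;;
esac
```

Neither document mentions s3:GetBucketLocation, so a download that begins with that call is rejected before the permitted s3:GetObject is attempted, which is the failure the issue reports.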