
A single IAM policy line stood between your Azure app and petabytes of locked-away S3 data.


Azure to AWS S3 integration is simple when you control both sides. But when your Azure workloads only need read-only access to an AWS S3 bucket, things get trickier. You must secure it, automate it, and keep it audit-friendly. You want no write access, no policy drift, and no room for privilege creep.

The core is assigning an AWS IAM Role with a trust relationship pointing to your Azure workload’s identity provider. In AWS, create an IAM Role with the AmazonS3ReadOnlyAccess policy or a custom, resource-scoped read policy tied to the bucket ARN. Then configure the role’s trust to allow Azure’s OpenID Connect (OIDC) endpoint or another supported federation method to assume it. This removes the need for static keys and supports secure short-lived credentials.

In Azure, register the AWS OIDC endpoint as an enterprise application or configure federated identity credentials on your target Azure resource (for example, an Azure Function or App Service). The identity then requests temporary credentials by calling AWS Security Token Service (STS) with the role ARN. This avoids long-term secrets stored in configuration and aligns with zero-trust best practices.


Keep your policies laser-focused. If the bucket name is fixed, bind the action set to s3:GetObject and s3:ListBucket with explicit resource ARNs. Deny everything else. Allow statements across every policy attached to the role accumulate, and only an explicit Deny overrides them, so state the Deny explicitly when locking the role down.
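The two policy documents described above (the trust policy that lets the Azure identity assume the role, and the resource-scoped read-only permission policy with an explicit Deny), as an added example that is not part of the original post. It also includes a simplified IAM evaluator so you can see why the Deny matters: a later, sloppier policy attachment grants writes, and the explicit Deny is what keeps them blocked. The account id, tenant id, client id, object id, bucket name and OIDC provider name are constructed placeholders; the evaluator covers Action/NotAction and Resource/NotResource with wildcards but not Condition keys.

```python
"""Added example (not from the original post).

Builds the two IAM policy documents the post describes for an Azure-facing
read-only role, checks that the trust policy is pinned to one tenant, audience
and subject, and runs a simplified IAM evaluation to show that an explicit
Deny wins over any Allow a later policy attachment might add.  Account id,
tenant id, client id, object id and bucket name are constructed placeholders.
"""
import fnmatch
import json

AWS_ACCOUNT_ID = "123456789012"                               # placeholder
AZURE_TENANT_ID = "00000000-0000-0000-0000-000000000000"      # placeholder
AZURE_CLIENT_ID = "11111111-1111-1111-1111-111111111111"      # token 'aud', placeholder
AZURE_OBJECT_ID = "22222222-2222-2222-2222-222222222222"      # token 'sub', placeholder
BUCKET = "example-analytics-bucket"                           # placeholder
# Assumption: the Entra ID issuer for the tenant is registered in IAM as an
# OIDC identity provider under this name.
OIDC_PROVIDER = f"sts.windows.net/{AZURE_TENANT_ID}/"


def trust_policy() -> dict:
    """Who may assume the role: one issuer, one audience, one subject."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{AWS_ACCOUNT_ID}:oidc-provider/{OIDC_PROVIDER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{OIDC_PROVIDER}:aud": AZURE_CLIENT_ID,
            f"{OIDC_PROVIDER}:sub": AZURE_OBJECT_ID,
        }},
    }]}


def read_only_policy() -> dict:
    """What the role may do: read one bucket, explicit Deny on everything else."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Effect": "Deny", "NotAction": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
    ]}


def trust_policy_is_pinned(policy: dict) -> bool:
    """Every federated statement must pin both the audience and the subject claim."""
    for stmt in policy["Statement"]:
        if "Federated" not in stmt.get("Principal", {}):
            continue
        eq = stmt.get("Condition", {}).get("StringEquals", {})
        if not (f"{OIDC_PROVIDER}:aud" in eq and f"{OIDC_PROVIDER}:sub" in eq):
            return False
    return True


def _match(patterns, value: str, case_insensitive: bool = False) -> bool:
    patterns = [patterns] if isinstance(patterns, str) else patterns
    if case_insensitive:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _applies(stmt: dict, action: str, resource: str) -> bool:
    # IAM action names are case-insensitive; resource ARNs are not.
    if "Action" in stmt:
        action_ok = _match(stmt["Action"], action, case_insensitive=True)
    else:
        action_ok = not _match(stmt["NotAction"], action, case_insensitive=True)
    if "Resource" in stmt:
        resource_ok = _match(stmt["Resource"], resource)
    else:
        resource_ok = not _match(stmt["NotResource"], resource)
    return action_ok and resource_ok


def evaluate(policies: list, action: str, resource: str) -> str:
    """Simplified IAM logic for one request: explicit Deny > Allow > implicit Deny."""
    matched = [s for p in policies for s in p["Statement"] if _applies(s, action, resource)]
    if any(s["Effect"] == "Deny" for s in matched):
        return "explicit-deny"
    if any(s["Effect"] == "Allow" for s in matched):
        return "allow"
    return "implicit-deny"


def drop_deny(policy: dict) -> dict:
    """The same policy with its Deny statement removed, to show how drift creeps in."""
    return {"Version": policy["Version"],
            "Statement": [s for s in policy["Statement"] if s["Effect"] != "Deny"]}


if __name__ == "__main__":
    print(json.dumps(trust_policy(), indent=2))
    # A later, sloppy attachment that grants writes on everything (constructed).
    drift = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "*"}]}
    key = f"arn:aws:s3:::{BUCKET}/reports/q1.csv"
    print(evaluate([read_only_policy()], "s3:GetObject", key))                    # allow
    print(evaluate([read_only_policy(), drift], "s3:PutObject", key))             # explicit-deny
    print(evaluate([drop_deny(read_only_policy()), drift], "s3:PutObject", key))  # allow
```

The Deny statement uses NotAction with Resource "*", which blocks every action outside the two reads; if the role must also do something else (write its own CloudWatch logs, for instance), narrow that statement rather than drop it. The `trust_policy_is_pinned` check is the kind of guard you can run in CI against the role definition so a future edit cannot quietly widen the trust to any subject in the tenant.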

Audit and monitor. Wire CloudTrail and S3 Access Logs to send to CloudWatch or to your SIEM. Store logs in a separate AWS account if high-trust segmentation is needed. In Azure, track access requests and failed role assumptions through the application’s logging stack.
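The monitoring step above, as an added example that is not part of the original post: a small triage pass over CloudTrail records for the read-only role that flags failed role assumptions and any non-read S3 action made with the role's session. A denied write means the policy held; a successful one means the policy has drifted. The role ARN, account id, identity names and every event are constructed sample data trimmed to the fields the check reads, and the set of event names treated as read-only is an assumption to adjust for your workload.

```python
"""Added example (not from the original post).

A small triage pass over constructed CloudTrail records for the Azure-facing
read-only role. It flags failed role assumptions and any non-read S3 action
performed with the role's session, which is what the post suggests watching
for once CloudTrail and S3 access logs reach CloudWatch or a SIEM.
Role ARN, account id and every event below are constructed sample data.
"""

ROLE_ARN = "arn:aws:iam::123456789012:role/AzureS3ReadOnly"   # placeholder
# CloudTrail event names this script treats as read-only (assumption; extend
# the set to match the operations your workload actually performs).
READ_EVENTS = {"GetObject", "HeadObject", "ListObjects", "ListObjectsV2", "ListBucket"}

# Constructed sample records, trimmed to the fields the triage looks at.
SESSION = {"type": "AssumedRole",
           "sessionContext": {"sessionIssuer": {"arn": ROLE_ARN}}}
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRoleWithWebIdentity",
     "userIdentity": {"type": "WebIdentityUser", "userName": "2222-object-id"},
     "requestParameters": {"roleArn": ROLE_ARN}, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-05-01T10:00:05Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRoleWithWebIdentity",
     "userIdentity": {"type": "WebIdentityUser", "userName": "3333-unknown-id"},
     "requestParameters": {"roleArn": ROLE_ARN}, "sourceIPAddress": "198.51.100.7",
     "errorCode": "AccessDenied"},
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": SESSION,
     "requestParameters": {"bucketName": "example-analytics-bucket", "key": "reports/q1.csv"}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "userIdentity": SESSION, "errorCode": "AccessDenied",
     "requestParameters": {"bucketName": "example-analytics-bucket", "key": "reports/q1.csv"}},
    {"eventTime": "2024-05-01T10:03:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteObject", "userIdentity": SESSION,
     "requestParameters": {"bucketName": "example-analytics-bucket", "key": "reports/q1.csv"}},
]


def session_role_arn(event: dict):
    """Role behind an AssumedRole session, or None for other identity types."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")


def triage(events: list, role_arn: str = ROLE_ARN) -> list:
    """Return findings for the role: failed assumptions and non-read S3 activity."""
    findings = []
    for ev in events:
        name = ev.get("eventName")
        failed = "errorCode" in ev
        params = ev.get("requestParameters", {})
        if ev.get("eventSource") == "sts.amazonaws.com" and name == "AssumeRoleWithWebIdentity":
            if failed and params.get("roleArn") == role_arn:
                findings.append({"severity": "medium", "reason": "failed-role-assumption",
                                 "eventTime": ev["eventTime"], "eventName": name,
                                 "actor": ev["userIdentity"].get("userName"),
                                 "sourceIPAddress": ev.get("sourceIPAddress")})
            continue
        if ev.get("eventSource") != "s3.amazonaws.com" or session_role_arn(ev) != role_arn:
            continue
        if name in READ_EVENTS:
            continue
        # A denied write means the policy held; a successful one means it drifted.
        findings.append({"severity": "medium" if failed else "high",
                         "reason": "denied-write-attempt" if failed else "non-read-action-succeeded",
                         "eventTime": ev["eventTime"], "eventName": name,
                         "actor": role_arn,
                         "target": f"{params.get('bucketName')}/{params.get('key')}"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["severity"], f["reason"], f["eventTime"], f["eventName"], sep="\t")
```

Run against a real CloudTrail export (or a CloudWatch Logs subscription), the same three reasons map cleanly onto alert rules: repeated failed assumptions from one subject or source address point at a misconfigured or unexpected Azure identity, denied writes confirm the Deny is doing its job, and any successful non-read action from the role is the page-worthy drift signal.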

This cross-cloud read-only pattern works for backups, analytics pipelines, or compliance reviews without risking modification of your S3 data. It keeps AWS as the system of record while letting Azure process, index, or mirror data with minimal friction. Execution matters more than theory here: secure trust relationships, least-privilege IAM, and short-lived credentials are non-negotiable.

If you want to see Azure reading from AWS S3 with read-only roles in a clean, production-ready setup, you can spin it up and watch it run in minutes on hoop.dev.
