"Service": "access-grants.s3.amazonaws.com" }, "Action": [ "sts:AssumeRole", "sts:SetSourceIdentity", "sts:SetContext" ] }
{ "Effect":"Allow", "Resource": "arn:aws:s3:::*", "Condition":{ "StringEquals": { "aws:ResourceAccount": "$account_id" }, "ArnEquals": { "s3:AccessGrantsInstanceArn": "$instance_arn" } } }
Trust Policy (first fragment) | Identity / Role Policy (second fragment)