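# Create the cross-account IAM role "partner-data-access" and attach its
# S3 permissions. Requires the AWS CLI with credentials allowed to manage IAM.
#
# The trust policy is written to a private temporary file instead of a
# fixed ./trust-policy.json, so an existing file of that name is never
# overwritten, and the file is removed on every exit path (the original
# only removed it when all three AWS calls succeeded).
trust_policy_file=$(mktemp "${TMPDIR:-/tmp}/trust-policy.XXXXXX") || {
  printf 'error: could not create temporary trust policy file\n' >&2
  exit 1
}
trap 'rm -f -- "$trust_policy_file"' EXIT

# Trust policy: who may call sts:AssumeRole on this role.
# - The Principal is the account root ARN, so which identities inside that
#   account may assume the role is delegated to that account's own IAM
#   policies. Name a specific role ARN instead if one is agreed.
# - The sts:ExternalId condition is the confused-deputy guard.
#   NOTE(review): "partner-external-id" looks like a placeholder; confirm it
#   is replaced with the unique value agreed with this partner.
cat > "$trust_policy_file" << 'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": { "sts:ExternalId": "partner-external-id" }
    }
  }]
}
EOF

# Inline policy scoped to objects under shared/ in company-data-bucket.
scoped_policy='{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:GetObject","Resource":"arn:aws:s3:::company-data-bucket/shared/*"}]}'

# NOTE(review): the AWS-managed AmazonS3ReadOnlyAccess policy allows S3 read
# and list actions on every bucket in this account, so the scoped inline
# policy below adds no restriction while it is attached. If the partner only
# needs shared/*, drop the attach-role-policy step; if listing is required,
# grant s3:ListBucket on company-data-bucket limited by an s3:prefix
# condition instead. The step is kept here so existing access is not changed
# without confirmation.
aws iam create-role --role-name partner-data-access \
  --assume-role-policy-document "file://${trust_policy_file}" &&
  aws iam attach-role-policy --role-name partner-data-access \
    --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess &&
  aws iam put-role-policy --role-name partner-data-access \
    --policy-name custom-data-policy \
    --policy-document "$scoped_policy" &&
  echo "Cross-account role created successfully"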