我使用以下"go"代码(Lambda(将文件"Sample.txt"从一个账户上的 S3 存储桶复制到另一个账户上的 S3 存储桶。它按预期工作,即从源存储桶复制"Sample.txt"并在目标存储桶中上传"NewSample.txt"。但是,我无法公开目标存储桶中的"NewSample.txt"文件。因此,我无法打开/下载该文件。这是因为目标存储桶中"NewSample.txt"文件的所有者仍然与源存储桶中"Sample.txt"文件的所有者相同。 如果我手动在目标存储桶中上传另一个文件,我可以看到新文件具有不同的所有者。您能否告诉我如何将文件从 S3 复制到另一个账户中的 S3(所有者在目标存储桶中(?
package main
import (
"fmt"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/awserr"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/s3"
)
// main comment
func main() {
svc := s3.New(session.New())
input := &s3.CopyObjectInput{
Bucket: aws.String("target-bucket"),
CopySource: aws.String("/source-bucket/Sample.txt"),
Key: aws.String("NewSample.txt"),
}
result, err := svc.CopyObject(input)
if err != nil {
if aerr, ok := err.(awserr.Error); ok {
switch aerr.Code() {
case s3.ErrCodeObjectNotInActiveTierError:
fmt.Println(s3.ErrCodeObjectNotInActiveTierError, aerr.Error())
default:
fmt.Println(aerr.Error())
}
} else {
fmt.Println(err.Error())
}
return
}
fmt.Println(result)
}
更新#1:
NewSample.txt -->">概述"选项卡 --> 服务器端加密 = 拒绝访问
更新#2:
我使用了以下存储桶策略
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Test",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<SourceAccountId>:role/<LambdaRole>"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::target-bucket/*",
"arn:aws:s3:::target-bucket"
]
}
]
}
更新#3:
的策略摘要 -arn:aws:iam::<SourceAccountId>:role/<LambdaRole>:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::source-bucket/*",
"arn:aws:s3:::target-bucket/*"
]
}
]
}
更新#4:
正如 Rotenstein @John在他的评论中所说,我在目标存储桶所在的账户中创建了一个 Lambda(使用完全相同的"go"代码但没有 ACL(,并在源存储桶中添加了以下存储桶策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Test",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<TargetAccountId>:role/<LambdaRole>"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::source-bucket/*",
"arn:aws:s3:::source-bucket"
]
}
]
}
这一次,在不使用ACL的情况下,我能够从目标帐户访问对象,因为我们从另一个帐户"拉取"对象。此外,本地 AWS(目标(账户这次是 NewSample.txt 文件的所有者。
更新#5:
的策略摘要 -arn:aws:iam::<TargetAccountId>:role/<LambdaRole>:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::source-bucket/*",
"arn:aws:s3:::target-bucket/*"
]
}
]
}
我通过添加ACL解决了它,如下所示:
input := &s3.CopyObjectInput{
Bucket: aws.String("target-bucket"),
CopySource: aws.String("/source-bucket/Sample.txt"),
Key: aws.String("NewSample.txt"),
ACL: aws.String("bucket-owner-full-control"),
}