我的代码将对象从账户A复制到账户B
import json
import boto3
from datetime import datetime, timedelta
def lambda_handler(event, context):
# TODO implement
SOURCE_BUCKET = 'Bucket-A'
DESTINATION_BUCKET = 'Bucket-B'
s3_client = boto3.client('s3')
# Create a reusable Paginator
paginator = s3_client.get_paginator('list_objects_v2')
# Create a PageIterator from the Paginator
page_iterator = paginator.paginate(Bucket=SOURCE_BUCKET)
# Loop through each object, looking for ones older than a given time period
for page in page_iterator:
if "Contents" in page:
for object in page['Contents']:
if object['LastModified'] < datetime.now().astimezone() - timedelta(minutes=5): # <-- Change time period here
print(f"Moving {object['Key']}")
# Copy object
s3_client.copy_object(
ACL='bucket-owner-full-control',
Bucket=DESTINATION_BUCKET,
Key=object['Key'],
CopySource={'Bucket':SOURCE_BUCKET, 'Key':object['Key']}
)
# Delete original object
s3_client.delete_object(Bucket=SOURCE_BUCKET, Key=object['Key'])
else:
print("No Contents key for page!")
lambda函数角色策略为:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": [
"s3:PutObject*",
"s3:List*",
"s3:GetObject*",
"s3:GetBucketLocation",
"s3:DeleteObject*"
],
"Resource": [
"arn:aws:s3:::Bucket-A/*",
"arn:aws:s3:::bucket-A"
]
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"s3:PutObjectAcl",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::bucket-B/*"
}
]
}
aws s3api get-object-acl --bucket bucket-b --key key1
{
"Owner": {
"DisplayName": "accountA",
"ID": "MYIDA"
},
"Grants": [
{
"Grantee": {
"DisplayName": "accountA",
"ID": "MyIDA",
"Type": "CanonicalUser"
},
"Permission": "FULL_CONTROL"
},
{
"Grantee": {
"DisplayName": "accountb",
"ID": "MyIDB",
"Type": "CanonicalUser"
},
"Permission": "FULL_CONTROL"
}
]
}
从账户A复制到账户B复制到账户B-时,如何更改对象的所有者
{
"Owner": {
"DisplayName": "accountB",
"ID": "MYIDB"
},
我将首先解决您的问题,然后为用例提供更好的方法。
首先,正如您正确识别的那样,您要查找的是对象ACL。Boto3为您提供了检索和更新对象ACL的方法,从而为对象所有者提供了检索对象ACL、对象所有者以及更新ACL的方式。在这里的官方文档中阅读更多关于这方面的信息。要阅读有关对象ACL的信息,可以参考此处的文档。
作为参考,这里有一个示例请求语法:
response = object_acl.put(
ACL='private'|'public-read'|'public-read-write'|'authenticated-read'|'aws-exec-read'|'bucket-owner-read'|'bucket-owner-full-control',
AccessControlPolicy={
'Grants': [
{
'Grantee': {
'DisplayName': 'string',
'EmailAddress': 'string',
'ID': 'string',
'Type': 'CanonicalUser'|'AmazonCustomerByEmail'|'Group',
'URI': 'string'
},
'Permission': 'FULL_CONTROL'|'WRITE'|'WRITE_ACP'|'READ'|'READ_ACP'
},
],
'Owner': {
'DisplayName': 'string',
'ID': 'string'
}
},
GrantFullControl='string',
GrantRead='string',
GrantReadACP='string',
GrantWrite='string',
GrantWriteACP='string',
RequestPayer='requester',
VersionId='string'
)
现在有一个更好的方法来实现这一点。看看AWS跨区域复制。在这里的公告文章中阅读更多关于它的信息或参阅文档。
使用文档中的描述:
复制允许在AmazonS3存储桶中自动异步复制对象。为对象复制配置的Bucket可以由同一个AWS帐户拥有,也可以由不同的帐户拥有。您可以在不同的AWS区域之间或在同一个区域内复制对象。
在不同所有权下维护对象副本——无论谁拥有源对象,您都可以告诉Amazon S3将副本所有权更改为拥有目标存储桶的AWS帐户。这被称为所有者覆盖选项。您可以使用此选项来限制对对象复制副本的访问。
从本质上讲,您可以使用生命周期策略并自动化整个过程。您还可以配置要使用新所有者创建的目标对象。这样一来,您就可以将管理工作转移到AWS,并使流程变得被动。从长远来看,这将帮助您节省人力成本和资源使用方面的成本。