我正在尝试将帐户中的文件复制到另一个存储桶中,但在B帐户中。当我尝试将文件与命令同步
时 aws s3 sync s3://BUCKET_A s3://BUCKET_B
它返回以下输出:
copy failed: s3://BUCKET_A to s3://BUCKET_B An error occurred (AccessDenied) when calling the CopyObject operation: Access Denied
这是在B帐户中创建的用户附加的策略(其中将从bucket a复制文件):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::BUCKET_A",
"arn:aws:s3::: BUCKET_A/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::BUCKET_B",
"arn:aws:s3:::BUCKET_B/*"
]
}
]
}
可能我错过了一些许可?我找不到可以添加我的用户/存储策略
CopyObject
在您的IAM角色策略方面,您需要以下内容:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::BUCKET_A",
"arn:aws:s3::: BUCKET_A/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::BUCKET_B",
"arn:aws:s3:::BUCKET_B/*"
]
}
]
}
您需要将这些权限添加到buck_b
{
"Sid": "Example permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::your_iam_policy"
},
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
],
"Resource": [
"arn:aws:s3:::BUCKET_B"
]
}
在我的情况下,我对某些对象没有任何问题,但是其中一个对象中有相同的copyObject错误。我还使用了交叉算桶之间的同步命令。
所以我看了AWS CloudTrail中的事件历史记录(因为我已经设置了CloudTrail) - 这有助于查看API调用的内容。但是,我没有启用S3存储桶和对象的事件记录,因此我尝试了几个更改,从PUT*开始。然后,我迅速缩小到我需要的那个。
最终,让我将此权限添加到我的存储策略: s3:putobjectTagging 。
希望这也可以帮助您!
您缺少此处概述的s3:GetObjectTagging
和s3:PutObjectTagging
权限:https://medium.com/collaborne-engineering/s3-copyobject-access-access-eccess-denied-5f7a6fe0393e。/div>
我遵循此方法
https://aws.amazon.com/premiumsupport/knowledge-center/copy-s3-objects-account/
将来自源AWS帐户存储库的对象复制/同步对象到目标AWS帐户存储桶。它对我效果很好。
您需要在B帐户上使用IAM用户在本地计算机上配置AWS CLI。
您可以在本地CLI配置上拥有尽可能多的配置文件。有关更多详细信息,请参阅AWS CLI配置。
现在复制时,将 - profile参数添加到您的同步命令中。例如。
aws s3 sync s3://BUCKET_A s3://BUCKET_B --profile <NEW-AWS-CLI-PROFILE-FOR-ACCOUNT-B>
这可能与对象的加密在 destination bucket中有关。查看您粘贴的IAM角色,看起来所有所需的权限均已授予。
要解决此问题,请运行相同的命令并将其添加到--sse AES256
。
aws s3 sync s3://BUCKET_A s3://BUCKET_B --sse AES256
要检查目标存储桶的加密设置,您必须检查包含条件的存储措施策略:
...
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "AES256"
}
}
...
您可以在tab Permissions
=&gt中找到存储策略;S3 GUI中的Bucket policy
,一旦您进入目标桶。
在我的情况下,它有效。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:PutObject",
"s3:GetObjectAcl",
"s3:GetObject",
"s3:PutObjectVersionAcl",
"s3:GetObjectTagging",
"s3:DeleteObject",
"s3:GetBucketLocation",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::source-bucket/*",
"arn:aws:s3:::destination-bucket/*",
"arn:aws:s3:::source-bucket",
"arn:aws:s3:::destination-bucket"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"
}
]
}
请注意,我正在基于米歇尔的答案。
在我的情况下,我还需要除S3:getObject和s3:listObject外,我需要拥有 s3:getObjectTagging 许可
用于进一步参考
总结我的源存储库策略如下:
{
"Sid": "DelegateS3Access",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::destination-account:root"
},
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:GetObjectTagging"
],
"Resource": [
"arn:aws:s3:::source-bucket/*",
"arn:aws:s3:::source-bucket"
]
}
也请记住,我在目标帐户中有AdminstratorAccess
,因此我不必在目标用户的IAM角色中附加任何内容
- 禁用块公共访问
- 将遗愿未加密
- 查找您的公共IP:
- 将以下策略添加到S3桶
{
"Version": "2008-10-17",
"Id": "Policy1357935677554",
"Statement": [
{
"Sid": "Stmt1357935647218",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::YOUR-S3-BUCKET-NAME",
"Condition": {
"IpAddress": {
"aws:SourceIp": "YOUR-PUBLIC-IP/32"
}
}
},
{
"Sid": "Stmt1357935676138",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::YOUR-S3-BUCKET-NAME/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "YOUR-PUBLIC-IP/32"
}
}
}
]
}