
I want to use Datasync to copy data from a single S3 bucket in one account to a single S3 bucket in another account. I'm following this official AWS Datasync blog: https://aws.amazon.com/blogs/storage/how-to-use-aws-datasync-to-migrate-data-between-amazon-s3-buckets/ in the second section "Copying objects across accounts".

I've set up the source and destination buckets, and

  • done the initial steps to "Create a new IAM role and attach a new IAM policy for the source S3 bucket location" and
  • "Add the following trust relationship to the IAM role" (you can see where I mean in the blog by searching for those strings in quotes) but
  • I'm now confused about which account to use to "Open the source S3 bucket policy and apply the following policy to grant permissions for the IAM role to access the objects" and
  • which account to use to run the AWS CLI command "aws sts get-caller-identity" and
  • then the "aws datasync create-location-s3" command straight after that. Am I doing those on the source or destination accounts?

The blog is a bit confusing and unclear on those specific steps and I can't find a simpler guide anywhere.

John Mee
Alex Kerr

6 Answers


The source S3 bucket policy is attached to the source S3 bucket, so you'll need to log into the source account to edit that.

The next steps have to be done from the CLI. The wording is a bit ambiguous but the key phrase is "ensure you’re using the same IAM identity you specified in the source S3 bucket policy created in the preceding step." The IAM identity referenced in the example S3 bucket policy is arn:aws:iam::DEST-ACCOUNT-ID:role/DEST-ACCOUNT-USER so you need to be authenticated to the destination account for the CLI steps. The aws sts get-caller-identity command just returns the identity used to execute the command, so it's there to confirm that you're using the expected identity rather than being strictly required for setting up the datasync location.

It's not explicitly mentioned in the tutorial but of course the user in the destination account needs appropriate IAM permissions to create the datasync locations and task.

It may help to think of it this way: you need to allow a role in the destination account to access the bucket in the source account, then you're setting up the Datasync locations and tasks in the destination account. So anything related to Datasync config needs to happen in the destination account.

jscott
  • Thank you, that got me a lot further. Having logged into the destination account via the CLI as the dest account user, and run the command given in the blog: aws datasync create-location-s3 --s3-bucket-arn arn:aws:s3:::SOURCEBUCKET --s3-config '{"BucketAccessRoleArn":"arn:aws:iam::DEST-ACCOUNT-ID:role/DEST-ACCOUNT-ROLE"}' the response I get is: An error occurred (InvalidRequestException) when calling the CreateLocationS3 operation: Please provide a bucket in the sa-east-1 region where DataSync is currently used. Blog says specify source bucket, which I did. Any thoughts please? – Alex Kerr Aug 21 '21 at 15:03
  • Is sa-east-1 the default region for the credentials you're using? S3 buckets have a "home" region. I think you need to specify the region for the S3 source bucket using the `--region` option for `aws datasync create-location-s3` – jscott Aug 22 '21 at 00:14
  • Same issue for me, nothing described actually works. – gph Sep 03 '21 at 15:00
  • @gph Hard to help if we don't have an error message to work with, can you be more specific about what you're seeing? Are you getting the region error that Alex described? – jscott Sep 03 '21 at 17:02
  • I added the error below. None of the suggestions above actually work when the description is followed to the dot. Clearly, some unmentioned configs/actions are set that allow the creation of a LocationS3 via the destination account. Please don't suggest adding the region flag again. – gph Sep 06 '21 at 07:36
  • @gph Make sure that both the role you create in the destination account and the user you're using to execute the `create-location-s3` command are listed in the source bucket policy. The user ARN is returned from the `aws sts get-caller-identity` command. Both the role and the user need to be in the source bucket policy. When I omitted the user ARN, I got the "please provide a bucket in the xxx region" error even though I specified the source bucket home region with the `--region` option. – jscott Sep 06 '21 at 23:22
  • Thanks for this answer @jscott. I ran into a similar problem when following the tutorial at https://docs.aws.amazon.com/datasync/latest/userguide/tutorial_s3-s3-cross-account-transfer.html. I saw "An error occurred (InvalidRequestException) when calling the CreateLocationS3 operation: DataSync location access test failed: could not perform s3:HeadBucket on bucket 829423945581-strapi-en-media-library. Access denied. Ensure bucket access role has s3:ListBucket permission.". I had to run the CLI command while logged in as a user that had assumed the role created in Step 1 of the tutorial. – stevenghines Jun 07 '23 at 21:09
  • AWS also mentions this at https://docs.aws.amazon.com/datasync/latest/userguide/troubleshooting-datasync-locations-tasks.html#troubleshoot-cross-account-s3 – stevenghines Jun 07 '23 at 21:14
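The check jscott describes in this answer and its comments (both the DataSync role and the identity that runs `create-location-s3` have to be named in the source bucket policy), as an added example that is not part of the AWS blog or of any answer in this thread. It builds a source bucket policy with a separate, least-privilege statement for the CLI identity and then lints a policy for the three grants the CreateLocationS3 access test depends on. Account IDs, bucket and role names are constructed placeholders, and `is_allowed` is a deliberately simplified evaluator (no Deny, Conditions, wildcards or identity-policy evaluation), not IAM's real logic.

```python
"""Added example (not code from the AWS blog or from any answer in this thread).

Builds the SOURCE bucket policy for a cross-account DataSync transfer and checks
that BOTH identities involved are granted what CreateLocationS3's access test
needs: the DataSync bucket-access role in the destination account, and the IAM
identity that runs `aws datasync create-location-s3` (the ARN printed by
`aws sts get-caller-identity`). All ARNs below are constructed placeholders.
"""
import json

# Actions the AWS blog grants the DataSync bucket-access role.
ROLE_BUCKET_ACTIONS = ["s3:GetBucketLocation", "s3:ListBucket", "s3:ListBucketMultipartUploads"]
ROLE_OBJECT_ACTIONS = ["s3:AbortMultipartUpload", "s3:DeleteObject", "s3:GetObject",
                       "s3:ListMultipartUploadParts", "s3:PutObject",
                       "s3:GetObjectTagging", "s3:PutObjectTagging"]
# The CLI caller only has to pass the location access test (HeadBucket needs s3:ListBucket).
CALLER_BUCKET_ACTIONS = ["s3:ListBucket"]


def build_source_bucket_policy(bucket: str, datasync_role_arn: str, caller_arn: str) -> dict:
    """Bucket policy for the SOURCE bucket: one statement per identity, least privilege."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DataSyncRoleAccess",
                "Effect": "Allow",
                "Principal": {"AWS": datasync_role_arn},
                "Action": ROLE_BUCKET_ACTIONS + ROLE_OBJECT_ACTIONS,
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
            },
            {
                "Sid": "CallerCanCreateLocation",
                "Effect": "Allow",
                "Principal": {"AWS": caller_arn},
                "Action": CALLER_BUCKET_ACTIONS,
                "Resource": bucket_arn,
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, principal_arn: str, action: str, resource: str) -> bool:
    """Simplified check: does some Allow statement name this exact principal, action and
    resource? Ignores Deny statements, Conditions, wildcards and identity policies."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principals = _as_list(st.get("Principal", {}).get("AWS", []))
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if principal_arn in principals and action in actions and resource in resources:
            return True
    return False


def missing_grants(policy: dict, bucket: str, datasync_role_arn: str, caller_arn: str) -> list:
    """(principal, action, resource) triples the CreateLocationS3 access test needs but the
    policy does not grant. An empty list means the bucket policy side is sufficient."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    required = [
        (datasync_role_arn, "s3:ListBucket", bucket_arn),        # HeadBucket by the role
        (datasync_role_arn, "s3:GetObject", f"{bucket_arn}/*"),  # GetObject by the role
        (caller_arn, "s3:ListBucket", bucket_arn),               # HeadBucket by the CLI caller
    ]
    return [r for r in required if not is_allowed(policy, *r)]


# Constructed placeholders, not real accounts or buckets.
SOURCE_BUCKET = "SOURCEBUCKET"
ROLE_ARN = "arn:aws:iam::222222222222:role/DESTINATION-ROLE"
CALLER_ARN = "arn:aws:iam::222222222222:user/DEST-ACCOUNT-USER"

# A policy in the shape of the blog's example: it names only the DataSync role.
BLOG_STYLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "BucketPolicyForDataSync",
        "Effect": "Allow",
        "Principal": {"AWS": [ROLE_ARN]},
        "Action": ROLE_BUCKET_ACTIONS + ROLE_OBJECT_ACTIONS,
        "Resource": [f"arn:aws:s3:::{SOURCE_BUCKET}", f"arn:aws:s3:::{SOURCE_BUCKET}/*"],
    }],
}

if __name__ == "__main__":
    print("blog-style policy is missing:",
          missing_grants(BLOG_STYLE_POLICY, SOURCE_BUCKET, ROLE_ARN, CALLER_ARN))
    fixed = build_source_bucket_policy(SOURCE_BUCKET, ROLE_ARN, CALLER_ARN)
    print("fixed policy is missing:", missing_grants(fixed, SOURCE_BUCKET, ROLE_ARN, CALLER_ARN))
    print(json.dumps(fixed, indent=2))
```

Two caveats the linter cannot see. If the CLI runs under an assumed role, `get-caller-identity` prints an `arn:aws:sts::...:assumed-role/NAME/SESSION` ARN; the principal to put in the bucket policy is the role's own `arn:aws:iam::...:role/NAME`. And because this is cross-account access, the caller's identity policy in the destination account must also allow `s3:ListBucket` on the source bucket; the resource policy alone is not enough.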

For me this did the trick, but then I got another error:

An error occurred (InvalidRequestException) when calling the CreateLocationS3 operation: DataSync location access test failed: could not perform s3:GetObject in bucket some-bucket. Access denied. Ensure bucket access role has s3:GetObject permission.

Even though the permissions were correctly set on the bucket/role. The problem was that the bucket was also encrypted with a KMS key, which I easily solved with the solution found here.
I wish I had seen my answer here, as I would have spent at least 1 hour less debugging.

Tudor

DOES NOT WORK! - https://aws.amazon.com/blogs/storage/how-to-use-aws-datasync-to-migrate-data-between-amazon-s3-buckets/

1) DESTINATION ROLE

  • create the necessary IAM roles in the account where the destination S3 bucket is located
  • Log in to the destination account and create an IAM role for the AWS DataSync
  DESTINATION-ROLE:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                - datasync.amazonaws.com
      Path: '/'
      RoleName: DESTINATION-ROLE
  DESTINATION-POLICY:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: DESTINATION-POLICY
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action:
              - s3:GetBucketLocation
              - s3:ListBucket
              - s3:ListBucketMultipartUploads
            Effect: Allow
            Resource: arn:aws:s3:::SOURCEBUCKET
          - Action:
              - s3:AbortMultipartUpload
              - s3:DeleteObject
              - s3:GetObject
              - s3:ListMultipartUploadParts
              - s3:PutObjectTagging
              - s3:GetObjectTagging
              - s3:PutObject
            Effect: Allow
            Resource: arn:aws:s3:::SOURCEBUCKET/*
      Roles:
        - Ref: DESTINATION-ROLE

2) SOURCE S3 POLICY

  • Copy the ARN for the IAM role you created for the source S3 bucket location.
  • Now, log in to the source account.
  • Open the source S3 bucket policy and apply the following policy to grant permissions for the IAM role
Version: '2012-10-17'
Statement:
  - Sid: BucketPolicyForDataSync
    Effect: Allow
    Principal:
      AWS:
        - arn:aws:iam::DEST-ACCOUNT-ID:role/DESTINATION-ROLE
    Action:
      - s3:GetBucketLocation
      - s3:ListBucket
      - s3:ListBucketMultipartUploads
      - s3:AbortMultipartUpload
      - s3:DeleteObject
      - s3:GetObject
      - s3:ListMultipartUploadParts
      - s3:PutObject
      - s3:GetObjectTagging
      - s3:PutObjectTagging
    Resource:
      - arn:aws:s3:::SOURCEBUCKET
      - arn:aws:s3:::SOURCEBUCKET/*

3) CLI INVOCATION

  • Now, launch the AWS CLI (from the source account)...
aws datasync create-location-s3                       \
    --s3-bucket-arn    'arn:aws:s3:::SOURCEBUCKET'    \
    --region           'us-east-1'                    \
    --s3-config '
        {
            "BucketAccessRoleArn":
                "arn:aws:iam::DEST-ACCOUNT-ID:role/DESTINATION-ROLE"
        }
    '

3.1) ERROR Source Account

An error occurred (AccessDeniedException) when calling the CreateLocationS3 operation: Cross-account pass role is not allowed.

3.2) ERROR Destination Account

An error occurred (InvalidRequestException) when calling the CreateLocationS3 operation: Please provide a bucket in the us-east-1 region where DataSync is currently used.
bad_coder
gph
  • The error I get is: "Invalid request provided: Please provide a bucket in the us-east-1 region where DataSync is currently used." Although it is deployed in us-east-1 in the destination account – gph Sep 06 '21 at 07:30
  • If it does not work... delete it? – John Mee Jan 16 '23 at 03:49

I had the same issue and got a fix, though I was receiving the same error message:

"An error occurred (InvalidRequestException) when calling the CreateLocationS3 operation: Please provide a bucket in the us-east-2 region where DataSync is currently used".

You need to pass the --region flag and put the region in which the source bucket is located. So look at the source bucket view and get the region.

bad_coder
  • I added --region and it still does not work. attempting this in destination account using source bucket region and destination access role – gph Sep 06 '21 at 07:14
  • @bad_coder, clearly, adding the region flag does not cut it – gph Sep 06 '21 at 08:03
  • @gph I just edited the post [on the review queue](https://stackoverflow.com/review) this is not my area of expertise. – bad_coder Sep 06 '21 at 08:32
  • >> SOLUTION << The role deploying this needs to have at least s3:ListBucket permissions in the SourceS3Policy – gph Sep 07 '21 at 09:33
  • @gph thank you so much! Your comment above saved me. Stupid error from AWS is so confusing and very unhelpful – ben5556 Nov 11 '21 at 00:04
  • @gph can you elaborate more on how you solved it? What you mean by "The role deploying" is it the user that executing the command or which role? I tried a dozen combinations and I still get the cross-account pass role is not allowed error. – Mert Alnuaimi Jan 31 '23 at 12:22
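The region and account errors traded in this answer's comments and in gph's answer above, as an added example that is not from the AWS blog or from any answer in this thread. It resolves the source bucket's home region from `aws s3api get-bucket-location` output (which reports `null` for us-east-1 and the legacy value `EU` for eu-west-1), assembles the `create-location-s3` invocation, and maps the three error texts quoted in the thread to the next thing to check. Bucket, account and role names are constructed placeholders; `main()` shells out to the real `aws` CLI and needs credentials for the destination account, plus `s3:GetBucketLocation` on the source bucket for the region lookup (if the caller lacks that, set the region by hand).

```python
"""Added example (not code from the AWS blog or from any answer in this thread).

Resolves the SOURCE bucket's home region the way `aws datasync create-location-s3
--region` wants it, builds the command, and interprets the CreateLocationS3 errors
seen in this thread. Names are constructed placeholders.
"""
import json
import re
import shlex
import subprocess

# `aws s3api get-bucket-location` returns null for us-east-1 and the legacy
# value "EU" for eu-west-1; every other value is already the region name.
LEGACY_LOCATION_CONSTRAINTS = {None: "us-east-1", "": "us-east-1", "EU": "eu-west-1"}


def region_from_get_bucket_location(json_text: str) -> str:
    """Map the JSON body of `aws s3api get-bucket-location` to a region name."""
    constraint = json.loads(json_text).get("LocationConstraint")
    return LEGACY_LOCATION_CONSTRAINTS.get(constraint, constraint)


def create_location_s3_argv(source_bucket: str, region: str, bucket_access_role_arn: str) -> list:
    """argv for creating the SOURCE location while authenticated to the DESTINATION account."""
    return [
        "aws", "datasync", "create-location-s3",
        "--region", region,  # the SOURCE bucket's home region, not the CLI default region
        "--s3-bucket-arn", f"arn:aws:s3:::{source_bucket}",
        "--s3-config", json.dumps({"BucketAccessRoleArn": bucket_access_role_arn}),
    ]


_REGION_ERR = re.compile(r"Please provide a bucket in the ([a-z]{2}(?:-[a-z]+)+-\d) region")


def diagnose(stderr_text: str, bucket_region: str) -> str:
    """Turn CreateLocationS3 error text into the next thing to check."""
    if "Cross-account pass role is not allowed" in stderr_text:
        # iam:PassRole to DataSync only works for a role in the caller's own account.
        return ("ran from the wrong account: BucketAccessRoleArn must be a role in the account "
                "whose credentials you are using, so run this from the destination account")
    m = _REGION_ERR.search(stderr_text)
    if m:
        wanted = m.group(1)
        if wanted != bucket_region:
            return (f"pass --region {bucket_region} (the source bucket's home region); "
                    f"the call went to {wanted}")
        # Right region and still this error: in the thread this was the CLI identity
        # missing from the source bucket policy, so the access test failed.
        return ("region is right; add the identity from `aws sts get-caller-identity` "
                "to the source bucket policy with s3:ListBucket")
    if "could not perform s3:" in stderr_text:
        return ("the bucket access role lacks an S3 permission, or the source bucket is "
                "SSE-KMS encrypted and the role is not allowed to use the key")
    return "unrecognised error; see the DataSync cross-account troubleshooting page"


def main(source_bucket: str, dest_account_id: str, role_name: str) -> None:
    """Run the real commands; requires destination-account credentials."""
    role_arn = f"arn:aws:iam::{dest_account_id}:role/{role_name}"
    caller = subprocess.run(
        ["aws", "sts", "get-caller-identity", "--query", "Arn", "--output", "text"],
        check=True, capture_output=True, text=True).stdout.strip()
    print(f"caller identity (must be in the source bucket policy): {caller}")
    # Needs s3:GetBucketLocation on the source bucket for this caller.
    location = subprocess.run(
        ["aws", "s3api", "get-bucket-location", "--bucket", source_bucket],
        check=True, capture_output=True, text=True).stdout
    region = region_from_get_bucket_location(location)
    argv = create_location_s3_argv(source_bucket, region, role_arn)
    print("running:", shlex.join(argv))
    result = subprocess.run(argv, capture_output=True, text=True)
    if result.returncode != 0:
        print(result.stderr.strip())
        print("hint:", diagnose(result.stderr, region))
    else:
        print(result.stdout)


if __name__ == "__main__":
    import sys
    main(*sys.argv[1:4])  # python this.py SOURCEBUCKET DEST-ACCOUNT-ID DESTINATION-ROLE
```

The two branches of `diagnose` for the region message are the point: the same "Please provide a bucket in the X region" text appears both when `--region` is wrong and, as jscott found, when the region is right but the CLI identity is absent from the source bucket policy, so compare the region in the message with the bucket's real home region before changing anything else.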

What I saw works was to:

  1. Run the CLI command in the destination account
  2. When you are running the CLI command, you should make sure that the ARN of the user/botocore session with which you are running the CLI command has access to the source bucket with, as said by @gph, at least s3:ListBucket. What I found tricky: in case you do not run the CLI command with a user, but using some roles, you need to make sure to grant permission to the botocore session after assuming a role in the source account. Of course, the permission is as short-lived as the botocore session duration, but at least it helps you create the location if you don't want to log in with an IAM user.

If you are running this via AWS CLI using your own AWS user credentials for the source account, make sure that your user is granted ListBucket permissions in the destination bucket permissions. (You will probably add this from the AWS console in the destination account):

{
  "Sid": "UserDataSyncCreateS3Location",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::112233445566:user/my-user-name"
  },
  "Action": "s3:ListBucket",
  "Resource": "arn:aws:s3:::this-destination-bucket"
}
JoeAC