
I've been reading multiple posts like this one about how to transfer data with the AWS CLI from one S3 bucket to another using different accounts, but I am still unable to do so. I'm sure it's because I haven't fully grasped the concepts of account and permission settings in AWS yet (e.g. IAM account vs. access key).

I have a vendor that gave me a user called "Foo" and account number "123456789012" with 2 access keys to access their S3 bucket "SourceBucket" in eu-central-1. I created a profile on my machine called "sourceProfile" with the access key provided by the vendor. I have my S3 bucket called "DestinationBucket" in us-east-1 and I set the bucket policy to the following.

```json
{
  "Version": "2012-10-17",
  "Id": "Policy12345678901234",
  "Statement": [
    {
      "Sid": "Stmt1487222222222",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/Foo"
      },
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::DestinationBucket/",
        "arn:aws:s3:::DestinationBucket/*"
      ]
    }
  ]
}
```

Here comes the weird part. I am able to list the files and even download files from "DestinationBucket" using the following commands.

```
aws s3 ls s3://DestinationBucket --profile sourceProfile
aws s3 cp s3://DestinationBucket/test ./ --profile sourceProfile
```

But when I try to copy anything to "DestinationBucket" using the profile, I get an Access Denied error.

```
aws s3 cp test s3://DestinationBucket --profile sourceProfile --region us-east-1
upload failed: ./test to s3://DestinationBucket/test An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
```

Did I set up the bucket policy, especially the list of actions, right? How can ls and cp from the destination to local work, but cp from local to the destination bucket not work?

  • Can you temporarily change the Action to `"s3:*"` to test whether that works? If it does, then there's probably some additional actions that the `aws s3 cp` command needs in the destination bucket. – John Rotenstein Mar 29 '17 at 11:33
  • Yes, I've tried s3:* and got the same result – Foo Barbaz Mar 29 '17 at 12:48
  • Then it should definitely work! I suggest temporarily changing it to a Principal of `*` to see whether it works. That will help narrow-down what could be wrong. – John Rotenstein Mar 30 '17 at 10:52

1 Answer


Because AWS makes it so that the parent account holder must do the delegation.

Actually, besides delegating access to that particular access key user, you can choose to do replication on the bucket as stated here.

mootmoot
  • I thought step 2.3 in the article suggested by @mootmoot was the missing part, but I'm still getting the same `error occurred (AccessDenied) when calling the PutObject operation: Access Denied`. – Foo Barbaz Mar 29 '17 at 13:12
  • @FooBarbaz: you need to read through the whole documentation. Step 2.3 is not enough – mootmoot Mar 29 '17 at 14:05
  • I reversed the method and it works now. Instead of using the account created by the vendor to get the object from their bucket and put the object in my bucket, I am using my account, which is able to put objects in my bucket. The setup is the same but in reverse (e.g. set up the bucket policy on the vendor's bucket that allows my account to access it). No idea why the original method didn't work, but I don't have time to investigate further. – Foo Barbaz Apr 05 '17 at 12:18
  • @FooBarbaz The delegation part is very tricky. AWS only shows the way that works; it doesn't show the other way (e.g. the vendor gives you a bucket access key). – mootmoot Apr 05 '17 at 15:21
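As an added example (not code from the question or from mootmoot's answer), here is a small offline model of the rule this thread keeps circling. For a cross-account request, S3 allows a call only if the caller's identity policy in the caller's own account AND the bucket policy in the bucket owner's account both allow it, and an explicit Deny in either wins. For a same-account request, either policy alone is enough. That one rule explains both the question's symptom (a vendor user whose identity policy covers List/Get but not Put will be able to `ls` and download but get AccessDenied on PutObject, no matter how generous the destination bucket policy is) and why the "reversed" setup in the comments works (uploading to your own bucket with your own credentials is same-account). The vendor's identity policy for Foo is never shown in the thread, so the one below is constructed to reproduce the symptom, and the account number that owns DestinationBucket is a placeholder. One caveat worth checking on the question's own policy: s3:ListBucket is authorised against the bare bucket ARN, so the bucket-level resource should be `arn:aws:s3:::DestinationBucket` with no trailing slash.

```python
from fnmatch import fnmatchcase

# Assumed identifiers: the thread never gives the account that owns
# DestinationBucket, so 999999999999 is a placeholder; the vendor account and
# user are the ones the question names.
DEST_ACCOUNT = "999999999999"
VENDOR_ACCOUNT = "123456789012"
VENDOR_USER = f"arn:aws:iam::{VENDOR_ACCOUNT}:user/Foo"
DEST_BUCKET = "arn:aws:s3:::DestinationBucket"

# The bucket policy from the question. The bucket-level resource is the bare
# bucket ARN: S3 evaluates s3:ListBucket against that ARN, and a pattern with a
# trailing slash ("arn:aws:s3:::DestinationBucket/") would match nothing.
DEST_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": VENDOR_USER},
        "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:ListBucket"],
        "Resource": [DEST_BUCKET, DEST_BUCKET + "/*"],
    }],
}

# Constructed identity policy for user Foo in the vendor account (not shown in
# the thread). It allows read and list everywhere but no Put, which is enough
# to reproduce "ls works, download works, upload is AccessDenied".
VENDOR_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # Action names are case-insensitive and accept '*' / '?' wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    # Resource ARNs are case-sensitive; a '*' in the pattern also spans '/'.
    return any(fnmatchcase(resource, p) for p in _as_list(patterns))


def _principal_matches(stmt, principal_arn):
    principal = stmt.get("Principal", "*")
    if principal == "*":
        return True
    arns = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return any(a in ("*", principal_arn) for a in _as_list(arns))


def evaluate(policy, action, resource, principal_arn=None):
    """Return 'Deny', 'Allow' or 'Implicit' for one policy document.
    Simplified model: no Condition, NotAction or NotResource handling."""
    decision = "Implicit"
    for stmt in policy["Statement"]:
        if principal_arn is not None and not _principal_matches(stmt, principal_arn):
            continue
        if not _action_matches(stmt["Action"], action):
            continue
        if not _resource_matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit Deny ends evaluation immediately
        decision = "Allow"
    return decision


def request_allowed(identity_policy, bucket_policy, bucket_owner, principal_arn, action, resource):
    """Same account: either policy may grant. Cross-account: both must grant."""
    by_identity = evaluate(identity_policy, action, resource)
    by_bucket = evaluate(bucket_policy, action, resource, principal_arn)
    if "Deny" in (by_identity, by_bucket):
        return False
    if principal_arn.split(":")[4] == bucket_owner:
        return "Allow" in (by_identity, by_bucket)
    return by_identity == "Allow" and by_bucket == "Allow"


def reproduce_question():
    """The three commands from the question, as the S3 actions they issue."""
    cases = {
        "aws s3 ls s3://DestinationBucket": ("s3:ListBucket", DEST_BUCKET),
        "aws s3 cp s3://DestinationBucket/test ./": ("s3:GetObject", DEST_BUCKET + "/test"),
        "aws s3 cp test s3://DestinationBucket": ("s3:PutObject", DEST_BUCKET + "/test"),
    }
    return {cmd: request_allowed(VENDOR_IDENTITY_POLICY, DEST_BUCKET_POLICY, DEST_ACCOUNT,
                                 VENDOR_USER, action, resource)
            for cmd, (action, resource) in cases.items()}


def with_put_granted_by_vendor():
    """What the vendor would have to add to Foo's identity policy for the upload to pass."""
    fixed = {"Version": "2012-10-17", "Statement": VENDOR_IDENTITY_POLICY["Statement"] + [
        {"Effect": "Allow", "Action": "s3:PutObject", "Resource": DEST_BUCKET + "/*"}]}
    return request_allowed(fixed, DEST_BUCKET_POLICY, DEST_ACCOUNT, VENDOR_USER,
                           "s3:PutObject", DEST_BUCKET + "/test")


if __name__ == "__main__":
    for cmd, ok in reproduce_question().items():
        print(f"{cmd:42s} -> {'OK' if ok else 'AccessDenied'}")
    print("after vendor grants s3:PutObject on Foo    ->", with_put_granted_by_vendor())
```

Running it prints OK for the `ls` and download commands and AccessDenied for the upload, which is the behaviour the question reports; the last line shows the upload passing once the vendor side also allows PutObject on the destination objects. The practical check on a real setup is the same two-sided one: ask the vendor what Foo's identity policy actually allows, because nothing you do in your own bucket policy can make a cross-account call succeed that the caller's own account has not allowed.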