I am trying to use the AWS DataSync service to copy files from one bucket in one account to another bucket in another account. The buckets are also in different regions. I get this error message when I create the DataSync task:
Failed to create task
Request ID: 23f8844d-7867-4b72-a02c-be52b0f2fz31
Action: datasync:CreateTask
Status code: 400
API response: DataSync location access test failed: could not perform s3:HeadBucket on bucket <bucket_name>. Access denied. Ensure bucket access role has s3:ListBucket permission.
I am using the steps from here: https://github.com/awsdocs/aws-datasync-user-guide/blob/main/doc_source/tutorial_s3-s3-cross-account-transfer.md#step-5-create-and-start-a-datasync-task where Account A is the sender account and Account B is the destination bucket account, and I have completed all of the tasks before Step 5. I have this ListBucket permission in my destination bucket policy for both "arn:aws:iam::account-a-id:role/name-of-role" and "arn:aws:iam::account-a-id:user/name-of-user". I am logged in as "arn:aws:iam::account-a-id:user/name-of-user" when I create the DataSync task. Let me know if I am doing something wrong here.
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "DataSyncCreateS3LocationAndTaskAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::account-a-id:role/name-of-role"
      },
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:ListMultipartUploadParts",
        "s3:PutObject",
        "s3:GetObjectTagging",
        "s3:PutObjectTagging"
      ],
      "Resource": [
        "arn:aws:s3:::account-b-bucket",
        "arn:aws:s3:::account-b-bucket/*"
      ]
    },
    {
      "Sid": "DataSyncCreateS3Location",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::account-a-id:user/name-of-user"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::account-b-bucket"
    }
  ]
}
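As an added example that is not part of the original question, here is a small Python checker that loads a copy of the bucket policy above and reports whether a given principal ARN is granted a given S3 action on a given resource ARN, with the HeadBucket case (s3:ListBucket on the bucket ARN itself, not on bucket/*) as a helper. It evaluates only this one resource policy, so an "allowed" result is necessary but not sufficient for cross-account access: the caller's identity-based policy in Account A must also grant the same action. It assumes the policy carries no Condition keys, which it ignores.

```python
import json
import re
# Sample input: a compact copy of the bucket policy from the question (constructed here).
BUCKET_POLICY = json.loads("""{
  "Version": "2008-10-17",
  "Statement": [
    {"Sid": "DataSyncCreateS3LocationAndTaskAccess", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::account-a-id:role/name-of-role"},
     "Action": ["s3:GetBucketLocation", "s3:ListBucket", "s3:ListBucketMultipartUploads",
                "s3:AbortMultipartUpload", "s3:DeleteObject", "s3:GetObject", "s3:ListMultipartUploadParts",
                "s3:PutObject", "s3:GetObjectTagging", "s3:PutObjectTagging"],
     "Resource": ["arn:aws:s3:::account-b-bucket", "arn:aws:s3:::account-b-bucket/*"]},
    {"Sid": "DataSyncCreateS3Location", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::account-a-id:user/name-of-user"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::account-b-bucket"}
  ]
}""")

def _as_list(value):
    # Policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]

def _glob_match(pattern, value):
    """IAM-style wildcard match: '*' matches any run of characters; matching is case-insensitive."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, value, re.IGNORECASE) is not None

def _principal_matches(principal, arn):
    """True if the statement's Principal names this ARN (a bare '*' means anonymous access)."""
    aws = principal if isinstance(principal, str) else principal.get("AWS", [])
    return any(p in ("*", arn) for p in _as_list(aws))

def is_allowed(policy, principal_arn, action, resource_arn):
    """Evaluate this one resource policy: an explicit Deny wins, otherwise any matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt.get("Principal", {}), principal_arn):
            continue
        if not any(_glob_match(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_glob_match(r, resource_arn) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def head_bucket_check(policy, principal_arn, bucket_name):
    """s3:HeadBucket is authorised by s3:ListBucket on the bucket ARN itself, not on bucket/*."""
    return is_allowed(policy, principal_arn, "s3:ListBucket", f"arn:aws:s3:::{bucket_name}")
```

Running head_bucket_check for both principals in the question against this policy returns True, which confirms the resource policy side; if the API still reports Access denied, the remaining places to look are the identity policy in Account A and the bucket's block-public-access and ownership settings.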