How do I give the DDB export service access to a bucket in a different AWS account?

Time:11-24

I want to export a DDB table from one account directly to an s3 bucket in a different account.

When I start the export I choose "A different AWS account" and specify its bucket.

It fails with this error: Status Code: 403; Error Code: AccessDenied

Obviously I need to give it permission, but I can't find any documentation for this. What/who needs to be granted permission to the bucket? It's obviously a supported feature, but I can't find any explanation of the permissions configuration.

CodePudding user response:

This link should cover the particular policies required for both your IAM policy and the S3 bucket policy in the destination:

https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DataExport.Requesting.html#DataExport.Requesting.Permissions

In particular, pay attention to KMS keys if you are using them on the destination S3 bucket: you will need to grant permissions for the requesting principal on those keys as well. This is a common gotcha!

CodePudding user response:

In the target account, the one that owns the bucket you want to export to, you must attach a bucket policy to the bucket. Go to the bucket's Permissions tab and attach the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ExampleStatement",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789000:user/my-user"
            },
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::my-bucket-name/*"
        }
    ]
}

The principal can be a user or a role who initiates the export in the source account. Obviously, the principal needs to have the necessary rights to do an export in the source bucket.
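As an added example (not part of either answer), here is a small audit that takes a destination bucket policy like the one above and reports whether the export principal is explicitly granted the three S3 actions on the bucket's objects, and whether any Allow statement is broader than the export needs. The check function and the sample policy are constructed here; it assumes the policy is already loaded as a dict and does not cover the KMS key policy the first answer mentions.

```python
# Added example (not from the original post): audit a destination bucket policy for
# the cross-account export above. Assumes the policy is already a dict (S3 returns
# it as a JSON string; json.loads it first). Sample data below is constructed.
import json

# Actions the export principal needs on the destination objects (from the answer above).
REQUIRED_ACTIONS = {"s3:AbortMultipartUpload", "s3:PutObject", "s3:PutObjectAcl"}


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Return the principal identifiers of a statement; '*' means anonymous access."""
    principal = stmt.get("Principal")
    if isinstance(principal, dict):
        return set(_as_list(principal.get("AWS")))
    return {"*"} if principal == "*" else set()


def check_export_bucket_policy(policy, principal_arn, bucket):
    """Report required actions not explicitly granted to principal_arn, and over-broad Allows."""
    object_prefix = f"arn:aws:s3:::{bucket}/"
    granted, too_broad = set(), []
    for stmt in _as_list(policy.get("Statement")):
        # Only statements whose Resource covers objects in this bucket matter for the export.
        covers_objects = any(
            r == "arn:aws:s3:::*" or (r.startswith(object_prefix) and r.endswith("*"))
            for r in _as_list(stmt.get("Resource")))
        if stmt.get("Effect") != "Allow" or not covers_objects:
            continue
        principals = _principals(stmt)
        actions = set(_as_list(stmt.get("Action")))
        # Anonymous principals or wildcard actions hand out far more than the export needs.
        if "*" in principals or actions & {"*", "s3:*"}:
            too_broad.append(stmt.get("Sid", "<no Sid>"))
        if principal_arn in principals:
            granted |= actions
    return {"missing": sorted(REQUIRED_ACTIONS - granted), "too_broad": too_broad}


# Constructed sample: the policy from the answer above, as S3 would return it.
SAMPLE_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [{
  "Sid": "ExampleStatement", "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::123456789000:user/my-user"},
  "Action": ["s3:AbortMultipartUpload", "s3:PutObject", "s3:PutObjectAcl"],
  "Resource": "arn:aws:s3:::my-bucket-name/*"}]}''')
```

A non-empty `missing` list is the usual cause of the 403 in the question; a non-empty `too_broad` list means the bucket is open to more than the export principal.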
