Home > OS >  On Copying S3 "CopyObject operation: Access Denied"
On Copying S3 "CopyObject operation: Access Denied"

Time:01-24

I want to copy the contents of an Amazon S3 bucket from Account-A to Account-B.

I tried running this AWS CLI command:

aws s3 cp s3://bucketA s3://bucketB --recursive --acl bucket-owner-full-control

It gives the error:

An error occurred (AccessDenied) when calling the CopyObject operation: Access Denied

I have given s3:getobject and s3:putobject permissions to both the buckets.

CodePudding user response:

If encryption is involved then you'll get an access denied message if you don't have kms permissions to the key used for the bucket/content. Try adding kms permissions if relevant. Also, cloudtrail can provide better error information if you have it enabled.

[edit] One other thing, you need s3:list* to query the buckets to begin with usually, before you narrow down to specific bucket permissions.

Generally try with s3:* and kms:* and if it works, narrow down from there.

CodePudding user response:

When copying data between Amazon S3 buckets that belong to different AWS Accounts, you will need to use a single AWS credential (eg IAM User) that has read permission on the source bucket and write on the destination bucket.

This requires permissions to be configured in both the source account and the destination account. The configuration varies depending upon whether the IAM User belongs to the source account or the destination account.

If using credentials from the source account

  • In the source account, grant the IAM User GetObject permissions on the source bucket (this does not involve creating a Bucket Policy)
  • In the destination account, add a Bucket Policy on the destination bucket that grants PutObject permissions to the IAM User in the source account
  • Copy the files using --acl bucket-owner-full-control to grant ownership to the destination account

If using credentials from the destination account

  • In the source account, add a Bucket Policy on the source bucket that grants GetObject permissions to the IAM User in the destination account
  • In the destination account, grant the IAM User PutObject permissions on the destination bucket (this does not involve creating a Bucket Policy)

Page link:https//www.codepudding.com/os/681390.html

Prev:Signle Sign-on : Microsoft 365 not asking to pick an account
Next:AWS IAM Policy Assistance with Lambda Permissions for SMTP
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding