I want to copy the contents of an Amazon S3 bucket from Account-A to Account-B.
I tried running this AWS CLI command:
aws s3 cp s3://bucketA s3://bucketB --recursive --acl bucket-owner-full-control
It gives the error:
An error occurred (AccessDenied) when calling the CopyObject operation: Access Denied
I have given s3:getobject and s3:putobject permissions on both buckets.
CodePudding user response:
If encryption is involved then you'll get an access denied message if you don't have KMS permissions to the key used for the bucket/content. Try adding KMS permissions if relevant. Also, CloudTrail can provide better error information if you have it enabled.
[edit] One other thing: you usually need s3:list* to query the buckets to begin with, before you narrow down to specific bucket permissions.
Generally, try with s3:* and kms:* and, if it works, narrow down from there.
CodePudding user response:
When copying data between Amazon S3 buckets that belong to different AWS Accounts, you will need to use a single AWS credential (e.g. an IAM User) that has read permission on the source bucket and write permission on the destination bucket.
This requires permissions to be configured in both the source account and the destination account. The configuration varies depending upon whether the IAM User belongs to the source account or the destination account.
If using credentials from the source account
- In the source account, grant the IAM User GetObject permissions on the source bucket (this does not involve creating a Bucket Policy)
- In the destination account, add a Bucket Policy on the destination bucket that grants PutObject permissions to the IAM User in the source account
- Copy the files using --acl bucket-owner-full-control to grant ownership to the destination account
If using credentials from the destination account
- In the source account, add a Bucket Policy on the source bucket that grants GetObject permissions to the IAM User in the destination account
- In the destination account, grant the IAM User PutObject permissions on the destination bucket (this does not involve creating a Bucket Policy)
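The second scenario above (credentials from the destination account), worked through as an added example that is not part of either answer and not AWS's own code. The account ID, user name and bucket names are placeholders. Two things the answer leaves implicit are built in: a cross-account request is only allowed when the caller's identity-based policy and the source bucket policy both allow it, so the destination-account user needs s3:GetObject on the source bucket in its own IAM policy as well as in the bucket policy; and the command in the question needs more than GetObject/PutObject, because --recursive lists the source bucket (s3:ListBucket) and --acl sets an ACL on each copied object (s3:PutObjectAcl). The missing_actions() helper is a deliberately simplified policy check (Allow statements only, no Deny, no Condition, no Principal) that reproduces the asker's situation:

```python
"""Policy documents for copying objects between S3 buckets in two AWS
accounts with `aws s3 cp --recursive --acl bucket-owner-full-control`,
using credentials from the destination account (Account-B).

Added example, not from the original thread or from AWS. Account ID,
user name and bucket names are placeholders.
"""
import fnmatch
import json

# Constructed placeholder identifiers
SOURCE_BUCKET = "bucketA"                                    # lives in Account-A
DEST_BUCKET = "bucketB"                                      # lives in Account-B
COPY_USER_ARN = "arn:aws:iam::222222222222:user/s3-copier"   # IAM user in Account-B

# Actions the copy actually exercises, per bucket. ListBucket is needed for
# --recursive to enumerate the source; PutObjectAcl is needed because --acl
# sets an ACL header on every copied object.
REQUIRED = {
    SOURCE_BUCKET: {"s3:ListBucket", "s3:GetObject"},
    DEST_BUCKET: {"s3:PutObject", "s3:PutObjectAcl"},
}


def source_bucket_policy(bucket: str, principal_arn: str) -> dict:
    """Bucket policy for the source bucket in Account-A: lets the Account-B
    user list the bucket and read its objects."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowCrossAccountList", "Effect": "Allow",
             "Principal": {"AWS": principal_arn},
             "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "AllowCrossAccountRead", "Effect": "Allow",
             "Principal": {"AWS": principal_arn},
             "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def copy_user_policy(source: str, dest: str) -> dict:
    """Identity-based policy for the Account-B user. It must allow the source
    reads too: a bucket policy in another account grants nothing to an
    identity whose own policies do not also allow the action."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:ListBucket", "s3:GetObject"],
             "Resource": [f"arn:aws:s3:::{source}", f"arn:aws:s3:::{source}/*"]},
            {"Effect": "Allow",
             "Action": ["s3:PutObject", "s3:PutObjectAcl"],
             "Resource": f"arn:aws:s3:::{dest}/*"},
        ],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def missing_actions(policy: dict, bucket: str) -> set:
    """Return the REQUIRED actions for `bucket` that no Allow statement in
    `policy` covers. Action names are case-insensitive and may carry IAM-style
    wildcards (s3:*, s3:Get*); resources may carry wildcards too. Simplified on
    purpose: Deny statements, Conditions and Principals are ignored."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/*"
    allowed = set()
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        patterns = [a.lower() for a in _as_list(st.get("Action", []))]
        resources = _as_list(st.get("Resource", []))
        for action in REQUIRED[bucket]:
            # ListBucket is a bucket-level action; the rest target objects.
            target = bucket_arn if action == "s3:ListBucket" else object_arn
            if (any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)
                    and any(fnmatch.fnmatchcase(target, r) for r in resources)):
                allowed.add(action)
    return REQUIRED[bucket] - allowed


if __name__ == "__main__":
    # Write the two documents out for `aws s3api put-bucket-policy` and
    # `aws iam put-user-policy`.
    with open("source-bucket-policy.json", "w") as f:
        json.dump(source_bucket_policy(SOURCE_BUCKET, COPY_USER_ARN), f, indent=2)
    with open("copy-user-policy.json", "w") as f:
        json.dump(copy_user_policy(SOURCE_BUCKET, DEST_BUCKET), f, indent=2)
    for b in (SOURCE_BUCKET, DEST_BUCKET):
        print(b, "missing:", missing_actions(copy_user_policy(SOURCE_BUCKET, DEST_BUCKET), b))
```

Apply the generated documents with, in Account-A, aws s3api put-bucket-policy --bucket bucketA --policy file://source-bucket-policy.json and, in Account-B, aws iam put-user-policy --user-name s3-copier --policy-name s3-cross-account-copy --policy-document file://copy-user-policy.json, then rerun the aws s3 cp command as the Account-B user. If either bucket uses SSE-KMS with a customer-managed key, the key policy must additionally let that user decrypt (source key) and generate data keys (destination key); the checker above does not model that.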