S3 在不同帐户的存储桶之间移动文件? [英] S3 moving files between buckets on different accounts?
问题描述
我正在为拥有 2 个独立 AWS 账户的客户做一些工作.我们需要将其 S3 帐户之一上的存储桶中的所有文件移动到第二个帐户的新存储桶中.
我们认为 s3cmd 会允许这样做,使用以下格式:
s3cmd cp s3://bucket1 s3://bucket2 --recursive但是这只允许我使用一个帐户的密钥,而我不能指定第二个帐户的帐户.
有没有办法在不下载文件并将它们再次上传到第二个帐户的情况下执行此操作?
您不必向所有人开放权限.在源和目标上使用以下存储桶策略,以使用 IAM 用户从一个账户中的存储桶复制到另一个存储桶
要复制的存储桶:
SourceBucket要复制到的存储桶:
DestinationBucket源 AWS 账户 ID:
XXXX–XXXX-XXXX源 IAM 用户:
src–iam-user
以下策略意味着 - IAM 用户 - XXXX–XXXX-XXXX:src–iam-user 具有 s3:ListBucket 和 s3:GetObject 权限 on SourceBucket/* 和 s3:ListBucket 和 s3:PutObject 权限 DestinationBucket/*
在 SourceBucket 上,策略应该是这样的:
<代码>{"Id": "Policy1357935677554",陈述": [{"Sid": "Stmt1357935647218","动作": ["s3:ListBucket"],"Effect": "允许","Resource": "arn:aws:s3:::SourceBucket","Principal": {"AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src–iam-user"}}, {"Sid": "Stmt1357935676138","动作": ["s3:GetObject"],"Effect": "允许","Resource": "arn:aws:s3:::SourceBucket/*","Principal": {"AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src–iam-user"}}]}在 DestinationBucket 上的策略应该是:
<代码>{"Id": "Policy1357935677555",陈述": [{"Sid": "Stmt1357935647218","动作": ["s3:ListBucket"],"Effect": "允许","Resource": "arn:aws:s3:::DestinationBucket","Principal": {"AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src–iam-user"}}, {"Sid": "Stmt1357935676138","动作": ["s3:PutObject"],"Effect": "允许","Resource": "arn:aws:s3:::DestinationBucket/*","Principal": {"AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src–iam-user"}}]}要运行的命令是 s3cmd cp s3://SourceBucket/File1 s3://DestinationBucket/File1
I'm doing some work for a client that has 2 separate AWS accounts. We need to move all the files in a bucket on one of their S3 accounts to a new bucket on the 2nd account.
We thought that s3cmd would allow this, using the format:
s3cmd cp s3://bucket1 s3://bucket2 --recursive
However this only allows me to use the keys of one account and I can't specify the accounts of the 2nd account.
Is there a way to do this without downloading the files and uploading them again to the 2nd account?
You don't have to open permissions to everyone. Use the below Bucket policies on source and destination for copying from a bucket in one account to another using an IAM user
Bucket to Copy from:
SourceBucketBucket to Copy to:
DestinationBucketSource AWS Account ID:
XXXX–XXXX-XXXXSource IAM User:
src–iam-user
The below policy means – the IAM user - XXXX–XXXX-XXXX:src–iam-user has s3:ListBucket and s3:GetObject privileges on SourceBucket/* and s3:ListBucket and s3:PutObject privileges on DestinationBucket/*
On the SourceBucket the policy should be like:
{
"Id": "Policy1357935677554",
"Statement": [{
"Sid": "Stmt1357935647218",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": "arn:aws:s3:::SourceBucket",
"Principal": {"AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src–iam-user"}
}, {
"Sid": "Stmt1357935676138",
"Action": ["s3:GetObject"],
"Effect": "Allow",
"Resource": "arn:aws:s3:::SourceBucket/*",
"Principal": {"AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src–iam-user"}
}]
}
On the DestinationBucket the policy should be:
{
"Id": "Policy1357935677555",
"Statement": [{
"Sid": "Stmt1357935647218",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": "arn:aws:s3:::DestinationBucket",
"Principal": {"AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src–iam-user"}
}, {
"Sid": "Stmt1357935676138",
"Action": ["s3:PutObject"],
"Effect": "Allow",
"Resource": "arn:aws:s3:::DestinationBucket/*",
"Principal": {"AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src–iam-user"}
}]
}
Command to be run is s3cmd cp s3://SourceBucket/File1 s3://DestinationBucket/File1
这篇关于S3 在不同帐户的存储桶之间移动文件?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
