如何确保Athena结果S3对象具有bucket-owner-full-control [英] how to ensure that Athena result S3 object with bucket-owner-full-control

问题描述

我们(帐户A)想以编程方式在不同的AWS帐户(帐户B)中触发雅典娜查询(startQueryExecution)，我们使用假定的角色来实现它.完成雅典娜查询后，我们希望该结果应写入到aws帐户s3存储桶(帐户A)中.我们通过设置双方IAM策略以允许B写入A的S3存储桶来做到这一点.

We(account A) would like to use programmatically way to trigger athena query(startQueryExecution) in different aws account ( Account B), we use assumed role to achieve it. After athena query done, we are expecting that result should be written to our aws account s3 bucket (Account A). We managed to do so by setting both side IAM policy to allow B to write to A's S3 bucket.

但是，似乎帐户A中的S3对象仍归帐户B所有，帐户A中的用户/角色无权访问这些对象.

However, it seemed S3 object in account A is still owned by Account B, user/role in account A has no access to those object.

我在想办法解决此问题，但是我找不到任何解决方法的例子

I was thinking either ways to fix this, but I can not find any example of how to do either

以某种方式确保雅典娜使用acl = bucket-owner-full-control写入s3 创建对象后以某种方式将s3对象acl更改为bucket-owner-full-control

somehow make sure athena writing to s3 with acl = bucket-owner-full-control somehow change s3 object acl to bucket-owner-full-control after object created

有什么主意吗?

推荐答案

到目前为止，尚无直接方法可以访问帐户A中编写的s3文件.解决此问题的一种方法是将s3文件编写为帐户B存储桶，并具有一个策略，该策略授予对帐户A的访问权限，从而可以访问帐户B s3存储桶，然后读取/处理文件.非常hacky，但可以正常工作

As of now there is no direct way to give access to the s3 files written in Account A. One way we are solving this problem is writing the s3 file in Account B bucket and have a policy that gives access to Account A access to Account B s3 bucket and then read/process the files. Very hacky but works

这篇关于如何确保Athena结果S3对象具有bucket-owner-full-control的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！