Amazon S3文件权限，从另一个帐户复制时访问被拒绝 [英] Amazon S3 File Permissions, Access Denied when copied from another account

问题描述

我有一组视频文件，这些视频文件是从一个AWS Bucket从另一个帐户复制到我自己的存储桶中的帐户的.

I have a set of video files that were copied from one AWS Bucket from another account to my account in my own bucket.

当我尝试公开所有文件时，我遇到了所有文件，我收到拒绝访问"错误.

I'm running into a problem now with all of the files where i am receiving Access Denied errors when I try to make all of the files public.

具体地说，我登录到我的AWS账户，进入S3，向下钻取文件夹结构以找到其中一个视频文件.

Specifically, I login to my AWS account, go into S3, drill down through the folder structures to locate one of the videos files.

当我查看此特定文件时，文件上的权限"选项卡未显示分配给任何人的任何权限.没有分配用户，组或系统权限.

When I look at this specificfile, the permissions tab on the files does not show any permissions assigned to anyone. No users, groups, or system permissions have been assigned.

在权限"选项卡的底部，我看到一个小框，上面写着错误:访问被拒绝".我无法更改该文件的任何内容.我无法添加元数据.我无法将用户添加到文件中.我无法将文件设为公开.

At the bottom of the Permissions tab, I see a small box that says "Error: Access Denied". I can't change anything about the file. I can't add meta-data. I can't add a user to the file. I cannot make the file Public.

我是否可以控制这些文件，以便将其公开?有超过15,000个文件/大约60GB的文件.我想避免下载和重新上传所有文件.

Is there a way i can gain control of these files so that I can make them public? There are over 15,000 files / around 60GBs of files. I'd like to avoid downloading and reuploading all of the files.

在这里的人们的帮助和建议下，我尝试了以下方法.我在存储桶中创建了一个名为"media"的新文件夹.

With some assistance and suggestions from the folks here I have tried the following. I made a new folder in my bucket called "media".

我尝试了以下命令:

aws s3 cp s3://mybucket/2014/09/17/thumb.jpg s3://mybucket/media --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers full=emailaddress=my_aws_account_email_address

调用HeadObject操作时，我收到致命错误403:禁止.

I receive a fatal error 403 when calling the HeadObject operation: Forbidden.

推荐答案

一个非常有趣的难题！幸运的是，有一个解决方案.

A very interesting conundrum! Fortunately, there is a solution.

首先，回顾一下:

• 帐户A中的桶A
• 帐户B中的桶B
• 帐户A中的用户将对象复制到存储桶B(已获得相应的权限)
• 存储桶B中的对象仍属于帐户A，并且帐户B无法访问

• Bucket A in Account A
• Bucket B in Account B
• User in Account A copies objects to Bucket B (having been granted appropriate permissions to do so)
• Objects in Bucket B still belong to Account A and cannot be accessed by Account B

我设法重现了这一点，并且可以确认帐户B中的用户无法访问该文件-甚至帐户B中的root用户也无法访问该文件！

I managed to reproduce this and can confirm that users in Account B cannot access the file -- not even the root user in Account B!

幸运的是，事情可以解决. AWS命令行界面(CLI)中的aws s3 cp命令可以在以下情况下更新文件权限:复制到相同的名称.但是，要触发此操作，还必须更新其他内容，否则会出现此错误:

Fortunately, things can be fixed. The aws s3 cp command in the AWS Command-Line Interface (CLI) can update permissions on a file when copied to the same name. However, to trigger this, you also have to update something else otherwise you get this error:

此复制请求是非法的，因为它试图在不更改对象的元数据，存储类，网站重定向位置或加密属性的情况下将对象复制到自身.

This copy request is illegal because it is trying to copy an object to itself without changing the object's metadata, storage class, website redirect location or encryption attributes.

因此，可以使用以下命令更新权限:

Therefore, the permissions can be updated with this command:

aws s3 cp s3://my-bucket/ s3://my-bucket/ --recursive --acl bucket-owner-full-control --metadata "One=Two"

• 必须由具有访问对象权限的帐户A用户(例如，最初将对象复制到存储桶B的用户)
• 元数据内容并不重要，但需要强制进行更新
• --acl bucket-owner-full-control将授予帐户B的权限，这样您就可以照常使用这些对象
• Must be run by an Account A user that has access permissions to the objects (eg the user who originally copied the objects to Bucket B)
• The metadata content is unimportant, but needed to force the update
• --acl bucket-owner-full-control will grant permission to Account B so you'll be able to use the objects as normal

最终结果:您可以使用的存储桶！

End result: A bucket you can use!

这篇关于Amazon S3文件权限，从另一个帐户复制时访问被拒绝的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！