Amazon S3文件权限,从另一个帐户复制时访问被拒绝 [英] Amazon S3 File Permissions, Access Denied when copied from another account
问题描述
我有一组视频文件,这些视频文件是从一个AWS Bucket从另一个帐户复制到我自己的存储桶中的帐户的.
I have a set of video files that were copied from one AWS Bucket from another account to my account in my own bucket.
当我尝试公开所有文件时,我遇到了所有文件,我收到拒绝访问"错误.
I'm running into a problem now with all of the files where i am receiving Access Denied errors when I try to make all of the files public.
具体地说,我登录到我的AWS账户,进入S3,向下钻取文件夹结构以找到其中一个视频文件.
Specifically, I login to my AWS account, go into S3, drill down through the folder structures to locate one of the videos files.
当我查看此特定文件时,文件上的权限"选项卡未显示分配给任何人的任何权限.没有分配用户,组或系统权限.
When I look at this specificfile, the permissions tab on the files does not show any permissions assigned to anyone. No users, groups, or system permissions have been assigned.
在权限"选项卡的底部,我看到一个小框,上面写着错误:访问被拒绝".我无法更改该文件的任何内容.我无法添加元数据.我无法将用户添加到文件中.我无法将文件设为公开.
At the bottom of the Permissions tab, I see a small box that says "Error: Access Denied". I can't change anything about the file. I can't add meta-data. I can't add a user to the file. I cannot make the file Public.
我是否可以控制这些文件,以便将其公开?有超过15,000个文件/大约60GB的文件.我想避免下载和重新上传所有文件.
Is there a way i can gain control of these files so that I can make them public? There are over 15,000 files / around 60GBs of files. I'd like to avoid downloading and reuploading all of the files.
在这里的人们的帮助和建议下,我尝试了以下方法.我在存储桶中创建了一个名为"media"的新文件夹.
With some assistance and suggestions from the folks here I have tried the following. I made a new folder in my bucket called "media".
我尝试了以下命令:
aws s3 cp s3://mybucket/2014/09/17/thumb.jpg s3://mybucket/media --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers full=emailaddress=my_aws_account_email_address
调用HeadObject操作时,我收到致命错误403:禁止.
I receive a fatal error 403 when calling the HeadObject operation: Forbidden.
推荐答案
一个非常有趣的难题!幸运的是,有一个解决方案.
A very interesting conundrum! Fortunately, there is a solution.
首先,回顾一下:
- 帐户A中的桶A
- 帐户B中的桶B
- 帐户A中的用户将对象复制到存储桶B(已获得相应的权限)
- 存储桶B中的对象仍属于帐户A,并且帐户B无法访问
- Bucket A in Account A
- Bucket B in Account B
- User in Account A copies objects to Bucket B (having been granted appropriate permissions to do so)
- Objects in Bucket B still belong to Account A and cannot be accessed by Account B
我设法重现了这一点,并且可以确认帐户B中的用户无法访问该文件-甚至帐户B中的root用户也无法访问该文件!
I managed to reproduce this and can confirm that users in Account B cannot access the file -- not even the root user in Account B!
幸运的是,事情可以解决. AWS命令行界面(CLI)中的aws s3 cp
命令可以在以下情况下更新文件权限:复制到相同的名称.但是,要触发此操作,还必须更新其他内容,否则会出现此错误:
Fortunately, things can be fixed. The aws s3 cp
command in the AWS Command-Line Interface (CLI) can update permissions on a file when copied to the same name. However, to trigger this, you also have to update something else otherwise you get this error:
此复制请求是非法的,因为它试图在不更改对象的元数据,存储类,网站重定向位置或加密属性的情况下将对象复制到自身.
This copy request is illegal because it is trying to copy an object to itself without changing the object's metadata, storage class, website redirect location or encryption attributes.
因此,可以使用以下命令更新权限:
Therefore, the permissions can be updated with this command:
aws s3 cp s3://my-bucket/ s3://my-bucket/ --recursive --acl bucket-owner-full-control --metadata "One=Two"
- 必须由具有访问对象权限的帐户A用户(例如,最初将对象复制到存储桶B的用户)
- 元数据内容并不重要,但需要强制进行更新
-
--acl bucket-owner-full-control
将授予帐户B的权限,这样您就可以照常使用这些对象 - Must be run by an Account A user that has access permissions to the objects (eg the user who originally copied the objects to Bucket B)
- The metadata content is unimportant, but needed to force the update
--acl bucket-owner-full-control
will grant permission to Account B so you'll be able to use the objects as normal
最终结果:您可以使用的存储桶!
End result: A bucket you can use!
这篇关于Amazon S3文件权限,从另一个帐户复制时访问被拒绝的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!