AWS S3 Transfer Between Accounts Not Working


Problem description

I am trying to copy data in a bucket in one account, in which I have access to an IAM but not admin, to a bucket in another account, in which I am an admin, and failing. I can't even ls the source bucket.

I've followed the directions from AWS and various sources online to give myself list/read/get permissions on the source bucket, with no success. I can provide the details (e.g., the bucket policy json), but it is what is in the AWS docs and other places. What I've done works between two accounts I have admin access to.

This is "multi-region", in the sense that I'm in the US (mainly us-west-2) but the bucket is in eu-central-1. I am specifying the region in the aws cli, and set up a destination bucket in eu-central-1, but can't even list anyway.

Recommended answer

Your situation appears to be:

  • Account A: Bucket A and User A (with limited access rights)
  • Account B: Bucket B and User B (with admin rights)

You can either push the data from Account A to Bucket B, or you can pull the data from Bucket A using Account B.

Push from Account A to Bucket B

Let's assume User A has access to Bucket A. All that's needed is to give User A permission to write to Bucket B. This can be done with a bucket policy on Bucket B:

{
  "Id": "PolicyB",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GrantAccessToUserA",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::BUCKET-B",
        "arn:aws:s3:::BUCKET-B/*"
      ],
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT-A:user/USER-A"
      }
    }
  ]
}

This grants all s3 permissions to User A on Bucket B. That's excessive, but presumably this is only temporary.

User A would then copy the files from Bucket A to Bucket B. For example:

aws s3 sync s3://BUCKET-A s3://BUCKET-B \
  --acl bucket-owner-full-control \
  --source-region SOURCE-REGION \
  --region DESTINATION-REGION

Important: When copying the files, be sure to use the Access Control List that grants bucket-owner-full-control. This means that the files become owned by the owner of Bucket B. If you don't do this, the files are still owned by User A and can't be deleted by User B, even with admin rights!

Pull from Bucket A using Account B

To do this, User B must be granted access to Bucket A. You will need enough access rights in Account A to add a bucket policy on Bucket A:

{
  "Id": "PolicyA",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GrantAccessToUserB",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::BUCKET-A",
        "arn:aws:s3:::BUCKET-A/*"
      ],
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT-B:user/USER-B"
      }
    }
  ]
}

Then, User B can copy the files across:

aws s3 sync s3://BUCKET-A s3://BUCKET-B \
  --source-region SOURCE-REGION \
  --region DESTINATION-REGION

(You might need to grant some more access rights, I didn't test the above policy.)

The fact that buckets are in different regions does not impact the permissions, but it does impact where you send the command. The command is sent to the destination region, which then pulls from the source region.

See: AWS CLI s3 sync command
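The two bucket policies in the answer above grant far more than the copy needs (s3:* in the push case) and, as posted, use a bare ARN string as Principal, which the IAM policy grammar only permits for "*". The following is an added example, not code from the original post: it builds least-privilege versions of both policies (push into Bucket B with the bucket-owner-full-control ACL enforced by a condition, and read-only pull from Bucket A), builds the matching aws s3 sync command line, and runs a small linter over any bucket policy to catch the mistakes that make a cross-account copy silently fail or over-grant. Bucket names, the 12-digit account IDs and the principal names are placeholders; nothing here calls AWS.

```python
"""Least-privilege cross-account S3 bucket policies for the push and pull
flows, plus a linter for common mistakes.  Added example; account IDs,
bucket and principal names are placeholders and nothing here talks to AWS."""
import json
import re

# IAM user or role ARN: 12-digit account id, then user/... or role/...
_PRINCIPAL_ARN = re.compile(r"^arn:aws:iam::\d{12}:(user|role)/[\w+=,.@/-]+$")


def _check_arn(arn: str) -> str:
    """Reject placeholders such as ACCOUNT-A before they reach a policy."""
    if not _PRINCIPAL_ARN.match(arn):
        raise ValueError(f"not an IAM user/role ARN: {arn!r}")
    return arn


def push_policy(dest_bucket: str, writer_arn: str) -> dict:
    """Bucket policy for Bucket B (destination).  The Account A principal may
    list the bucket and put objects, but only when the upload carries the
    bucket-owner-full-control ACL, so Bucket B's owner can read and delete
    every copied object.  aws s3 sync needs ListBucket, PutObject and, since
    it sets an ACL, PutObjectAcl; nothing else is granted."""
    writer_arn = _check_arn(writer_arn)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListDestination",
                "Effect": "Allow",
                "Principal": {"AWS": writer_arn},  # object, never a bare string
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{dest_bucket}",
            },
            {
                "Sid": "WriteWithBucketOwnerFullControl",
                "Effect": "Allow",
                "Principal": {"AWS": writer_arn},
                "Action": ["s3:PutObject", "s3:PutObjectAcl"],
                "Resource": f"arn:aws:s3:::{dest_bucket}/*",
                "Condition": {
                    "StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}
                },
            },
        ],
    }


def pull_policy(source_bucket: str, reader_arn: str) -> dict:
    """Bucket policy for Bucket A (source): read-only for the Account B
    principal.  Account B writes the copies itself, so ownership is fine."""
    reader_arn = _check_arn(reader_arn)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ReadSource",
            "Effect": "Allow",
            "Principal": {"AWS": reader_arn},
            "Action": ["s3:ListBucket", "s3:GetObject"],
            "Resource": [f"arn:aws:s3:::{source_bucket}",
                         f"arn:aws:s3:::{source_bucket}/*"],
        }],
    }


def lint_bucket_policy(policy: dict) -> list:
    """Findings for an Allow statement with a malformed Principal (the grant
    never takes effect), an anonymous principal, a wildcard action, or a
    PutObject grant that leaves objects owned by the foreign account."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if isinstance(principal, str) and principal != "*":
            findings.append(f'{sid}: Principal must be {{"AWS": "<arn>"}}, not a bare string')
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"{sid}: grants access to any AWS principal (anonymous)")
        if any(a in ("*", "s3:*") for a in actions):
            findings.append(f"{sid}: wildcard action includes delete and bucket-policy changes")
        if "s3:PutObject" in actions:
            acl = stmt.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
            if acl != "bucket-owner-full-control":
                findings.append(f"{sid}: PutObject without requiring "
                                "bucket-owner-full-control; objects stay owned by the writer")
    return findings


def sync_argv(src_bucket, dst_bucket, src_region, dst_region, bucket_owner_acl=True):
    """argv for the copy; the --acl flag is what satisfies push_policy's condition."""
    argv = ["aws", "s3", "sync", f"s3://{src_bucket}", f"s3://{dst_bucket}",
            "--source-region", src_region, "--region", dst_region]
    if bucket_owner_acl:
        argv += ["--acl", "bucket-owner-full-control"]
    return argv


# Constructed copy of the PolicyB statement as posted in the answer, as lint input.
POSTED_POLICY_B = {"Version": "2012-10-17", "Statement": [{
    "Sid": "GrantAccessToUserA", "Action": "s3:*", "Effect": "Allow",
    "Resource": ["arn:aws:s3:::BUCKET-B", "arn:aws:s3:::BUCKET-B/*"],
    "Principal": "arn:aws:iam::ACCOUNT-A:user/USER-A"}]}

if __name__ == "__main__":
    print(json.dumps(push_policy("bucket-b", "arn:aws:iam::111111111111:user/user-a"), indent=2))
    print(" ".join(sync_argv("bucket-a", "bucket-b", "eu-central-1", "eu-central-1")))
    for finding in lint_bucket_policy(POSTED_POLICY_B):
        print("finding:", finding)
```

Two caveats the answer does not spell out. First, a bucket policy alone is never enough cross-account: the principal's own account must also allow the same actions in an identity policy, so the pulling User B needs s3:ListBucket and s3:GetObject on Bucket A in Account B's IAM as well. Second, the ACL condition matters on buckets that still have ACLs enabled; on a bucket whose Object Ownership is set to BucketOwnerEnforced the bucket owner owns every object automatically, and a bucket-owner-full-control ACL on the upload is still accepted, so the policy above works in both cases.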

