无法使两个帐户之间的Amazon S3跨区域复制正常工作 [英] Can't get Amazon S3 Cross Region Replication between two accounts to work

问题描述

我希望有人可以帮助我进行Amazon S3跨区域复制查询.我有两个Amazon AWS帐户，每个帐户在不同区域中都有一个存储桶.我想将数据从一个存储桶复制到另一个存储桶，据我了解，这应该是一个简单的创建过程.但是，我真的很挣扎，我不知道自己在做什么错.我已经在线上遵循了很多说明，包括遍历各种AWS教程，看到了很多示例，但是我无法复制数据.

I'm hoping someone can help me with an Amazon S3 Cross Region Replication query. I have two Amazon AWS accounts, each with a bucket in a different region. I want to replicate the data from one bucket to another and from what I understand this should be a simple process to create. However, I'm really struggling and I don't know what I'm doing wrong. I've followed a lot of instructions online including going through various AWS tutorials, seeing lots of examples, but I can't get the data to replicate.

我在两个存储桶上都启用了版本控制，并且没有数据被加密.但是，我在源存储区中确实有一个策略，该策略允许通过引用条件访问源数据，以便只能通过特定域访问数据(在这种情况下为映像).一切正常，我怀疑这可能是限制从目标存储桶进行访问的原因.

I have enabled versioning on both buckets and none of the data is encrypted. However I do have a policy in my source bucket that permits access to the source data through a referral condition so that the data (images in this case) can only be accessed through specific domains. This all works fine and I have a suspicion that this is what is perhaps restricting access from the destination bucket.

我已经按照在线说明设置了复制规则和IAM策略.

I have followed online instructions to set up the replication rules and IAM policies.

所以，我的源存储桶策略是:-

So, my source bucket policy is:-

{
"Version": "2012-10-17",
"Id": "http referrer policy",
"Statement": [
    {
        "Sid": "Allow get requests originated from list",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::SOURCEBUCKET/*",
        "Condition": {
            "StringLike": {
                "aws:Referer": [
                    "http://www.domain1.com/*",
                    "https://www.domain2.com/*",
                    "http://domain3.com/*"
                ]
            }
        }
    }
]

}

并且我的目标存储区策略是:-

and my destination bucket policy is:-

{
"Version": "2008-10-17",
"Id": "S3-Console-Replication-Policy",
"Statement": [
    {
        "Sid": "S3ReplicationPolicyStmt1",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::MYSOURCEACCIDNUMBER:root"
        },
        "Action": [
            "s3:List*",
            "s3:GetBucketVersioning",
            "s3:PutBucketVersioning",
            "s3:ReplicateObject",
            "s3:ReplicateDelete"
        ],
        "Resource": [
            "arn:aws:s3:::DESTINATIONBUCKET",
            "arn:aws:s3:::DESTINATIONBUCKET/*"
        ]
    }
]

}

有人可以建议我(如果需要)如何添加到源桶策略中，以允许从目标桶中进行访问吗?我对此很有信心.

Can anyone advise me on how I can (if I need to) add to the source bucket policy that will enable access from the destination bucket? I'm pretty confident the issue is here.

谢谢.

推荐答案

要测试这种情况，我做了以下事情:

To test this situation, I did the following:

• 在Account-A中使用版本控制创建了Bucket-A
• 在Account-B中使用版本控制创建了Bucket-B
• 在Bucket-A上配置的跨区域复制，选择创建新角色"(见下文)
• 将用户界面中提供的目标存储区策略(与您的匹配，如上)添加到Bucket-B

• Created Bucket-A in Account-A with versioning
• Created Bucket-B in Account-B with versioning
• Configured Cross-Region Replication on Bucket-A, selecting "Create new role" (see below)
• Added the destination bucket policy provided in the UI (matching yours, above) to Bucket-B

该流程创建了一个名为s3crr_role_for_bucket-a_to_bucket-b的角色，该角色包含:

The process created a role called s3crr_role_for_bucket-a_to_bucket-b that contains:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:Get*",
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::bucket-a",
                "arn:aws:s3:::bucket-a/*"
            ]
        },
        {
            "Action": [
                "s3:ReplicateObject",
                "s3:ReplicateDelete",
                "s3:ReplicateTags",
                "s3:GetObjectVersionTagging"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::bucket-b/*"
        }
    ]
}

然后我将文件上传到Bucket-A，并成功复制到Bucket-B.

I then uploaded a file to Bucket-A and it successfully replicated to Bucket-B.

因此，该过程似乎正常进行.如果您遇到困难，请考虑以下几点:

So, the process seems to work fine. If you are having difficulties, some thoughts are:

• 确保没有任何策略可能对存储桶应用DENY
• 检查分配给CRR的 IAM角色，并确保它正在授予权限，如上所示
• 检查对跨区域复制进行故障排除-Amazon Simple Storage Service
• 另请参见跨区域复制状态信息-Amazon Simple存储服务

• Make sure there are no policies that might be applying a DENY against the bucket
• Check the IAM Role that was assigned to CRR and ensure it is granting permissions as shown above
• Check Troubleshooting Cross-Region Replication - Amazon Simple Storage Service
• See also Cross-Region Replication Status Information - Amazon Simple Storage Service

这篇关于无法使两个帐户之间的Amazon S3跨区域复制正常工作的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！