Amazon S3 文件权限,从另一个账户复制时拒绝访问 [英] Amazon S3 File Permissions, Access Denied when copied from another account
问题描述
我有一组视频文件,这些文件是从一个 AWS 存储桶从另一个账户复制到我自己存储桶中的账户的.
I have a set of video files that were copied from one AWS Bucket from another account to my account in my own bucket.
我现在遇到了所有文件的问题,当我尝试将所有文件设为公开时,我收到拒绝访问"错误.
I'm running into a problem now with all of the files where i am receiving Access Denied errors when I try to make all of the files public.
具体来说,我登录我的 AWS 账户,进入 S3,深入文件夹结构以找到其中一个视频文件.
Specifically, I login to my AWS account, go into S3, drill down through the folder structures to locate one of the videos files.
当我查看这个特定文件时,文件上的权限选项卡没有显示分配给任何人的任何权限.尚未分配用户、组或系统权限.
When I look at this specificfile, the permissions tab on the files does not show any permissions assigned to anyone. No users, groups, or system permissions have been assigned.
在权限"选项卡的底部,我看到一个小框,上面写着错误:拒绝访问".我无法更改该文件的任何内容.我无法添加元数据.我无法将用户添加到文件中.我无法将文件设为公开.
At the bottom of the Permissions tab, I see a small box that says "Error: Access Denied". I can't change anything about the file. I can't add meta-data. I can't add a user to the file. I cannot make the file Public.
有什么方法可以让我控制这些文件,以便我可以将它们公开?有超过 15,000 个文件/大约 60GB 的文件.我想避免下载和重新上传所有文件.
Is there a way i can gain control of these files so that I can make them public? There are over 15,000 files / around 60GBs of files. I'd like to avoid downloading and reuploading all of the files.
在这些人的帮助和建议下,我尝试了以下方法.我在我的存储桶中创建了一个名为media"的新文件夹.
With some assistance and suggestions from the folks here I have tried the following. I made a new folder in my bucket called "media".
我试过这个命令:
aws s3 cp s3://mybucket/2014/09/17/thumb.jpg s3://mybucket/media --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers full=emailaddress=my_aws_account_email_address
我在调用 HeadObject 操作时收到致命错误 403:禁止.
I receive a fatal error 403 when calling the HeadObject operation: Forbidden.
推荐答案
一个非常有趣的难题!幸运的是,有一个解决方案.
A very interesting conundrum! Fortunately, there is a solution.
首先回顾一下:
- 帐户 A 中的存储桶 A
- 帐户 B 中的存储桶 B
- 账户 A 中的用户将对象复制到存储桶 B(已被授予执行此操作的适当权限)
- Bucket B 中的对象仍然属于账户 A,不能被账户 B 访问
我设法重现了这一点,并且可以确认帐户 B 中的用户无法访问该文件——甚至帐户 B 中的 root 用户都无法访问!
I managed to reproduce this and can confirm that users in Account B cannot access the file -- not even the root user in Account B!
幸运的是,事情可以解决.AWS 命令行界面 (CLI) 中的 aws s3 cp 命令可以在复制到相同名称时更新文件的权限.但是,要触发此操作,您还必须更新其他内容,否则会出现此错误:
Fortunately, things can be fixed. The aws s3 cp command in the AWS Command-Line Interface (CLI) can update permissions on a file when copied to the same name. However, to trigger this, you also have to update something else otherwise you get this error:
此复制请求是非法的,因为它试图将对象复制到自身而不更改对象的元数据、存储类别、网站重定向位置或加密属性.
This copy request is illegal because it is trying to copy an object to itself without changing the object's metadata, storage class, website redirect location or encryption attributes.
因此,可以使用此命令更新权限:
Therefore, the permissions can be updated with this command:
aws s3 cp s3://my-bucket/ s3://my-bucket/ --recursive --acl bucket-owner-full-control --metadata "One=Two"
- 必须由对对象具有访问权限的帐户 A 用户运行(例如,最初将对象复制到存储桶 B 的用户)
- 元数据内容不重要,但需要强制更新
--acl bucket-owner-full-control将向账户 B 授予权限,以便您可以正常使用这些对象- Must be run by an Account A user that has access permissions to the objects (eg the user who originally copied the objects to Bucket B)
- The metadata content is unimportant, but needed to force the update
--acl bucket-owner-full-controlwill grant permission to Account B so you'll be able to use the objects as normal
最终结果:您可以使用的存储桶!
这篇关于Amazon S3 文件权限,从另一个账户复制时拒绝访问的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
