Car*_*res 15 amazon-s3 bucket amazon-web-services aws-cli terraform
我正在尝试将文件从 A 帐户中的存储桶复制到 B 帐户中的另一个存储桶。当我尝试使用命令同步文件时
aws s3 sync s3://BUCKET_A s3://BUCKET_B
它返回以下输出:
copy failed: s3://BUCKET_A to s3://BUCKET_B An error occurred (AccessDenied) when calling the CopyObject operation: Access Denied
这是附加到在 B 帐户中创建的用户的策略(将从存储桶 A 中复制文件):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::BUCKET_A",
"arn:aws:s3::: BUCKET_A/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::BUCKET_B",
"arn:aws:s3:::BUCKET_B/*"
]
}
]
}
也许我缺少一些许可?CopyObject我在我的用户/存储桶策略中找不到添加权限
小智 13
在 IAM 角色策略方面,您将需要以下内容:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::BUCKET_A",
"arn:aws:s3::: BUCKET_A/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::BUCKET_B",
"arn:aws:s3:::BUCKET_B/*"
]
}
]
}
您需要将这些权限添加到BUCKET_B
{
"Sid": "Example permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::your_iam_policy"
},
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
],
"Resource": [
"arn:aws:s3:::BUCKET_B"
]
}
就我而言,我对某些对象没有任何问题,但是其中一个对象具有问题中所述的相同 CopyObject 错误。我还在跨账户存储桶之间使用同步命令。
因此,我查看了 AWS CloudTrail 中的事件历史记录(因为我设置了 cloudtrail)——这有助于查看正在调用哪些 API 调用。但是,我没有启用 S3 存储桶和对象的事件日志记录,因此我尝试了一些更改,从 put* 开始,效果很好。然后我很快就缩小到我需要的范围。
最终,我可以将此权限添加到我的存储桶策略中:s3:PutObjectTagging。
希望这也能帮助你!
| 归档时间: |
|
| 查看次数: |
79586 次 |
| 最近记录: |