D Mac

Reputation: 3809

In AWS S3 how do I grant a permission to an account if the file exists already

I have already uploaded about 500 files to an S3 bucket. Now I want to add an account to the permissions for each object (adding a bucket permission doesn't give that account read access to the files themselves).

How do I do it? I don't want to re-upload 500 large video files twice just to get the granted permissions correct.

I tried aws s3 mv s3://mybucket/mybigvideo.mp4 s3://mybucket/ --grants read=id=abcde... but I can't move a file to itself.

Upvotes: 1

Views: 766

Answers (3)

John Rotenstein

Reputation: 269826

You can actually copy the file to itself. This is allowed as long as some attribute is changing, such as the Access Control List (ACL).

aws s3 cp s3://bucket/foo.mp4 s3://bucket/foo.mp4 --grants read=id=abcd...

Upvotes: 1

Kannaiyan

Reputation: 13035

You can use AssumeRole:

https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/

To control access to buckets from a different account:

{
  "type": "AssumedRole",
  "principalId": "AROAJI4AVVEXAMPLE:ROLE-SESSION-NAME",
  "arn": "arn:aws:sts::ACCOUNTNUMBER:assumed-role/ROLE-NAME/ROLE-SESSION-NAME",
  "accountId": "ACCOUNTNUMBER",
  "accessKeyId": "ASIAEXAMPLEKEY",
  "sessionContext": {
    "attributes": {
      "mfaAuthenticated": "false",
      "creationDate": "XXXX-XX-XXTXX:XX:XXZ"
    },
    "sessionIssuer": {
      "type": "Role",
      "principalId": "AROAJI4AVV3EXAMPLEID",
      "arn": "arn:aws:iam::ACCOUNTNUMBER:role/ROLE-NAME",
      "accountId": "ACCOUNTNUMBER",
      "userName": "ROLE-SESSION-NAME"
    }
  }
}

Hope it helps.

Upvotes: 0

D Mac

Reputation: 3809

Dang, this isn't elegant but it works: create a dummy s3 bucket, move each file into that bucket and when you move it back, include the --grants flag.

So I listed all 500 files into a file and edited the file to look like this:

aws s3 mv s3://myrealbucket/bigvideo-001.mp4 s3://tempbucket/; aws s3 mv s3://tempbucket/bigvideo-001.mp4 s3://myrealbucket/  --grants read=id=abcd...
aws s3 mv s3://myrealbucket/bigvideo-002.mp4 s3://tempbucket/; aws s3 mv s3://tempbucket/bigvideo-002.mp4 s3://myrealbucket/  --grants read=id=abcd...

That'll take an hour or two to complete, but it'll work.

Anybody got a nicer way to do it?

Upvotes: 0
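An added example, not code from any post in this thread: rather than copying each object to itself or bouncing it through a temporary bucket, `aws s3api put-object-acl` rewrites only the object's ACL and never re-transfers the object bytes, so the 500-file batch becomes a loop over the key list. It assumes the AWS CLI is installed with credentials configured, that the grantee is identified by its canonical user ID (the `abcd...` value in the thread), and that keys contain no newlines or single quotes; the bucket and ID values below are placeholders.

```shell
#!/bin/sh
# Added example: grant an account read access to existing S3 objects in place.
# Assumes the AWS CLI is installed and configured; bucket names and the
# grantee canonical ID are placeholders supplied by the caller.

# Emit one put-object-acl command per key read from stdin.
# $1 = bucket, $2 = grantee canonical user ID.
build_acl_commands() {
    bucket=$1
    grantee=$2
    while IFS= read -r key; do
        [ -n "$key" ] || continue
        printf "aws s3api put-object-acl --bucket '%s' --key '%s' --grant-read 'id=%s'\n" \
            "$bucket" "$key" "$grantee"
    done
}

# Apply the grant to every object under an optional prefix.
# With DRY_RUN=1 the commands are only printed, so the batch can be reviewed
# before any ACL is changed; otherwise they are executed one by one.
grant_read_in_place() {
    bucket=$1
    grantee=$2
    prefix=${3:-}
    aws s3api list-objects-v2 --bucket "$bucket" --prefix "$prefix" \
        --query 'Contents[].Key' --output text | tr '\t' '\n' |
        build_acl_commands "$bucket" "$grantee" |
        if [ "${DRY_RUN:-0}" = 1 ]; then cat; else sh; fi
}

# Usage (placeholders): DRY_RUN=1 grant_read_in_place myrealbucket abcd1234 videos/
```

On buckets whose Object Ownership setting is BucketOwnerEnforced, ACLs are disabled and this call is rejected; cross-account read access must then be granted through a bucket policy instead.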
