Aman Kaushik

Reputation: 83

How can we copy s3 files between buckets of different account/credentials using s3 cp and different profiles?

I created two profiles (one for the source and one for the target bucket) and am using the command below to copy:

aws s3 cp --profile source_profile s3://source_bucket/file.txt --profile target_profile s3://target_profile/

But it throws the error below.

fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden

Looks like we can't use multiple profiles with aws commands.

Upvotes: 6

Views: 3982

Answers (2)

John Rotenstein

Reputation: 269101

The simplest method is to grant permissions via a bucket policy.

Say you have:

  • Account-A with IAM User-A
  • Account-B with Bucket-B

Add a bucket policy on Bucket-B:

{
  "Id": "CopyBuckets",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GrantAccessToUser-A",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::bucket-b",
        "arn:aws:s3:::bucket-b/*"
      ],
      "Principal": {
        "AWS": [
          "arn:aws:iam::<account-a-id>:user/user-a"
        ]
      }
    }
  ]
}

Then just copy the files as User-A.

See also: aws sync between S3 buckets on different AWS accounts

Upvotes: 5
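
The policy in the answer above grants `s3:*`, which is every S3 action on Bucket-B. As an added example (not part of the answer), the Python below flags wildcard grants in a bucket policy and narrows them, assuming the copy only needs `s3:ListBucket` on the bucket and `s3:PutObject` on its objects; the function names and the `List`/`Put` Sid suffixes are illustrative.

```python
import json

# Assumption (not from the answer): the copy only needs to list Bucket-B
# and write objects into it.
BUCKET_ACTIONS = ["s3:ListBucket"]
OBJECT_ACTIONS = ["s3:PutObject"]

# The answer's policy, keeping its placeholder account ID.
POLICY = json.loads("""
{"Id": "CopyBuckets", "Version": "2012-10-17", "Statement": [
  {"Sid": "GrantAccessToUser-A", "Action": "s3:*", "Effect": "Allow",
   "Resource": ["arn:aws:s3:::bucket-b", "arn:aws:s3:::bucket-b/*"],
   "Principal": {"AWS": ["arn:aws:iam::<account-a-id>:user/user-a"]}}]}
""")

def as_list(value):
    """Policy fields may be one string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def is_wildcard_allow(stmt):
    """True for an Allow statement with a wildcard in any action."""
    return stmt.get("Effect") == "Allow" and any(
        "*" in action for action in as_list(stmt.get("Action", [])))

def find_wildcard_grants(policy):
    """Return the Sids of Allow statements whose Action has a wildcard."""
    return [stmt.get("Sid", f"statement-{i}")
            for i, stmt in enumerate(as_list(policy["Statement"]))
            if is_wildcard_allow(stmt)]

def narrow_for_copy(policy):
    """Replace each wildcard Allow with bucket- and object-level grants."""
    narrowed = {**policy, "Statement": []}
    for stmt in as_list(policy["Statement"]):
        if not is_wildcard_allow(stmt):
            narrowed["Statement"].append(stmt)
            continue
        keep = {k: v for k, v in stmt.items() if k not in ("Sid", "Action", "Resource")}
        sid = stmt.get("Sid", "Stmt")
        resources = as_list(stmt.get("Resource", []))
        # Object ARNs contain "/" after the bucket name; bucket ARNs do not.
        buckets = [r for r in resources if "/" not in r]
        objects = [r for r in resources if "/" in r]
        for suffix, actions, arns in (("List", BUCKET_ACTIONS, buckets),
                                      ("Put", OBJECT_ACTIONS, objects)):
            if arns:
                narrowed["Statement"].append(
                    {**keep, "Sid": sid + suffix, "Action": actions, "Resource": arns})
    return narrowed
```

If the copy passes `--acl`, `s3:PutObjectAcl` is needed as well.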

Sergey Kovalev

Reputation: 9401

No, you can't use multiple profiles in one AWS CLI command. Possible solutions:

1) Download the files to local disk, then upload them to the target bucket with a separate command.

2) Allow the first account access to the target bucket. For this, you will have to create a cross-account role in the source account and assign it the appropriate permissions in the target account. That way you will be using one role/one profile, but this role will be granted permissions in the second account. See https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

Upvotes: 0
