Max Allan

Reputation: 959

AWS S3 upload to a bucket in a different account and give ownership to that account?

I have given source (and destination) account s3:* permissions to the bucket and bucket/*

I can upload a file to the destination account's bucket. But it arrives with no permissions, the destination account owner cannot read it.

Also, the source account cannot delete it. (the destination account can delete it, but not read it)

[root@ip-10-66-2-209 ~]# aws s3 cp nohup.out s3://ji-rhel
upload: ./nohup.out to s3://ji-rhel/nohup.out                
[root@ip-10-66-2-209 ~]# aws s3 rm s3://ji-rhel/nohup.out
delete failed: s3://ji-rhel/nohup.out An error occurred (AccessDenied) when calling the DeleteObject operation: Access Denied

So I tried to add various acl statements:

[root@ip-10-66-2-209 ~]# aws s3 cp nohup.out s3://ji-rhel --acl public-read-write
upload failed: ./nohup.out to s3://ji-rhel/nohup.out An error occurred (AccessDenied) when calling the CreateMultipartUpload operation: Access Denied

Same multipart error with "--acl bucket-owner-full-control". If I upload a smaller file then I get the same error on PutObject.

I gave an extra "s3:ObjectOwnerOverrideToBucketOwner" permission on bucket/* to the source account.

I tried uploading the file and then changing permissions from the console in the destination account.

Access denied  (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: C703B5....

Anyone have any ideas on how to do cross-account uploads so that the files are readable by someone/anyone?

Upvotes: 0

Views: 2519

Answers (2)

John Rotenstein

Reputation: 269490

When copying objects to a bucket owned by a different account, use: --acl bucket-owner-full-control

This will ensure that the receiving bucket 'owns' the objects.

Upvotes: 2
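The answer above relies on the uploader remembering to pass --acl bucket-owner-full-control on every copy. A destination-account bucket policy can make that mandatory, so an upload without the ACL is rejected instead of landing as an unreadable object. The policy below is an added example, not part of the original question or answer: it uses the bucket name from the question (ji-rhel), a placeholder source account ID (111122223333), and two statements, one allowing the source account to put objects and one denying any PutObject whose s3:x-amz-acl header is not bucket-owner-full-control (the StringNotEquals condition also matches when the header is absent, which is the case for the plain aws s3 cp shown in the question).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSourceAccountUploads",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": ["s3:PutObject", "s3:PutObjectAcl"],
      "Resource": "arn:aws:s3:::ji-rhel/*"
    },
    {
      "Sid": "RequireBucketOwnerFullControl",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::ji-rhel/*",
      "Condition": {
        "StringNotEquals": { "s3:x-amz-acl": "bucket-owner-full-control" }
      }
    }
  ]
}
```

With this policy attached in the destination account, aws s3 cp nohup.out s3://ji-rhel --acl bucket-owner-full-control succeeds and the bucket owner can read and delete the object, while the same command without the --acl flag fails with AccessDenied at PutObject (or CreateMultipartUpload for large files). The uploading principal still needs s3:PutObject allowed in its own identity policy or instance role in the source account; a bucket policy alone is not enough, which is what the asker's follow-up comment points at. If the bucket's Object Ownership setting is BucketOwnerEnforced, ACLs are disabled and every object is owned by the bucket owner automatically, so the Deny statement becomes unnecessary.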

Max Allan

Reputation: 959

Duh. I just figured it was the instance role not allowing full S3 access, NOT the bucket policy.

Upvotes: 0
