Reputation: 1309
what permission do I need to copy object between two buckets in two different accounts?
I am using javascript SDK and a lambda function to copy a file from a source account to the current account where my lambda lives. I'm assuming a role for cross account access to the source account S3 bucket before I call copyObject api. But I'm getting Access Denied! Here is my cross account role:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::sourceBucket/*"
]
}
]
}
and here is my lambda permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::destinationbucket/*",
"Effect": "Allow"
},
{
"Action": [
"sts:*"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
I think when I assume the cross account role I give up the lambda permissions and then I cannot copy file to the destination. Any help is much appreciated.
Upvotes: 1
Views: 2802
Answers (1)
Reputation: 270224
You appear to have:
- A source bucket (
Bucket-A) inAccount-A - A destination bucket (
Bucket-B) inAccount-B - An AWS Lambda function in
Account-B - An IAM Role (
Role-A) inAccount-Athat the Lambda function can assume
Your requirement is to have the Lambda function copy objects from Bucket-A to Bucket-B.
When using the CopyObject command, the credentials must have:
- Read permissions on
Bucket-A - Write permissions on
Bucket-B
However, while Role-A does have read permissions on Bucket-A, it does not have permission to write to Bucket-B.
Therefore, you have two choices:
- Option 1: Add a Bucket Policy to
Bucket-Bthat grants write permissions toRole-A, or - Option 2: Instead of using
Role-A, the administrator ofBucket-AinAccount-Acan grant read permissions forBucket-Ato the IAM Role being used by the Lambda function by creating a Bucket Policy onBucket-A. That is, the Lambda function does not assumeRole-A. It just uses its own role to read directly fromBucket-A.
Option 2 is better, because it is involves less moving parts. That is, there is no need to assume a role. I suggest you try this method before using the AssumeRole method.
If you do wish to continue with using Role-A, then please note that the CopyObject() command will need to set the ACL to bucket-owner-full-control. If this is not done, the Account-B will not have permission to access/delete the copied objects. (If you use the second method, then the objects will be copied using Account-B credentials, so it is not required.)
Bottom line: For your describe scenario involving Role-A, add a Bucket Policy to Bucket-B that grants write permissions to Role-A.
Upvotes: 1
Related Questions
- "AllAccessDisabled: All access to this object has been disabled" error being thrown when copying between S3 Buckets
- AWS S3 - Copy files owned by one account in a bucket owner by another account
- Lambda that copy object from one bucket to another in different accounts using AWS SDK copyobject method in javascript
- Aws copy data from one S3 bucket to another on same account using lambda python
- AWS S3 permission error when copy objects between buckets
- Copy files from s3 bucket to another AWS account
- How to write lambda function to copy two different s3buckets objects to cross accounts?
- Copy files from an S3 bucket in one AWS account to another AWS account
- How can we copy s3 files between buckets of different account/credentials using s3 cp and different profiles?
- How to use AWS Lambda to backup an S3 object to a bucket on another account?