Nisman

Reputation: 1309

what permission do I need to copy object between two buckets in two different accounts?

I am using javascript SDK and a lambda function to copy a file from a source account to the current account where my lambda lives. I'm assuming a role for cross account access to the source account S3 bucket before I call copyObject api. But I'm getting Access Denied! Here is my cross account role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::sourceBucket/*"
            ]
        }
    ]
}

and here is my lambda permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::destinationbucket/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "sts:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

I think when I assume the cross account role I give up the lambda permissions and then I cannot copy file to the destination. Any help is much appreciated.

Upvotes: 1

Views: 2802

Answers (1)

John Rotenstein

Reputation: 270224

You appear to have:

  • A source bucket (Bucket-A) in Account-A
  • A destination bucket (Bucket-B) in Account-B
  • An AWS Lambda function in Account-B
  • An IAM Role (Role-A) in Account-A that the Lambda function can assume

Your requirement is to have the Lambda function copy objects from Bucket-A to Bucket-B.

When using the CopyObject command, the credentials must have:

  • Read permissions on Bucket-A
  • Write permissions on Bucket-B

However, while Role-A does have read permissions on Bucket-A, it does not have permission to write to Bucket-B.

Therefore, you have two choices:

  • Option 1: Add a Bucket Policy to Bucket-B that grants write permissions to Role-A, or
  • Option 2: Instead of using Role-A, the administrator of Bucket-A in Account-A can grant read permissions for Bucket-A to the IAM Role being used by the Lambda function by creating a Bucket Policy on Bucket-A. That is, the Lambda function does not assume Role-A. It just uses its own role to read directly from Bucket-A.

Option 2 is better, because it involves fewer moving parts. That is, there is no need to assume a role. I suggest you try this method before using the AssumeRole method.

If you do wish to continue with using Role-A, then please note that the CopyObject() command will need to set the ACL to bucket-owner-full-control. If this is not done, Account-B will not have permission to access/delete the copied objects. (If you use the second method, then the objects will be copied using Account-B credentials, so it is not required.)

Bottom line: For your described scenario involving Role-A, add a Bucket Policy to Bucket-B that grants write permissions to Role-A.

Upvotes: 1
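The following is an added example, not code from the question or the answer: a small model of how IAM decides the S3 requests discussed above, so the Access Denied in the question and both options in the answer can be reproduced offline. It encodes the documented AWS rule that an explicit Deny always wins, that within one account an Allow in either the identity policy or the bucket policy suffices, and that across accounts both the caller's identity policy and the bucket policy must Allow (which is why, for Option 1, Role-A's own policy also needs s3:PutObject on Bucket-B). Account IDs, role names, bucket names and the object key are constructed; SCPs, permission boundaries and session policies are left out of the model.

```javascript
// Added example: a minimal model of IAM policy evaluation for this cross-account S3 copy.
// Rule: an explicit Deny wins; within one account an Allow in either the identity policy or the
// bucket policy suffices; across accounts BOTH must Allow. All IDs and names below are constructed.
const ACCOUNT_A = "111111111111", ACCOUNT_B = "222222222222";           // constructed account IDs
const ROLE_A = `arn:aws:iam::${ACCOUNT_A}:role/Role-A`;                // role assumed by the Lambda
const LAMBDA_ROLE = `arn:aws:iam::${ACCOUNT_B}:role/lambda-copy-role`; // the Lambda's own role
const BUCKET_A = "arn:aws:s3:::bucket-a", BUCKET_B = "arn:aws:s3:::bucket-b";
const list = x => (Array.isArray(x) ? x : [x]);
// IAM-style wildcard match for Action and Resource strings ("s3:*", "arn:aws:s3:::bucket-a/*").
const matches = (pattern, value) =>
  new RegExp("^" + pattern.split("*").map(s => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&")).join(".*") + "$").test(value);

function statementApplies(st, action, resource, principalArn) {
  if (st.Principal !== undefined) { // only resource (bucket) policies name a Principal
    const principals = st.Principal === "*" ? ["*"] : list(st.Principal.AWS);
    if (!principals.some(p => p === "*" || p === principalArn)) return false;
  }
  return list(st.Action).some(a => matches(a, action)) && list(st.Resource).some(r => matches(r, resource));
}
// Verdict of one policy document: "Allow", "Deny" (explicit) or "None" (no matching statement).
function evaluate(policy, action, resource, principalArn) {
  const hits = (policy ? policy.Statement : []).filter(s => statementApplies(s, action, resource, principalArn));
  if (hits.some(s => s.Effect === "Deny")) return "Deny";
  return hits.some(s => s.Effect === "Allow") ? "Allow" : "None";
}
function isAllowed({ principalArn, identityPolicy, bucketOwner, bucketPolicy, action, resource }) {
  const id = evaluate(identityPolicy, action, resource, principalArn);
  const bp = evaluate(bucketPolicy, action, resource, principalArn);
  if (id === "Deny" || bp === "Deny") return false;
  const sameAccount = principalArn.split(":")[4] === bucketOwner; // account ID is the 5th ARN field
  return sameAccount ? id === "Allow" || bp === "Allow" : id === "Allow" && bp === "Allow";
}

const doc = (...Statement) => ({ Version: "2012-10-17", Statement });
const roleA = doc({ Effect: "Allow", Action: "s3:GetObject", Resource: `${BUCKET_A}/*` }); // Role-A as posted
const roleAOpt1 = doc(...roleA.Statement, { Effect: "Allow", Action: "s3:PutObject", Resource: `${BUCKET_B}/*` });
const bucketBPolicy = doc({ Effect: "Allow", Principal: { AWS: ROLE_A }, Action: "s3:PutObject", Resource: `${BUCKET_B}/*` });
const lambdaRole = doc({ Effect: "Allow", Action: ["s3:GetObject", "s3:PutObject"], Resource: [`${BUCKET_A}/*`, `${BUCKET_B}/*`] });
const bucketAPolicy = doc({ Effect: "Allow", Principal: { AWS: LAMBDA_ROLE }, Action: "s3:GetObject", Resource: `${BUCKET_A}/*` });

// The question's setup and the answer's two options, for one object copied as report.csv.
function scenarios() {
  const putB = { action: "s3:PutObject", resource: `${BUCKET_B}/report.csv`, bucketOwner: ACCOUNT_B };
  const getA = { action: "s3:GetObject", resource: `${BUCKET_A}/report.csv`, bucketOwner: ACCOUNT_A };
  return {
    asked: isAllowed({ principalArn: ROLE_A, identityPolicy: roleA, bucketPolicy: null, ...putB }), // false
    option1: isAllowed({ principalArn: ROLE_A, identityPolicy: roleAOpt1, bucketPolicy: bucketBPolicy, ...putB }), // true
    option1BucketPolicyOnly: isAllowed({ principalArn: ROLE_A, identityPolicy: roleA, bucketPolicy: bucketBPolicy, ...putB }), // false
    option2Read: isAllowed({ principalArn: LAMBDA_ROLE, identityPolicy: lambdaRole, bucketPolicy: bucketAPolicy, ...getA }), // true
    option2Write: isAllowed({ principalArn: LAMBDA_ROLE, identityPolicy: lambdaRole, bucketPolicy: null, ...putB }), // true, same account
  };
}
```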
