Reputation: 1309
I am using the JavaScript SDK and a Lambda function to copy a file from a source account to the current account where my Lambda lives. I'm assuming a role for cross-account access to the source account's S3 bucket before I call the copyObject
API, but I'm getting Access Denied! Here is my cross-account role:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::sourceBucket/*"
            ]
        }
    ]
}
and here are my Lambda permissions:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::destinationbucket/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "sts:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
I think when I assume the cross-account role I give up the Lambda permissions and then I cannot copy the file to the destination. Any help is much appreciated.
Upvotes: 1
Views: 2802
Reputation: 270224
You appear to have:
- Bucket-A in Account-A
- Bucket-B in Account-B
- A Lambda function in Account-B
- Role-A in Account-A that the Lambda function can assume

Your requirement is to have the Lambda function copy objects from Bucket-A to Bucket-B.

When using the CopyObject command, the credentials must have:
- Read permission on Bucket-A
- Write permission on Bucket-B

However, while Role-A does have read permissions on Bucket-A, it does not have permission to write to Bucket-B.

Therefore, you have two choices:
1. Add a Bucket Policy to Bucket-B that grants write permissions to Role-A, or
2. Instead of using Role-A, the administrator of Bucket-A in Account-A can grant read permissions for Bucket-A to the IAM Role being used by the Lambda function by creating a Bucket Policy on Bucket-A. That is, the Lambda function does not assume Role-A. It just uses its own role to read directly from Bucket-A.

Option 2 is better, because it involves fewer moving parts. That is, there is no need to assume a role. I suggest you try this method before using the AssumeRole method.

If you do wish to continue with using Role-A, then please note that the CopyObject() command will need to set the ACL to bucket-owner-full-control. If this is not done, Account-B will not have permission to access/delete the copied objects. (If you use the second method, then the objects will be copied using Account-B credentials, so it is not required.)

Bottom line: For your described scenario involving Role-A, add a Bucket Policy to Bucket-B that grants write permissions to Role-A.
Upvotes: 1
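As an added example (not code from the question or the answer above), here are the two bucket policies the answer describes and the SDK v2 copyObject call with the bucket-owner-full-control ACL, written in JavaScript to match the question. Bucket names, account IDs, role ARNs and statement Sids are placeholders, and the S3 client is injected so the helper can run against a recording fake without AWS access. Two checks worth making with either option: cross-account S3 access requires both sides to allow it, so for Option 1 Role-A's own IAM policy must also allow s3:PutObject on Bucket-B, and for Option 2 the Lambda's own IAM policy (which in the question only covers destinationbucket/*) must also allow s3:GetObject on Bucket-A. The s3:x-amz-acl condition in the Bucket-B policy is an added hardening, not something the answer specifies: it makes S3 reject any write that omits the ACL the answer says the copy must set.

```javascript
// Added example: policy builders and the copy call for the two options in the
// answer. Every name below is a placeholder, not a value from the original post.
const SOURCE_BUCKET = "sourceBucket";      // Bucket-A, lives in Account-A
const DEST_BUCKET = "destinationbucket";   // Bucket-B, lives in Account-B
const ROLE_A_ARN = "arn:aws:iam::111111111111:role/Role-A";             // placeholder
const LAMBDA_ROLE_ARN = "arn:aws:iam::222222222222:role/lambda-copier"; // placeholder

// Option 1: bucket policy attached to Bucket-B. Grants Role-A (from Account-A)
// PutObject, but only when the request carries the bucket-owner-full-control
// ACL, so an object that Account-B cannot read or delete is never created.
function destinationBucketPolicy(bucket, writerRoleArn) {
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "AllowRoleAWriteWithOwnerControl",
        Effect: "Allow",
        Principal: { AWS: writerRoleArn },
        Action: "s3:PutObject",
        Resource: `arn:aws:s3:::${bucket}/*`,
        Condition: {
          StringEquals: { "s3:x-amz-acl": "bucket-owner-full-control" },
        },
      },
    ],
  };
}

// Option 2: bucket policy attached to Bucket-A. Grants the Lambda's own role
// (in Account-B) read access, so the function needs no AssumeRole at all.
// The Lambda role's identity policy must also allow s3:GetObject on this
// bucket; across accounts a bucket policy alone is not enough.
function sourceBucketPolicy(bucket, readerRoleArn) {
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "AllowLambdaRoleRead",
        Effect: "Allow",
        Principal: { AWS: readerRoleArn },
        Action: "s3:GetObject",
        Resource: `arn:aws:s3:::${bucket}/*`,
      },
    ],
  };
}

// CopyObject parameters (SDK v2 shape). CopySource is "bucket/key" with each
// key segment URL-encoded; ACL hands ownership of the copy to Bucket-B's owner,
// which matters when the writer (Role-A) belongs to another account.
function copyObjectParams(srcBucket, key, destBucket, destKey = key) {
  const encodedKey = key.split("/").map(encodeURIComponent).join("/");
  return {
    Bucket: destBucket,
    Key: destKey,
    CopySource: `${srcBucket}/${encodedKey}`,
    ACL: "bucket-owner-full-control",
  };
}

// Performs the copy. `s3` is any client with the SDK v2 method shape
// s3.copyObject(params).promise(); inside the Lambda this would be
//   new AWS.S3({ credentials: assumedRoleCredentials })  for Option 1, or
//   new AWS.S3()                                          for Option 2.
// Injecting the client keeps the logic testable without AWS access.
async function copyWithOwnerControl(s3, srcBucket, key, destBucket) {
  const params = copyObjectParams(srcBucket, key, destBucket);
  await s3.copyObject(params).promise();
  return params;
}

// Fake client for running outside Lambda: records the parameters it is given
// instead of talking to S3. Constructed for this example only.
function recordingS3Client(log) {
  return {
    copyObject(params) {
      log.push(params);
      return { promise: async () => ({ CopyObjectResult: {} }) };
    },
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const log = [];
  copyWithOwnerControl(recordingS3Client(log), SOURCE_BUCKET, "reports/2024 q1.csv", DEST_BUCKET)
    .then(() => console.log(JSON.stringify({
      copied: log,
      bucketBPolicy: destinationBucketPolicy(DEST_BUCKET, ROLE_A_ARN),
      bucketAPolicy: sourceBucketPolicy(SOURCE_BUCKET, LAMBDA_ROLE_ARN),
    }, null, 2)));
}
```

For Option 1 the `credentials` passed to `new AWS.S3(...)` come from the `sts.assumeRole(...)` response (`Credentials.AccessKeyId`, `SecretAccessKey`, `SessionToken`); the Lambda's own role then needs only `sts:AssumeRole` on Role-A's ARN rather than the `sts:*` on `*` shown in the question.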