Reputation: 3288
My code copies the object from Account A to Account B:
```python
import boto3
from datetime import datetime, timedelta


def lambda_handler(event, context):
    SOURCE_BUCKET = 'Bucket-A'
    DESTINATION_BUCKET = 'Bucket-B'

    s3_client = boto3.client('s3')

    # Create a reusable Paginator
    paginator = s3_client.get_paginator('list_objects_v2')

    # Create a PageIterator from the Paginator
    page_iterator = paginator.paginate(Bucket=SOURCE_BUCKET)

    # Loop through each object, looking for ones older than a given time period
    for page in page_iterator:
        if "Contents" in page:
            for obj in page['Contents']:  # 'obj' rather than 'object', which shadows the builtin
                if obj['LastModified'] < datetime.now().astimezone() - timedelta(minutes=5):  # <-- Change time period here
                    print(f"Moving {obj['Key']}")

                    # Copy object (the ACL grants the bucket owner full control on the copy)
                    s3_client.copy_object(
                        ACL='bucket-owner-full-control',
                        Bucket=DESTINATION_BUCKET,
                        Key=obj['Key'],
                        CopySource={'Bucket': SOURCE_BUCKET, 'Key': obj['Key']}
                    )

                    # Delete original object
                    s3_client.delete_object(Bucket=SOURCE_BUCKET, Key=obj['Key'])
        else:
            print("No Contents key for page!")
```
The Lambda function's role policy is:
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject*",
                "s3:List*",
                "s3:GetObject*",
                "s3:GetBucketLocation",
                "s3:DeleteObject*"
            ],
            "Resource": [
                "arn:aws:s3:::Bucket-A/*",
                "arn:aws:s3:::bucket-A"
            ]
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "s3:PutObjectAcl",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::bucket-B/*"
        }
    ]
}
```
The ACL of the copied object, as seen from Account A:

```shell
aws s3api get-object-acl --bucket bucket-b --key key1
```

```json
{
    "Owner": {
        "DisplayName": "accountA",
        "ID": "MYIDA"
    },
    "Grants": [
        {
            "Grantee": {
                "DisplayName": "accountA",
                "ID": "MyIDA",
                "Type": "CanonicalUser"
            },
            "Permission": "FULL_CONTROL"
        },
        {
            "Grantee": {
                "DisplayName": "accountb",
                "ID": "MyIDB",
                "Type": "CanonicalUser"
            },
            "Permission": "FULL_CONTROL"
        }
    ]
}
```
How can I change the owner of the object to Account B while copying it from Account A to Account B, so that the ACL shows:

```json
{
    "Owner": {
        "DisplayName": "accountB",
        "ID": "MYIDB"
    },
```
Upvotes: 0
Views: 1552
Reputation: 1624
I'll try to address your question first and then provide a better approach for the use case.
Firstly, as you have correctly identified, what you are looking for are Object ACLs. Boto3 gives you a way to retrieve Object ACLs, and thus the object owners, as well as to update the ACL. Read more about this in the official docs here. To read about Object ACLs, you can refer to the docs here.
For reference, here's a sample request syntax (for the boto3 `ObjectAcl` resource):

```python
response = object_acl.put(
    ACL='private'|'public-read'|'public-read-write'|'authenticated-read'|'aws-exec-read'|'bucket-owner-read'|'bucket-owner-full-control',
    AccessControlPolicy={
        'Grants': [
            {
                'Grantee': {
                    'DisplayName': 'string',
                    'EmailAddress': 'string',
                    'ID': 'string',
                    'Type': 'CanonicalUser'|'AmazonCustomerByEmail'|'Group',
                    'URI': 'string'
                },
                'Permission': 'FULL_CONTROL'|'WRITE'|'WRITE_ACP'|'READ'|'READ_ACP'
            },
        ],
        'Owner': {
            'DisplayName': 'string',
            'ID': 'string'
        }
    },
    GrantFullControl='string',
    GrantRead='string',
    GrantReadACP='string',
    GrantWrite='string',
    GrantWriteACP='string',
    RequestPayer='requester',
    VersionId='string'
)
```
Now, coming to a better way to implement this: have a look at AWS Cross Region Replication. Read more about it in the announcement post here, or refer to the docs.
To use the description from the docs:
Replication enables automatic, asynchronous copying of objects across Amazon S3 buckets. Buckets that are configured for object replication can be owned by the same AWS account or by different accounts. You can copy objects between different AWS Regions or within the same Region.
Maintain object copies under different ownership — Regardless of who owns the source object, you can tell Amazon S3 to change replica ownership to the AWS account that owns the destination bucket. This is referred to as the owner override option. You can use this option to restrict access to object replicas.
Essentially, you can use lifecycle policies and automate the whole process. You can also configure the destination objects to be created with a new owner. With this, you are offloading the management to AWS and also making the process reactive. In the long run, this will help you save costs, both in terms of manpower and resource usage.
Upvotes: 2
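As an added example (not code from the question or the answer above), here is how the copy can be made so that Account B ends up as the object owner. S3 records the account whose credentials perform the PUT or COPY as the owner, and an ACL such as `bucket-owner-full-control` only adds a grant, so the Lambda in Account A assumes a role in Account B, performs the copy with those credentials, and checks the owner of the copy before deleting the source. The role ARN, account ID, bucket names, canonical IDs and the `FakeS3` dry-run client are assumptions for illustration. For the real run, the role in Account B must be allowed `s3:GetObject` on Bucket-A (through Bucket-A's bucket policy) and `s3:PutObject` plus `s3:GetObjectAcl` on Bucket-B, and its trust policy must let the Lambda's role assume it.

```python
from datetime import datetime, timedelta, timezone

# Placeholder names and IDs; assumptions for this example, not values from the page
SOURCE_BUCKET = "bucket-a"
DESTINATION_BUCKET = "bucket-b"
ROLE_IN_ACCOUNT_B = "arn:aws:iam::222222222222:role/S3MoverFromAccountA"  # hypothetical
ACCOUNT_B_CANONICAL_ID = "MyIDB"  # canonical user ID of Account B, as in get-object-acl


def destination_client(role_arn=ROLE_IN_ACCOUNT_B, session_name="s3-mover"):
    """Return an S3 client holding Account B credentials via sts:AssumeRole.

    S3 makes the account that performs the PUT/COPY the object owner; an ACL
    like bucket-owner-full-control only adds a grant, so the copy has to be
    made with Account B credentials. boto3 is imported lazily so the logic
    below stays importable (and the dry run works) without AWS access.
    """
    import boto3
    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName=session_name)["Credentials"]
    return boto3.client(
        "s3",
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )


def is_older_than(last_modified, minutes, now=None):
    """Timezone-aware age check for an object's LastModified timestamp."""
    now = now or datetime.now(timezone.utc)
    return last_modified < now - timedelta(minutes=minutes)


def move_object(src_s3, dest_s3, key, expected_owner_id):
    """Copy one key as Account B, confirm the owner, then delete the original.

    src_s3 : client with the Lambda's own Account A credentials (used for the
             delete, so the role in Account B needs no delete right on bucket A).
    dest_s3: client with Account B credentials (see destination_client).
    Returns the canonical ID that owns the copy.
    """
    dest_s3.copy_object(
        Bucket=DESTINATION_BUCKET,
        Key=key,
        CopySource={"Bucket": SOURCE_BUCKET, "Key": key},
    )
    owner = dest_s3.get_object_acl(Bucket=DESTINATION_BUCKET, Key=key)["Owner"]["ID"]
    if owner != expected_owner_id:
        # Fail closed: never delete the source if ownership did not transfer.
        raise RuntimeError(f"{key}: copy owned by {owner}, expected {expected_owner_id}")
    src_s3.delete_object(Bucket=SOURCE_BUCKET, Key=key)
    return owner


def move_old_objects(src_s3, dest_s3, minutes=5,
                     expected_owner_id=ACCOUNT_B_CANONICAL_ID, now=None):
    """Move every object older than `minutes`; returns the moved keys."""
    moved = []
    pages = src_s3.get_paginator("list_objects_v2").paginate(Bucket=SOURCE_BUCKET)
    for page in pages:
        for obj in page.get("Contents", []):
            if is_older_than(obj["LastModified"], minutes, now):
                move_object(src_s3, dest_s3, obj["Key"], expected_owner_id)
                moved.append(obj["Key"])
    return moved


class FakeS3:
    """Constructed stand-in for a boto3 S3 client so the example runs offline.
    `owner` is the canonical ID it reports for every object, which lets the
    dry run exercise both the success path and the fail-closed path."""
    def __init__(self, pages, owner):
        self.pages, self.owner, self.copied, self.deleted = pages, owner, [], []

    def get_paginator(self, name):
        return self

    def paginate(self, **kwargs):
        return iter(self.pages)

    def copy_object(self, **kwargs):
        self.copied.append(kwargs["Key"])

    def get_object_acl(self, **kwargs):
        return {"Owner": {"ID": self.owner, "DisplayName": "fake"}, "Grants": []}

    def delete_object(self, **kwargs):
        self.deleted.append(kwargs["Key"])


def sample_pages(now):
    """Constructed listing: one stale object and one fresh one."""
    return [{"Contents": [
        {"Key": "old.log", "LastModified": now - timedelta(hours=1)},
        {"Key": "new.log", "LastModified": now - timedelta(seconds=30)},
    ]}]


if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    src = FakeS3(sample_pages(now), owner="MyIDA")
    print("moved:", move_old_objects(src, FakeS3([], owner=ACCOUNT_B_CANONICAL_ID), now=now))
    try:  # a copy that still lands under Account A is refused and the source is kept
        move_old_objects(src, FakeS3([], owner="MyIDA"), now=now)
    except RuntimeError as err:
        print("refused:", err)
```

Run it as-is for the offline dry run; in the Lambda, use `boto3.client('s3')` for `src_s3` and `destination_client()` for `dest_s3`. If ACLs can be disabled on Bucket-B, setting S3 Object Ownership to `BucketOwnerEnforced` on that bucket makes Account B the owner of every object written to it no matter which account writes, and the owner check above then becomes a sanity check rather than the mechanism. For the replication route the answer suggests, the equivalent owner override is the replication rule's `AccessControlTranslation` set to `{"Owner": "Destination"}` together with the destination `Account`.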