Reputation: 31
I am trying to use AWS datasync service to copy files from one bucket in one account to another bucket in another account. Also the buckets are in a different region. I get this error message when I create the Datasync task:
Failed to create task
Request ID: 23f8844d-7867-4b72-a02c-be52b0f2fz31
Action: datasync:CreateTask
Status code: 400
API response: DataSync location access test failed: could not perform s3:HeadBucket on bucket <bucket_name>. Access denied. Ensure bucket access role has s3:ListBucket permission.
I am using the steps from here: https://github.com/awsdocs/aws-datasync-user-guide/blob/main/doc_source/tutorial_s3-s3-cross-account-transfer.md#step-5-create-and-start-a-datasync-task where Account A is the sender account and Account B is the destination bucket account, and I have completed all of the tasks before Step 5. I have this ListBucket permission in my destination bucket policy for both "arn:aws:iam::account-a-id:role/name-of-role" and "arn:aws:iam::account-a-id:user/name-of-user". I am logged in as "arn:aws:iam::account-a-id:user/name-of-user" when I create the DataSync task. Let me know if I am doing something wrong here.
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "DataSyncCreateS3LocationAndTaskAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::account-a-id:role/name-of-role"
      },
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:ListMultipartUploadParts",
        "s3:PutObject",
        "s3:GetObjectTagging",
        "s3:PutObjectTagging"
      ],
      "Resource": [
        "arn:aws:s3:::account-b-bucket",
        "arn:aws:s3:::account-b-bucket/*"
      ]
    },
    {
      "Sid": "DataSyncCreateS3Location",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::account-a-id:user/name-of-user"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::account-b-bucket"
    }
  ]
}
Upvotes: 1
Views: 1780
Reputation: 1
I found the solution to your problem. The tutorial is misleading in multiple places. So you need to create the task using the same role you have put in the bucket policy in Account B. What I did: I used the AWS CLI to create both the B bucket location in DataSync and the task. I started the task from the web console and it worked OK.
Quick solution: use the AWS CLI with the assumed role to create the task. You can't assume this role in the web console.
Upvotes: 0
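The CLI sequence the answer describes, as an added example that is not code from the question or the answer: assume the Account A role named in the Account B bucket policy, confirm the caller identity is that principal before touching DataSync, then create the destination S3 location and the task under those credentials. Role, user and bucket names reuse the post's placeholders; the source location ARN, the local copy of the bucket policy and the CLI's configured default region are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the question or answer. Creates the DataSync
# destination location and task while running as the Account A role that the
# Account B bucket policy names. ARNs reuse the post's placeholders; the source
# location ARN and the local copy of the bucket policy are assumptions.
set -eu

# Map the STS ARN that get-caller-identity returns after assume-role
# (arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION) to the IAM role ARN form
# that bucket policies use (arn:aws:iam::ACCOUNT:role/ROLE).
assumed_role_to_iam_role() {
  printf '%s\n' "$1" |
    sed -E 's#^arn:aws:sts::([^:]*):assumed-role/([^/]+)/.*$#arn:aws:iam::\1:role/\2#'
}

# Succeed only if the bucket policy file ($2) lists the principal ARN ($1).
policy_names_principal() {
  grep -Fq "\"$1\"" "$2"
}

# Assume the role and export its temporary credentials for the aws calls below.
assume_role() {
  creds=$(aws sts assume-role --role-arn "$1" --role-session-name datasync-setup \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text)
  set -- $creds   # tab-separated: key id, secret, session token
  export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3"
}

main() {
  role_arn="arn:aws:iam::account-a-id:role/name-of-role"        # from the post
  policy_file="account-b-bucket-policy.json"                      # assumption
  src_location_arn="arn:aws:datasync:REGION:account-a-id:location/loc-SOURCE"  # assumption
  assume_role "$role_arn"
  caller=$(aws sts get-caller-identity --query Arn --output text)
  if ! policy_names_principal "$(assumed_role_to_iam_role "$caller")" "$policy_file"; then
    echo "caller $caller is not a principal the bucket policy in $policy_file trusts" >&2
    exit 1
  fi

  # Location and task are created by the same role the bucket policy trusts.
  dest_location_arn=$(aws datasync create-location-s3 \
    --s3-bucket-arn arn:aws:s3:::account-b-bucket \
    --s3-config "BucketAccessRoleArn=$role_arn" --query LocationArn --output text)
  aws datasync create-task --source-location-arn "$src_location_arn" \
    --destination-location-arn "$dest_location_arn" --name cross-account-copy \
    --query TaskArn --output text
}
# Only run the AWS calls when explicitly requested, so the helpers can be sourced.
if [ -n "${RUN_DATASYNC_SETUP:-}" ]; then main; fi
```

Run it with `RUN_DATASYNC_SETUP=1 ./create-task.sh` after saving the Account B bucket policy next to it; the identity check fails fast when the session is still the IAM user rather than the role.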