How can I 'aws s3 sync' two buckets which are located in different accounts?
Solution 1
Basically, you need to create a policy to allow access to the S3 bucket on your side and a role, and attach this policy to the role.
Then, a user in Account B needs to assume this role you created which allows access to your bucket.
I believe that this is the article that you are looking for (the more elaborated one): https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
And this is a more specific article: https://aws.amazon.com/premiumsupport/knowledge-center/copy-s3-objects-account/
Solution 2
The credentials used to perform an aws s3 sync command require:
- Read permissions on the source bucket, AND
- Write permissions on the destination bucket
Since you are assuming a role from the source account (that already has read permissions on the source bucket), you will need to grant permissions for that role to write to the destination bucket in your account.
This can be done via a Bucket policy on the destination bucket, which would look something like:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::destination-bucket/*",
                "arn:aws:s3:::destination-bucket"
            ],
            "Principal": {"AWS": "arn:aws:iam::bbbbbbbbbbbb:role/assumeDevOps"}
        }
    ]
}
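The two answers together describe three policy documents: the trust policy on the role in Account B (Solution 1), the identity policy attached to that role, and the bucket policy on the destination bucket in Account A (Solution 2). The following is an added example, not code from either answer, that builds those documents and applies the IAM evaluation rule that decides whether the sync can run: within one account an identity policy or a bucket policy is enough, but across accounts the role's identity policy in Account B and the bucket policy in Account A must both allow the action. The account ids, bucket names, the user jon, the role assumeDevOps and the object key report.csv are constructed placeholders, and the evaluator is a simplified model (Allow statements only, no Deny, no Condition, no ACL evaluation). One caveat the policy above already hints at with s3:PutObjectAcl: when the destination bucket has ACLs enabled, an object written by Account B's role is owned by Account B, so either run the sync with `--acl bucket-owner-full-control` or set the bucket's Object Ownership to "Bucket owner enforced".

```python
"""Cross-account `aws s3 sync` permission model (added example; constructed ids)."""
import fnmatch
import json

# Constructed placeholder ids (not real accounts).
ACCOUNT_A = "111111111111"   # the asker's account: owns user jon and the destination bucket
ACCOUNT_B = "bbbbbbbbbbbb"   # third party: owns the source bucket and role assumeDevOps
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/assumeDevOps"
USER_ARN = f"arn:aws:iam::{ACCOUNT_A}:user/jon"
SOURCE_BUCKET, DEST_BUCKET = "source-bucket", "destination-bucket"
BUCKET_OWNER = {SOURCE_BUCKET: ACCOUNT_B, DEST_BUCKET: ACCOUNT_A}


def bucket_arns(bucket):
    # s3:ListBucket is checked against the bucket ARN, object actions against bucket/*.
    return [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]


def trust_policy():
    """Trust policy on assumeDevOps in Account B: lets Account A's user jon assume it."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": USER_ARN}, "Action": "sts:AssumeRole"}]}


def role_policy(grant_destination=True):
    """Identity policy attached to the role. grant_destination=False models the
    case where only the destination account's side was changed."""
    statements = [{"Effect": "Allow",
                   "Action": ["s3:ListBucket", "s3:GetObject"],
                   "Resource": bucket_arns(SOURCE_BUCKET)}]
    if grant_destination:
        statements.append({"Effect": "Allow",
                           "Action": ["s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl"],
                           "Resource": bucket_arns(DEST_BUCKET)})
    return {"Version": "2012-10-17", "Statement": statements}


def destination_bucket_policy():
    """Bucket policy on Account A's bucket naming the foreign role as principal
    (same shape as the policy shown in Solution 2)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
         "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject",
                    "s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": bucket_arns(DEST_BUCKET)}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allows(policy, action, resource, principal=None):
    """True if some Allow statement matches action and resource (and, for a
    resource policy, names the principal). Simplified: no Deny, no Condition."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if principal is not None and principal not in _as_list(
                st.get("Principal", {}).get("AWS", [])):
            continue
        if (any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"]))
                and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"]))):
            return True
    return False


def required_grants(key="report.csv"):
    """What `aws s3 sync s3://source s3://dest` performs: it lists BOTH buckets
    to diff them, reads source objects and writes destination objects."""
    return [("s3:ListBucket", f"arn:aws:s3:::{SOURCE_BUCKET}"),
            ("s3:GetObject", f"arn:aws:s3:::{SOURCE_BUCKET}/{key}"),
            ("s3:ListBucket", f"arn:aws:s3:::{DEST_BUCKET}"),
            ("s3:PutObject", f"arn:aws:s3:::{DEST_BUCKET}/{key}")]


def missing_grants(identity_policy, bucket_policies):
    """Grants the sync needs but the role (in Account B) cannot get.
    Same account: identity policy OR bucket policy suffices.
    Cross-account: identity policy AND bucket policy must both allow it."""
    missing = []
    for action, resource in required_grants():
        bucket = resource.split(":::", 1)[1].split("/", 1)[0]
        identity_ok = allows(identity_policy, action, resource)
        bucket_policy = bucket_policies.get(bucket)
        bucket_ok = bucket_policy is not None and allows(
            bucket_policy, action, resource, principal=ROLE_ARN)
        same_account = BUCKET_OWNER[bucket] == ACCOUNT_B
        ok = (identity_ok or bucket_ok) if same_account else (identity_ok and bucket_ok)
        if not ok:
            missing.append((action, resource))
    return missing


if __name__ == "__main__":
    print(json.dumps(destination_bucket_policy(), indent=2))
    print("full setup:", missing_grants(role_policy(True), {DEST_BUCKET: destination_bucket_policy()}))
    print("destination side only:", missing_grants(role_policy(False), {DEST_BUCKET: destination_bucket_policy()}))
```

Running it prints an empty list for the full setup and reports the destination ListBucket and PutObject grants as missing when only the bucket policy in Account A was added: the role in Account B still has no identity policy allowing those actions, and a cross-account request needs both sides.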
phisshion
Updated on September 18, 2022
Comments
-
phisshion over 1 year
I'm trying to use 'aws s3 sync' on the awscli between two accounts.
Account A, I own. Account B, Owned by a third party.
Account B has given a user:jon on account A permission to a bucket through a role:assumeDevOps assumption.
Jon assumes assumeDevOps to access bucket on Account B. But now I have to sync to a bucket back on account A.
I'm getting an access denied. Possibly because that role that Jon assumed has no permissions to the bucket back on my account.
How do I do this?
Is there documentation on this specific situation?
-
phisshion almost 5 years
But whoever assumes the role only has access to one of the buckets and not both. At least that is how it's currently working.
-
pdoherty926 about 3 years
Is the implication here that this should work without making any changes to the source account? If so, that's not working for me. I see, "fatal error: An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied" when trying to sync buckets between accounts when only modifying permissions on the destination side.
-
John Rotenstein about 3 years
@pdoherty926 I suggest that you create a new question rather than asking via a comment on an old question. Please include details of your particular setup.