Access Denied when syncing between s3 buckets on different AWS accounts
I'm trying to setup sync between two buckets on different AWS accounts.
I got cp working with:
@ubuntu:~$ s3cmd cp -v s3://src/dir/ s3://dest/folder --recursive
I am the user who owns /src/dir and I've added:
{
"Version": "2012-10-17",
"Id": "Policy1477299702471",
"Statement": [
{
"Sid": "Stmt1477299696163",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::awsid:user/name"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucket/*"
}
]}
To the bucket permissions policy on the test bucket.
Now I'm after aws sync to work, as using s3 cp is not recommended for using with cron.
I tried
user@ubuntu:~$ aws s3 sync --dryrun s3://src/ s3://dest/ --region eu-central-1
but I get access denied:
fatal error: An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied
How can I get access denied if this is the user who owns the bucket, and get sync running?
The cause of your ListObjects error is that you assigned permission to access the contents of your bucket (arn:aws:s3:::bucket/*) but you did not give permissions to the bucket itself (arn:aws:s3:::bucket). The ListObjects command requires access to the bucket.
To test this, I did the following:
- Used two AWS accounts: Account A, Account B
- Created
bucket-ain Account A - Created
bucket-bin Account B - Created an IAM User
user-ain Account A with permissions to accessbucket-a -
Added a Bucket Policy to
bucket-b:{ "Id": "CopyBuckets", "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1", "Action": "s3:*", "Effect": "Allow", "Resource": [ "arn:aws:s3:::bucket-b", "arn:aws:s3:::bucket-b/*" ], "Principal": { "AWS": [ "arn:aws:iam::<account-a-id>:user/user-a" ] } } ] }
I then triggered the sync by using user-a in Account A:
aws s3 sync s3://bucket-a s3://bucket-b --profile user-a
It worked successfully.