[英]AWS S3 Server side encryption Access denied error
{ "Version": "2012-10-17", "Statement": [ { "Sid": "PermissionsToAAccount", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::XXXXXXX:root" }, "Action": "s3:*", "Resource": [ "arn:aws:s3:::DestinationS3Bucket", "arn:aws:s3:::DestinationS3Bucket/*" ] } ] }
When you copy files from one S3 bucket in account A using credentials of account A to a bucket in account B, the owner of the files in the destination bucket will be account A. (Account A is the principal that created the files in account B's bucket). 当您使用帐户A的凭据将帐户A中的一个S3存储桶中的文件复制到帐户B中的存储桶时,目标存储桶中文件的所有者将是帐户A.(帐户A是在帐户B中创建文件的主体桶)。
During the file copy from source to destination bucket, add the --acl bucket-owner-full-control
option so that account B can control the files. 在从源到目标存储区的文件复制期间,添加
--acl bucket-owner-full-control
选项,以便帐户B可以控制文件。 Otherwise you might have files in account B's bucket that account B cannot access or control. 否则,您可能在帐户B的存储桶中有文件B无法访问或控制的文件。
Another option is to use the credentials of account B to copy from the source to the destination bucket. 另一种选择是使用帐户B的凭据从源复制到目标存储桶。 This way the owner of the copied files is account B.
这样,复制文件的所有者是帐户B.
Solution provided by John Hanely works, but that does not immediately change the ownership. John Hanely提供的解决方案有效,但不会立即改变所有权。 You would need to execute a separate command to change it
您需要执行单独的命令来更改它
First Step: 第一步:
aws s3 cp s3://yourbucket s3://yourbucket --recursive --acl bucket-owner-full-control
Second Step: 第二步:
aws s3 cp s3://yourbucket s3://yourbucket --recursive --metadata-directive REPLACE
Notice --meta-directive REPLACE
注意
--meta-directive REPLACE
您应该以这种方式一起替换文件和元数据 -
aws s3 cp s3://yourbucket s3://yourbucket --recursive --acl bucket-owner-full-control --metadata-directive REPLACE
You don't need to cp it.你不需要cp它。
Assumptions: You have access to the offending account and that account has putobjectacl policy permissions.假设:您有权访问违规帐户并且该帐户具有 putobjectacl 策略权限。
Tells you who put the file and who has access:告诉您谁放了文件以及谁有权访问:
$ aws s3api get-object-acl --bucket yourbucket --key path/to/file
{
"Owner": {
"DisplayName": "the-account-putting-the-thing",
"ID": "offendingaccountrandomidstringthatisntrelaventhere"
},
"Grants": [
{
"Grantee": {
"DisplayName": "the-account-putting-the-thing",
"ID": "offendingaccountrandomidstringthatisntrelaventhere",
"Type": "CanonicalUser"
},
"Permission": "FULL_CONTROL"
}
]
}
To fix this so the destination owner now controls the file:要解决此问题,以便目标所有者现在控制文件:
$ aws s3api put-object-acl --bucket yourbucket --key path/to/file --acl bucket-owner-full-control
$ aws s3api get-object-acl --bucket yourbucket --key path/to/file
{
"Owner": {
"DisplayName": "the-account-putting-the-thing",
"ID": "offendingaccountrandomidstringthatisntrelaventhere"
},
"Grants": [
{
"Grantee": {
"DisplayName": "the-account-putting-the-thing",
"ID": "offendingaccountrandomidstringthatisntrelaventhere",
"Type": "CanonicalUser"
},
"Permission": "FULL_CONTROL"
},
{
"Grantee": {
"DisplayName": "the-account-recieving-the-thing",
"ID": "destinationaccountrandomidstringthatisntrelaventhere",
"Type": "CanonicalUser"
},
"Permission": "FULL_CONTROL"
}
]
}
I didn't have any issues manipulating the file after changing the acl vi s3api from the destination / owner account role.从目标/所有者帐户角色更改 acl vi s3api 后,我在操作文件时没有遇到任何问题。
Special thanks to the previous answerees.特别感谢前面的回答者。 Without you, I wouldn't have been able to fix my mistake.
没有你,我不可能改正我的错误。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.