AWS S3 服务器端加密访问被拒绝错误
[英]AWS S3 Server side encryption Access denied error
问题描述
- I have A and B AWS accounts and I am syncing S3 bucket from A account SoruceS3Bucket to B account DestinationS3Bucket.
我有 A 和 B AWS 账户,我正在将 S3 存储桶从 A 账户 SoruceS3Bucket 同步到 B 账户 DestinationS3Bucket。 - Following is the bucket policy which is applied on Destination bucket and it is allowing Source AWS account to sync the content with DestinationS3Bucket.以下是应用于目标存储桶的存储桶策略,它允许源 AWS 账户将内容与 DestinationS3Bucket 同步。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PermissionsToAAccount",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXXX:root"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::DestinationS3Bucket",
"arn:aws:s3:::DestinationS3Bucket/*"
]
}
]
}
- Here the sync was working perfectly since long time and it is still working but from last few days at the DestinationS3Bucket files are not accessible with the Server side encryption Access denied error.在这里,同步运行很长时间以来一直运行良好,并且仍在运行,但从最近几天开始,DestinationS3Bucket 文件无法通过服务器端加密访问被拒绝错误访问。
- I have verified there no encryption(Default encryption, none) on SourceS3Bucket and DestinationS3Bucket and I am using Source AWS account secret and access key to sync the content.我已验证 SourceS3Bucket 和 DestinationS3Bucket 上没有加密(默认加密,无),我正在使用 Source AWS 帐户密码和访问密钥来同步内容。 Thanks in advance.提前致谢。
4 个解决方案
解决方案1
15 已采纳 2017-12-05 18:29:08
When you copy files from one S3 bucket in account A using credentials of account A to a bucket in account B, the owner of the files in the destination bucket will be account A. (Account A is the principal that created the files in account B's bucket). 当您使用帐户A的凭据将帐户A中的一个S3存储桶中的文件复制到帐户B中的存储桶时,目标存储桶中文件的所有者将是帐户A.(帐户A是在帐户B中创建文件的主体桶)。
During the file copy from source to destination bucket, add the --acl bucket-owner-full-control option so that account B can control the files. 在从源到目标存储区的文件复制期间,添加--acl bucket-owner-full-control选项,以便帐户B可以控制文件。 Otherwise you might have files in account B's bucket that account B cannot access or control. 否则,您可能在帐户B的存储桶中有文件B无法访问或控制的文件。
Another option is to use the credentials of account B to copy from the source to the destination bucket. 另一种选择是使用帐户B的凭据从源复制到目标存储桶。 This way the owner of the copied files is account B. 这样,复制文件的所有者是帐户B.
解决方案2
1 2018-06-13 10:04:38
Solution provided by John Hanely works, but that does not immediately change the ownership. John Hanely提供的解决方案有效,但不会立即改变所有权。 You would need to execute a separate command to change it 您需要执行单独的命令来更改它
First Step: 第一步:
aws s3 cp s3://yourbucket s3://yourbucket --recursive --acl bucket-owner-full-control
Second Step: 第二步:
aws s3 cp s3://yourbucket s3://yourbucket --recursive --metadata-directive REPLACE
Notice --meta-directive REPLACE 注意--meta-directive REPLACE
解决方案3
1 2019-08-01 03:27:15
您应该以这种方式一起替换文件和元数据 -
aws s3 cp s3://yourbucket s3://yourbucket --recursive --acl bucket-owner-full-control --metadata-directive REPLACE
解决方案4
0 2022-05-06 21:07:22
You don't need to cp it.你不需要cp它。
Assumptions: You have access to the offending account and that account has putobjectacl policy permissions.假设:您有权访问违规帐户并且该帐户具有 putobjectacl 策略权限。
Tells you who put the file and who has access:告诉您谁放了文件以及谁有权访问:
$ aws s3api get-object-acl --bucket yourbucket --key path/to/file
{
"Owner": {
"DisplayName": "the-account-putting-the-thing",
"ID": "offendingaccountrandomidstringthatisntrelaventhere"
},
"Grants": [
{
"Grantee": {
"DisplayName": "the-account-putting-the-thing",
"ID": "offendingaccountrandomidstringthatisntrelaventhere",
"Type": "CanonicalUser"
},
"Permission": "FULL_CONTROL"
}
]
}
To fix this so the destination owner now controls the file:要解决此问题,以便目标所有者现在控制文件:
$ aws s3api put-object-acl --bucket yourbucket --key path/to/file --acl bucket-owner-full-control
$ aws s3api get-object-acl --bucket yourbucket --key path/to/file
{
"Owner": {
"DisplayName": "the-account-putting-the-thing",
"ID": "offendingaccountrandomidstringthatisntrelaventhere"
},
"Grants": [
{
"Grantee": {
"DisplayName": "the-account-putting-the-thing",
"ID": "offendingaccountrandomidstringthatisntrelaventhere",
"Type": "CanonicalUser"
},
"Permission": "FULL_CONTROL"
},
{
"Grantee": {
"DisplayName": "the-account-recieving-the-thing",
"ID": "destinationaccountrandomidstringthatisntrelaventhere",
"Type": "CanonicalUser"
},
"Permission": "FULL_CONTROL"
}
]
}
I didn't have any issues manipulating the file after changing the acl vi s3api from the destination / owner account role.从目标/所有者帐户角色更改 acl vi s3api 后,我在操作文件时没有遇到任何问题。
Special thanks to the previous answerees.特别感谢前面的回答者。 Without you, I wouldn't have been able to fix my mistake.没有你,我不可能改正我的错误。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.