How to copy object in aws s3 from private bucket to public bucket without downloading?

Copying object across buckets in s3 in the same region is easier with this Request:

AmazonS3 pS3client = new AmazonS3Client(new BasicAWSCredentials(/*suppressed*/));
String key = "key";
pS3client.copyObject("sourceBucket", key, "destinationBucket", key);

But when sourceBucket is a private-access bucket and needs pre-signed URLs to access the objects in the bucket, the above request fails.

Access denied for the file due to private access.

com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: <>), S3 Extended Request ID: <>
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1579)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1249)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1030)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:742)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:716)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:699)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:667)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:649)

How to make an s3 request or give pre-signed parameters in the copyObject request to copy from a private bucket to a public destinationBucket?

For a workaround, the obvious solution would be to use GeneratePresignedUrlRequest and get the pre-signed URL to access the sourceBucket's object, download it to a temp file and then use putObject to upload it to the destination bucket. That is too much network - so I was wondering what is the better alternative, if any?

The s3:CopyObject command cannot use pre-signed URLs.

In order to use the s3:CopyObject command, the AWS credentials being used simply require read access to the source bucket, and write access to the target bucket.

If the two buckets are in the same AWS account, then this should be straightforward.

However, if the buckets are in different accounts, then you'll need to apply a bucket policy on the source bucket that grants read access to the target-bucket-owning AWS account, and use the target-bucket-owning AWS account to perform the copy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DelegateS3Access",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME",
                "arn:aws:s3:::BUCKET_NAME/*"
            ]
        }
    ]
}

Replace BUCKET_NAME with the name of your source S3 bucket, and 123456789012 with the AWS account ID of the target AWS account. After editing, apply this policy on your source S3 bucket.
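
A narrower form of the source-bucket policy, added here as an example and not part of the original answer: it keeps the same placeholders (BUCKET_NAME, 123456789012) but replaces `s3:*` with the one action a copy needs on the source side, `s3:GetObject` on the objects, so the target account can read but cannot write, delete or change the policy of the private bucket. The Sid is an illustrative name.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCopySourceRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::BUCKET_NAME/*"
        }
    ]
}
```

The identity performing the copy in the target account still needs its own IAM permissions: `s3:GetObject` on the source objects and `s3:PutObject` on the destination bucket. Add `s3:GetObjectVersion` to the statement only if specific object versions are copied.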
