
AWS S3 copy across multiple accounts using aws lambda and trigger internal lambda to copy to other buckets

I have 2 AWS accounts app-dev and app-prod both have some buckets the structure is as follows


The flow is as follows:

app-prod(Account)-->bucket-prod-->copier-lambda-->app-dev(account)-->bucket-dev-->copier-lambda-->[bucket-dev1, bucket-dev2]

The copier lambda in the app-dev account works fine if I copy the file to bucket-dev from the same account manually using the AWS console. But, when the copier lambda from account app-prod copies the file to bucket-dev (app-dev), the copier lambda from account app-dev gets triggered but fails with an "Access Denied" error, and the IAM role for the lambda is the same in both cases (file copied manually, which triggers the copier lambda in the same account, and file copied by a lambda from a different account), so I am confused here.

I'm pretty sure I'm missing something very small here. Any help would be appreciated.

Please note that if one account puts an object into a bucket owned by another account, the object is still owned by the originator. The originator has to add an ACL to the object granting the bucket owner access to the object.

See here for more details.

By default, an S3 object is owned by the AWS account that uploaded it. This is true even when the bucket is owned by another account. To get access to the object, the object owner must explicitly grant you (the bucket owner) access.

The object owner can grant the bucket owner full control of the object by updating the access control list (ACL) of the object. The object owner can update the ACL either during a put or copy operation, or after the object is added to the bucket.
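As an added example (not code from the question or the answer), here is what the copier Lambda in the originating account should do: every cross-account CopyObject carries `ACL='bucket-owner-full-control'`, so the destination account's Lambda can read the object when it is triggered. The bucket names, the `DEST_BUCKET` environment variable and the sample event are assumptions for illustration.

```python
"""Copier Lambda that grants the destination bucket owner full control on
every cross-account copy (added example; DEST_BUCKET is an assumed env var)."""
import os
import urllib.parse

DEST_BUCKET = os.environ.get("DEST_BUCKET", "bucket-dev")  # assumed setting


def parse_s3_event(event):
    """Return (bucket, key) pairs from an S3 notification event.
    Keys in the event are URL-encoded, so they are decoded here."""
    pairs = []
    for rec in event.get("Records", []):
        s3 = rec["s3"]
        key = urllib.parse.unquote_plus(s3["object"]["key"])
        pairs.append((s3["bucket"]["name"], key))
    return pairs


def build_copy_request(src_bucket, key, dest_bucket):
    """CopyObject parameters. The ACL is the fix described in the answer:
    without it the object stays owned by the uploading account and the
    destination account's Lambda gets Access Denied when it reads it."""
    return {
        "Bucket": dest_bucket,
        "Key": key,
        "CopySource": {"Bucket": src_bucket, "Key": key},
        "ACL": "bucket-owner-full-control",
    }


def handler(event, context=None):
    import boto3  # imported here so the helpers above work without the SDK
    s3 = boto3.client("s3")
    copied = []
    for src_bucket, key in parse_s3_event(event):
        s3.copy_object(**build_copy_request(src_bucket, key, DEST_BUCKET))
        copied.append(key)
    return {"copied": copied}


# Constructed sample event in the shape of an S3 ObjectCreated notification
SAMPLE_EVENT = {"Records": [{"s3": {"bucket": {"name": "bucket-prod"},
                                    "object": {"key": "reports/q1+2024.csv"}}}]}
```

The role running this copier in the originating account also needs `s3:PutObjectAcl` on the destination bucket (in addition to `s3:PutObject`), and the destination bucket policy must allow both, or the copy itself is denied.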
