Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

Make object that upload by account-b role public in account-a bucket

0

Hi all
I have tried to upload my objects with Account-B role (NOT user) to a public bucket in Account-A, but the objects aren't public. I want to make them public or has the same access as the bucket
Following are my attempts:

  1. Create bucket MyPublicBucket in Account-A, and set its policy:
{
    "Version": "2012-10-17",
    "Id": "Policy1484633382620",
    "Statement": [
        {
            "Sid": "Stmt1",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws-cn:s3:::MyPublicBucket/*"
        },
        {
            "Sid": "Stmt2",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws-cn:iam::AccountB-ID:role/MyPutObjectRole"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws-cn:s3:::MyPublicBucket/*"
        }
    ]
}
  1. I associated the MyPutObjectRole with my ec2 in Account-B and call "aws s3 cp --recursive dist s3://MyPublicBucket/" in this ec2. The objects are uploaded successfully but owned by Account-B which cannot be public access.
  2. Following the doc ( https://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html#grant-putobject-conditionally-1 ), I added:
"Condition": {
                "StringEquals": {
                    "s3:x-amz-grant-full-control": "id=AccountA-CanonicalUserID"
                }
            }

and call "aws s3 cp --recursive dist s3://MyPublicBucket/ --grants full=id=AccountA-CanonicalUserID"
but it returns "An error occurred (InvalidToken) when calling the PutObject operation: The provided token is malformed or otherwise invalid."
I tried s3api like "aws s3api put-object --bucket MyPublicBucket --key 1.txt --body 1.txt --grant-full-control id=AccountA-CanonicalUserID" but it returns the same InvalidToken error.
I suppose I have to provide "--profile " when using grants but as I am using a role NOT a user, I got no profile

In a word, my question is how to make my Account-B ec2 can upload public object to Account-A public bucket.

Themen
Speicher
Tags
Amazon Simple Storage Service
Sprache
English
dxs
gefragt vor 5 Jahren391 Aufrufe
2 Antworten
0
Akzeptierte Antwort

Hello
you could do something like

make all uploaded files public

aws s3 sync . s3://my-bucket/path --acl public-read

the cp command also allows the use of the --acl and it may use other values like public-read-write or bucket-owner-full-control

aws s3 cp s3://mybucket/test.txt s3://mybucket/test2.txt --acl public-read-write

https://docs.aws.amazon.com/cli/latest/userguide/cli-services-s3-commands.html
https://docs.aws.amazon.com/cli/latest/reference/s3/cp.html#examples
hope this helps
RT

rtt
beantwortet vor 5 Jahren
0

Thanks, I found I missed AWS_DEFAULT_REGION=cn-north-1, that made it returns Invalid Token

I solved my problem by:
1 Added AWS_DEFAULT_REGION before run my command
2 Allowed S3:PubObjectAcl to my role:

{
            "Sid": "Stmt2",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws-cn:iam::AccountB-ID:role/MyPutObjectRole"
            },
            "Action": ["s3:PutObject","s3:PutObjectAcl"],
            "Resource": "arn:aws-cn:s3:::MyPublicBucket/*"
 }

3 use: aws s3 cp xxx.txt s3://myPublicBucket --acl public-read

dxs
beantwortet vor 5 Jahren

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt