By using AWS re:Post, you agree to the AWS re:Post Terms of Use

Make object that upload by account-b role public in account-a bucket

0

Hi all
I have tried to upload my objects with Account-B role (NOT user) to a public bucket in Account-A, but the objects aren't public. I want to make them public or has the same access as the bucket
Following are my attempts:

  1. Create bucket MyPublicBucket in Account-A, and set its policy:
{
    "Version": "2012-10-17",
    "Id": "Policy1484633382620",
    "Statement": [
        {
            "Sid": "Stmt1",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws-cn:s3:::MyPublicBucket/*"
        },
        {
            "Sid": "Stmt2",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws-cn:iam::AccountB-ID:role/MyPutObjectRole"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws-cn:s3:::MyPublicBucket/*"
        }
    ]
}
  1. I associated the MyPutObjectRole with my ec2 in Account-B and call "aws s3 cp --recursive dist s3://MyPublicBucket/" in this ec2. The objects are uploaded successfully but owned by Account-B which cannot be public access.
  2. Following the doc ( https://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html#grant-putobject-conditionally-1 ), I added:
"Condition": {
                "StringEquals": {
                    "s3:x-amz-grant-full-control": "id=AccountA-CanonicalUserID"
                }
            }

and call "aws s3 cp --recursive dist s3://MyPublicBucket/ --grants full=id=AccountA-CanonicalUserID"
but it returns "An error occurred (InvalidToken) when calling the PutObject operation: The provided token is malformed or otherwise invalid."
I tried s3api like "aws s3api put-object --bucket MyPublicBucket --key 1.txt --body 1.txt --grant-full-control id=AccountA-CanonicalUserID" but it returns the same InvalidToken error.
I suppose I have to provide "--profile " when using grants but as I am using a role NOT a user, I got no profile

In a word, my question is how to make my Account-B ec2 can upload public object to Account-A public bucket.

asked 5 years ago503 views
2 Answers
1
Accepted Answer

Hello
you could do something like

make all uploaded files public

aws s3 sync . s3://my-bucket/path --acl public-read

the cp command also allows the use of the --acl and it may use other values like public-read-write or bucket-owner-full-control

aws s3 cp s3://mybucket/test.txt s3://mybucket/test2.txt --acl public-read-write

https://docs.aws.amazon.com/cli/latest/userguide/cli-services-s3-commands.html
https://docs.aws.amazon.com/cli/latest/reference/s3/cp.html#examples
hope this helps
RT

answered 5 years ago
profile picture
EXPERT
reviewed 7 months ago
0

Thanks, I found I missed AWS_DEFAULT_REGION=cn-north-1, that made it returns Invalid Token

I solved my problem by:
1 Added AWS_DEFAULT_REGION before run my command
2 Allowed S3:PubObjectAcl to my role:

{
            "Sid": "Stmt2",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws-cn:iam::AccountB-ID:role/MyPutObjectRole"
            },
            "Action": ["s3:PutObject","s3:PutObjectAcl"],
            "Resource": "arn:aws-cn:s3:::MyPublicBucket/*"
 }

3 use: aws s3 cp xxx.txt s3://myPublicBucket --acl public-read

answered 5 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions