By using AWS re:Post, you agree to the Terms of Use

S3 permissions STS assume role bucket to bucket copy

0

Customer has verified that STS assume role is working and can copy a local file to an s3 bucket.

The issue they are having is with bucket to bucket copies. What IAM policy statement do they need to have for that. They are allowing put and list object do they also need some other s3 permission for the copy to work?

They have verified that they can perform a normal put from local and that worked but a bucket directly to another bucket copy is not working.

Would it require a bucket policy? Could it be since they are assuming a role, that the role then does not have access to assume the role on their side to get the files from the source?

asked 5 years ago126 views
1 Answer
0
Accepted Answer

They need GetObject, ListBucket on the source bucket. Also they need PutObject on the destination bucket.

Permissions do not matter WHERE the command is executed. It matters what they are executed against.

You can do this with a bucket policy, or in a role. A bucket policy would have to identify the Principals and is IMO a little more cumbersome.

Here is an example using a role: Put it in a policy attached to a role, and attach the role to an EC2 instance or to an EC2 user.

Here's the policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SourceBucket",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-a",
                "arn:aws:s3:::bucket-a/*"
            ]
        },
        {
            "Sid": "DestBucket",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-b",
                "arn:aws:s3:::bucket-b/*"
            ]
        }
    ]
}
answered 5 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions