[AWS] 跨帳號S3鏡像對傳教學 – cross account S3 sync to S3 tips

NickAWS

Tips:

1. 開啟各別兩個帳號的S3 Bucket,皆賦予主帳號IAM權限

# Sample aws Bucket Policy json code
{
	"Version": "2012-10-17",
	"Id": "Policy1476346256284",
	"Statement": [
		{
			"Sid": "Stmt1476346255842",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::023227051571:user/nick"
			},
			"Action": "s3:*",
			"Resource": [
				"arn:aws:s3:::account-a",
				"arn:aws:s3:::account-a/*"
			]
		}
	]
}

其中各別S3 Bucket範例分別為:account-a & account-b,權限設定相同。

2. 重點來了,IAM本身要帶有AmazonS3FullAccess Policy...。

3. 執行S3跨帳號對傳API

# s3cmd sync sample command:
s3cmd sync s3://account-a s3://account-b

AmazonS3FullAccess:

針對IAM本身Policy,自有帳號內的S3 Buckets不須自帶IAM Policy就能生效Bucket Policy權限,

但非Bucket Owner ARN設定於Bucket Policy的權限似乎無法生效,得自帶IAM本身的S3 Policy。目前測得跨帳號上傳至少需有PutObject方法權限,但Sync所需尚未測得,總之非Bucket Owner的IAM開AmazonS3FullAccess最為保險。

Object Owner問題:

Bucket為Account-A,Object為Account-B所上傳,那這個Object的Owner為Account-B,即會發生Account-A無法完整擁有該Object權限。

1. 由Bucket Owner上傳

基本解,Bucket為誰所有,帳號就設該IAM:

# s3cmd sync sample command:
s3cmd sync s3://account-b s3://account-a //IAM設Account-A user,對傳後Owner即為自己

2. 非Bucket Owner上傳

如果Bucket Owner自己不釋出IAM供對傳執行,那就會有Object owner不同於Bucket owner的問題。

如此上傳或對傳時就得帶入ACL賦予Bucket Owner權限,也就是所謂的bucket-owner-full-control。

然而s3cmd似乎對ACL權限沒啥搞頭,目前找不到bucket-owner權限參數,以下提供AWS CLI S3範例:

# AWS CLI - Using account B credential
aws s3 cp test.txt s3://account-a --acl bucket-owner-full-control
aws s3 sync s3://account-b s3://account-a --acl bucket-owner-full-control

Leave a Reply

Your email address will not be published. Required fields are marked *