将S3存储桶内容从一个帐户转移到不同地区的其他帐户

时间:2017-05-17 13:39:39

标签: amazon-web-services amazon-s3

我正在尝试使用AWS CLI从

传输S3存储桶内容 
AWS account A -> Tokyo region (ap-northeast-1) -> S3 bucket -> account1bucket


AWS account B -> N.Virginia region (us-east-1) -> S3 bucket -> account2bucket

通过创建确切的存储桶策略,IAM策略并执行以下命令,执行https://aws.amazon.com/premiumsupport/knowledge-center/account-transfer-s3/中的步骤:

aws s3 sync s3://account1bucket s3://account2bucket

这给了我以下错误:

I have tried using the tools like S3对象资源管理器,使用访问ID /密钥的存储分析工具,能够成功连接到AWS account A但不能AWS account B。我可以看到唯一的区别是AWS account B启用了MFA。从技术上讲,这不应该是一个问题,因为我能够使用访问ID /密钥将内容发布到Jenkins的AWS account B S3存储桶成功。

以下是我在源存储桶级别和目标用户acconut级别定义的策略:

AWS账户S3存储桶策略:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "delegates3access",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AWSAccountB:user/user@user.com"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::account1bucket/*",
                "arn:aws:s3:::account1bucket"
            ]
        }
    ]
}

AWS账户B用户政策:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": [
            "arn:aws:s3:::account1bucket",
            "arn:aws:s3:::account1bucket/*",
            "arn:aws:s3:::account2bucket",
            "arn:aws:s3:::account2bucket/*"
        ]
    }
}

2 个答案:

答案 0 :(得分:1)

您可能希望阅读这篇关于 S3 跨区域复制的优秀博文https://aws.amazon.com/blogs/aws/new-cross-region-replication-for-amazon-s3/

答案 1 :(得分:0)

使用AWS源帐户凭据而不是使用AWS目标帐户凭据,它使用以下命令:

aws s3 sync s3://account1bucket s3://account2bucket --source-region ap-northeast-1
相关问题
最新问题