通过复制规则进行跨账户 S3 存储桶复制

时间:2021-05-11 15:32:09

标签: amazon-web-services amazon-s3

我有两个桶:

  • “source-bucket”(在 AWS 账户 88888888 中)。
  • “destination-bucket”(在 AWS 账户 99999999 中)

两个存储桶都启用了版本控制并且位于同一区域 (eu-west-1)。

在源存储桶中,我使用以下设置创建了一个复制规则:

enter image description here

enter image description here

我选择了自动角色创建,它使用以下策略创建了一个角色:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetReplicationConfiguration",
                "s3:GetObjectVersionForReplication",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectVersionTagging",
                "s3:GetObjectRetention",
                "s3:GetObjectLegalHold"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::source-bucket",
                "arn:aws:s3:::source-bucket/*",
                "arn:aws:s3:::destination-bucket",
                "arn:aws:s3:::destination-bucket/*"
            ]
        },
        {
            "Action": [
                "s3:ReplicateObject",
                "s3:ReplicateDelete",
                "s3:ReplicateTags",
                "s3:ObjectOwnerOverrideToBucketOwner"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::source-bucket/*",
                "arn:aws:s3:::destination-bucket/*"
            ]
        }
    ]
}

根据此处找到的文档https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-walkthrough-2.html ,我在“destination-bucket”中添加了一个bucket策略,如下所示:

{
    "Version": "2012-10-17",
    "Id": "",
    "Statement": [
        {
            "Sid": "Set permissions for objects",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::88888888:role/service-role/auto-created-role"
            },
            "Action": [
                "s3:ReplicateObject",
                "s3:ReplicateDelete"
            ],
            "Resource": "arn:aws:s3:::destination-bucket/*"
        },
        {
            "Sid": "Set permissions on bucket",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::88888888:role/service-role/auto-created-role"
            },
            "Action": [
                "s3:GetBucketVersioning",
                "s3:PutBucketVersioning"
            ],
            "Resource": "arn:aws:s3:::destination-bucket"
        }
    ]
}

但是,当我将文件添加到源存储桶时,似乎没有任何反应。 有谁知道这里可能出了什么问题?

2 个答案:

答案 0 :(得分:0)

检查这是否有帮助。

<块引用>

默认情况下,Amazon S3 不会复制使用服务器端加密和 AWS Key Management Service (AWS KMS) 客户主密钥 (CMK) 存储的静态对象。要复制加密对象,您可以修改存储桶复制配置以告诉 Amazon S3 复制这些对象。

https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-walkthrough-4.html

答案 1 :(得分:0)

AWS 文档在这里并不是最好的。从您的图片中,我看到您已启用设置“将对象所有权更改为目标存储桶所有者”(大多数人都会这样做)。 但是,这需要在目的地方面获得额外的许可,赋予他们所有权。 s3:ObjectOwnerOverrideToBucketOwner

以下政策应该适合您

{
    "Version": "2012-10-17",
    "Id": "",
    "Statement": [
        {
            "Sid": "Set permissions for objects",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::88888888:role/service-role/auto-created-role"
            },
            "Action": [
                "s3:ReplicateObject",
                "s3:ReplicateDelete",
                "s3:ObjectOwnerOverrideToBucketOwner"
            ],
            "Resource": "arn:aws:s3:::destination-bucket/*"
        },
        {
            "Sid": "Set permissions on bucket",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::88888888:role/service-role/auto-created-role"
            },
            "Action": [
                "s3:GetBucketVersioning",
                "s3:PutBucketVersioning"
            ],
            "Resource": "arn:aws:s3:::destination-bucket"
        }
    ]
}

为了调试这个问题,我使用 aws s3api head-object --bucket <bucket> --key <prefix> --query ReplicationStatus 来查看复制失败,然后我在目标端添加了 s3:* 权限以查看是否是权限问题。在这种情况下是。

相关问题
最新问题