I'm trying to copy files from a bucket in A account to another bucket but in B account. When I try to sync the files with the command
aws s3 sync s3://BUCKET_A s3://BUCKET_B
It returns the following output:
copy failed: s3://BUCKET_A to s3://BUCKET_B An error occurred (AccessDenied) when calling the CopyObject operation: Access Denied
This is the policy that was attached to user created in in B account (where will be copied files from bucket A):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::BUCKET_A",
"arn:aws:s3::: BUCKET_A/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::BUCKET_B",
"arn:aws:s3:::BUCKET_B/*"
]
}
]
}
Probably I missing some permission? I don't find the permission CopyObject
to add in my user/bucket policy
On your IAM Role Policy side you will need the following:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::BUCKET_A",
"arn:aws:s3::: BUCKET_A/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::BUCKET_B",
"arn:aws:s3:::BUCKET_B/*"
]
}
]
}
You need to add these permissions to BUCKET_B
{
"Sid": "Example permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::your_iam_policy"
},
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
],
"Resource": [
"arn:aws:s3:::BUCKET_B"
]
}