How to fix AccessDenied calling CopyObject

amazon-web-services amazon-s3 terraform aws-cli bucket
Carlos Andres picture Carlos Andres · Feb 25, 2019 · Viewed 25k times · Source

I'm trying to copy files from a bucket in A account to another bucket but in B account. When I try to sync the files with the command

aws s3 sync s3://BUCKET_A s3://BUCKET_B

It returns the following output:

copy failed: s3://BUCKET_A to s3://BUCKET_B An error occurred (AccessDenied) when calling the CopyObject operation: Access Denied

This is the policy that was attached to user created in in B account (where will be copied files from bucket A):

{
    "Version": "2012-10-17",
    "Statement": [
      {
          "Effect": "Allow",
          "Action": [
              "s3:ListBucket",
              "s3:GetObject",
              "s3:PutObject",
              "s3:PutObjectAcl"
          ],
          "Resource": [
              "arn:aws:s3:::BUCKET_A",
              "arn:aws:s3::: BUCKET_A/*"
          ]
      },
      {
          "Effect": "Allow",
          "Action": [
              "s3:ListBucket",
              "s3:GetObject",
              "s3:PutObject",
              "s3:PutObjectAcl"
          ],
          "Resource": [
              "arn:aws:s3:::BUCKET_B",
              "arn:aws:s3:::BUCKET_B/*"
          ]
      }
    ]
}

Probably I missing some permission? I don't find the permission CopyObject to add in my user/bucket policy

Answer

user8128927 picture user8128927 · Feb 25, 2019

On your IAM Role Policy side you will need the following:

  {
    "Version": "2012-10-17",
    "Statement": [
      {
          "Effect": "Allow",
          "Action": [
              "s3:ListBucket",
              "s3:GetObject",
              "s3:PutObject",
              "s3:PutObjectAcl"
          ],
          "Resource": [
              "arn:aws:s3:::BUCKET_A",
              "arn:aws:s3::: BUCKET_A/*"
          ]
      },
      {
          "Effect": "Allow",
          "Action": [
              "s3:ListBucket",
              "s3:GetObject",
              "s3:PutObject",
              "s3:PutObjectAcl"
          ],
          "Resource": [
              "arn:aws:s3:::BUCKET_B",
              "arn:aws:s3:::BUCKET_B/*"
          ]
      }
    ]
}

You need to add these permissions to BUCKET_B

{
         "Sid": "Example permissions",
         "Effect": "Allow",
         "Principal": {
            "AWS": "arn:aws:iam::your_iam_policy"
         },
         "Action": [
              "s3:ListBucket",
              "s3:GetObject",
              "s3:PutObject",
              "s3:PutObjectAcl"
          ],
         ],
         "Resource": [
            "arn:aws:s3:::BUCKET_B"
         ]
      }

Related questions

Terraform aws: Error No configuration files found

I am new to Terraform. I am writing a small script to put a small datafile from my machine to aws S3 bucket.. but I am getting below error. Terraform file code:- provider "aws" { region = "us-east-1" version = "~> 1.6" } terraform { …

Read More
How to create a folder in an amazon S3 bucket using terraform

I was able to create a bucket in an amazon S3 using this link. I used the following code to create a bucket : resource "aws_s3_bucket" "b" { bucket = "my_tf_test_bucket" acl = "private" } Now I wanted to create …

Read More
Terraform - Upload file to S3 on every apply

I need to upload a folder to S3 Bucket. But when I apply for the first time. It just uploads. But I have two problems here: uploaded version outputs as null. I would expect some version_id like 1, 2, 3 When running …

Read More