I am trying to move a file from one S3 bucket to another S3 bucket situated in two different AWS accounts using an AWS assume role and STS (Security Token Service) access. I am using the code below to move the file between the buckets:
const aws = require('aws-sdk'); // AWS SDK for JavaScript v2; `logger`, `res` and `fileKey` are assumed to come from the surrounding request handler
const sourceCredentials = new aws.Credentials({
  accessKeyId: <accessKeyId>,
  secretAccessKey: <secretAccessKey>,
});
const sourceS3 = new aws.S3({
  credentials: sourceCredentials
});
const sts = new aws.STS(); // Initializing the AWS STS (Security Token Service)
// Assume IAM role in the source account
const sourceRoleParams = {
  RoleArn: <roleARN>,
  RoleSessionName: 'AssumeRoleSession'
};
const assumedRole = await sts.assumeRole(sourceRoleParams).promise(); // Assuming the role that has permission to copy the file to the destination bucket
const targetCredentials = new aws.Credentials({
  accessKeyId: assumedRole.Credentials?.AccessKeyId,
  secretAccessKey: assumedRole.Credentials?.SecretAccessKey,
  sessionToken: assumedRole.Credentials?.SessionToken,
});
const targetS3 = new aws.S3({
  credentials: targetCredentials
});
const sourceBucket = 'SourceBucket-Name';
const destinationBucket = 'DestinationBucket-Name';
const foldername = 'feed';
const copyParams = {
  Bucket: destinationBucket,
  CopySource: `/${sourceBucket}/<Filename>`,
  Key: foldername + '/' + fileKey // was `feed + '/' + fileKey`; `feed` is never declared, `foldername` is
};
// Note: the copy is issued with the source-account credentials (sourceS3); targetS3 (the assumed role) is not used below.
return sourceS3.copyObject(copyParams, (err, data) => {
  if (err) {
    logger.error('Error while copying file(s): ' + err);
    return res.status(500).send({ status: 'Error while copying file(s).' });
  } else {
    logger.info('Object copied successfully: ', data);
  }
});
I can move the file successfully. But if I try to get the uploaded file using an IAM user (with the AmazonS3FullAccess policy) via the AWS SDK, it says access denied. I've even added permission in the bucket policy as well, but to no avail.
When I opened the file using the account's root user, it showed the error below.
Please let us know if I am correctly moving the file between the buckets.
Please help me overcome this issue.
Thanks in advance
Siva
The user is in a destination account.
Hi Siva,
Looks like the permissions are not set appropriately in the destination account. It would be useful to share the bucket policy in the destination account.
The article I shared earlier provides a good overview of what is needed.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<SourceAccount-ID>:user/<SourceUser>"
      },
      "Action": [
        "s3:ReplicateObject",
        "s3:PutObject",
        "s3:GetObjectAcl",
        "s3:PutObjectAcl",
        "s3:GetObject",
        "s3:PutObjectRetention",
        "s3:RestoreObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::easedev-fileserver/*"
    }
  ]
}
Hi Mukul,
I've followed the steps mentioned in https://repost.aws/en/knowledge-center/copy-s3-objects-account post.
I'm getting an access denied error while trying to upload a file.
Here is the bucket policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::692352210126:user/s3user"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::easedev-fileserver/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::692352210126:user/s3user"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::easedev-fileserver"
    }
  ]
}
Source account user policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::nww-fileserver-bucket",
        "arn:aws:s3:::nww-fileserver-bucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::easedev-fileserver",
        "arn:aws:s3:::easedev-fileserver/*"
      ]
    }
  ]
}
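The destination bucket policy posted above only allows s3:PutObject when the request carries the header x-amz-acl: bucket-owner-full-control, and the copyObject call in the question sets no ACL parameter at all. The following is an added example, not code from either poster or from the AWS SDK: a small offline evaluator for a bucket policy of that shape, which turns SDK copyObject params into the PutObject request the destination bucket sees and reports whether the policy would allow it. The account id, bucket names and object key are constructed placeholders; only Allow statements, Principal.AWS, Action, Resource with a trailing wildcard and a StringEquals condition on s3:x-amz-acl are modelled.

```javascript
// Added example (not from the original thread): offline check of a cross-account
// copy against a destination bucket policy with an s3:x-amz-acl condition.

const asArray = (v) => (Array.isArray(v) ? v : [v]);

// Constructed placeholders: same shape as the bucket policy posted in the thread.
const SOURCE_USER_ARN = 'arn:aws:iam::111122223333:user/s3user';
const DEST_BUCKET = 'example-destination-bucket';
const DEST_BUCKET_POLICY = {
  Version: '2012-10-17',
  Statement: [
    {
      Effect: 'Allow',
      Principal: { AWS: SOURCE_USER_ARN },
      Action: 's3:PutObject',
      Resource: `arn:aws:s3:::${DEST_BUCKET}/*`,
      // Only accept writes that hand full control of the object to the bucket owner.
      Condition: { StringEquals: { 's3:x-amz-acl': 'bucket-owner-full-control' } },
    },
    {
      Effect: 'Allow',
      Principal: { AWS: SOURCE_USER_ARN },
      Action: 's3:ListBucket',
      Resource: `arn:aws:s3:::${DEST_BUCKET}`,
    },
  ],
};

// Match an ARN against a Resource entry; only the trailing "*" wildcard is modelled.
function resourceMatches(pattern, arn) {
  return pattern.endsWith('*') ? arn.startsWith(pattern.slice(0, -1)) : pattern === arn;
}

// Translate SDK copyObject params into the request the destination bucket policy
// evaluates: s3:PutObject on the destination key, with the ACL param sent as the
// x-amz-acl header that the StringEquals condition inspects.
function requestFromCopyParams(copyParams, principalArn) {
  const headers = {};
  if (copyParams.ACL) headers['x-amz-acl'] = copyParams.ACL;
  return {
    principalArn,
    action: 's3:PutObject',
    resourceArn: `arn:aws:s3:::${copyParams.Bucket}/${copyParams.Key}`,
    headers,
  };
}

// Simplified evaluation: the first matching Allow statement wins, otherwise the
// request is implicitly denied. Explicit Deny statements and condition operators
// other than StringEquals on s3:x-amz-acl are not modelled; unknown keys fail closed.
function evaluateBucketPolicy(policy, request) {
  const { principalArn, action, resourceArn, headers = {} } = request;
  for (const stmt of policy.Statement) {
    if (stmt.Effect !== 'Allow') continue;
    const principals = asArray((stmt.Principal && stmt.Principal.AWS) || []);
    if (!principals.includes('*') && !principals.includes(principalArn)) continue;
    if (!asArray(stmt.Action).includes(action)) continue;
    if (!asArray(stmt.Resource).some((r) => resourceMatches(r, resourceArn))) continue;
    const conditions = (stmt.Condition && stmt.Condition.StringEquals) || {};
    const conditionsMet = Object.entries(conditions).every(
      ([key, expected]) => key === 's3:x-amz-acl' && asArray(expected).includes(headers['x-amz-acl'])
    );
    if (conditionsMet) return 'Allow';
  }
  return 'Deny';
}

// The copy as written in the question: no ACL parameter, so no x-amz-acl header is sent.
const copyWithoutAcl = {
  Bucket: DEST_BUCKET,
  CopySource: '/example-source-bucket/report.csv', // constructed
  Key: 'feed/report.csv',
};
// The same copy with the ACL the destination policy demands. Besides satisfying the
// condition, bucket-owner-full-control is what lets the destination account's own
// principals read an object that another account wrote: under ACL-based ownership the
// writer's account owns the object unless the bucket uses "Bucket owner enforced".
const copyWithAcl = { ...copyWithoutAcl, ACL: 'bucket-owner-full-control' };

function checkCopy(copyParams) {
  return evaluateBucketPolicy(DEST_BUCKET_POLICY, requestFromCopyParams(copyParams, SOURCE_USER_ARN));
}

console.log('copy without ACL:', checkCopy(copyWithoutAcl)); // Deny
console.log('copy with ACL:   ', checkCopy(copyWithAcl));    // Allow
```

The evaluator is deliberately narrow; it exists to make the policy condition visible, not to replace the IAM policy simulator. The practical reading for the thread is that the copy must either send ACL: 'bucket-owner-full-control' or the destination bucket must use the Bucket owner enforced object-ownership setting, which disables ACLs and makes the bucket owner the owner of every object regardless of which account wrote it.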