0
votes

I want to migrate an S3 bucket from one account to another account. Here is my bucket policy:

{
    "Version": "2008-10-17",
    "Id": "Policy1335892530063",
    "Statement": [
        {
            "Sid": "DelegateS3Access",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxxxxx:root"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::test123",
                "arn:aws:s3:::test123/*"
            ]
        },
        {
            "Sid": "Stmt1335892150622",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxxxx:root"
            },
            "Action": [
                "s3:GetBucketAcl",
                "s3:GetBucketPolicy"
            ],
            "Resource": "arn:aws:s3:::test123"
        },
        {
            "Sid": "Stmt1335892526596",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxxxxxx:root"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::test123/*"
        }
    ]
}

Here is my IAM user policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::*"]
    }
  ]
}

When I run the command

aws s3 sync s3://test123 s3://abc-test123

I get this error:

A client error (AccessDenied) occurred when calling the CopyObject operation: Access Denied

2 Answers

0
votes

Your bucket policy seems to be correct. Please verify that you are using the root account, just as specified in your bucket policy. Also, you may need to check that there are no deny bucket policies on your destination bucket.

If nothing helps, you can enable temporary public access to your bucket as a workaround. Yes, it's not secure but it should probably work in all cases.

0
votes

Make sure you are providing adequate permissions on both the source bucket (to read) and the destination bucket (to write).

If you are using Root credentials (not generally recommended) for an Account that owns the bucket, you probably don't even need the bucket policy -- the root account should, by default, have the necessary access.

If you are assigning permissions to an IAM user, then instead of creating a Bucket Policy, assign permissions on the IAM user itself. No need to supply a Principal in this situation.

Start by checking that you have permissions to list both buckets:

  • aws s3 ls s3://test123
  • aws s3 ls s3://abc-test123

Then check that you have permissions to copy a file from the source and to the destination:

  • aws s3 cp s3://test123/foo.txt .
  • aws s3 cp foo.txt s3://abc-test123/foo.txt

If they work, then the sync command should work, too.
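Both answers come down to the same check: the IAM user doing the sync needs permission from its own identity policy, and, because the source bucket sits in a different account, also from that bucket's policy, for every call the sync makes (list both buckets, read source objects, write destination objects; CopyObject fails with AccessDenied if either half is missing). The script below is an added example, not code from the question or the answers: it is a deliberately simplified offline evaluator of the two policies from the question that ignores IAM Conditions, ACLs, object ownership and SCPs, and uses constructed placeholder account IDs (111111111111 for the source bucket owner, 222222222222 for the account running the sync) in place of the masked ones. The user ARN, bucket owners and `delegate_to` helper are assumptions for the demonstration.

```python
"""Offline check of the S3 calls `aws s3 sync s3://src s3://dst` needs.

Added example (not from the question or the answers). Simplified IAM semantics:
no Conditions, ACLs, SCPs or object-ownership effects; account IDs are constructed.
"""
import fnmatch

# Bucket policy from the question (source bucket test123); the masked account
# is replaced by the constructed placeholder 222222222222.
SOURCE_BUCKET_POLICY = {
    "Version": "2008-10-17",
    "Statement": [
        {"Sid": "DelegateS3Access", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::test123", "arn:aws:s3:::test123/*"]},
    ],
}

# Identity policy from the question, attached to the IAM user running the sync.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*",
                   "Resource": ["arn:aws:s3:::*"]}],
}


def account_of(arn):
    """Account ID field of an ARN (arn:partition:service:region:account:...)."""
    return arn.split(":")[4]


def principal_matches(pattern, principal_arn):
    if pattern == "*":
        return True
    # An account-root principal in a bucket policy delegates to the whole account;
    # which IAM users may actually use the grant is then up to their identity policies.
    if pattern.endswith(":root"):
        return account_of(pattern) == account_of(principal_arn)
    return pattern == principal_arn


def _as_list(x):
    return x if isinstance(x, list) else [x]


def statement_matches(stmt, principal_arn, action, resource):
    if "Principal" in stmt:  # only bucket (resource) policies carry one
        p = stmt["Principal"]
        principals = ["*"] if p == "*" else _as_list(p.get("AWS", []))
        if not any(principal_matches(pp, principal_arn) for pp in principals):
            return False
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    return any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))


def evaluate(policy, principal_arn, action, resource):
    """Return 'Allow', 'Deny' or None; an explicit Deny in any matching statement wins."""
    decision = None
    for stmt in (policy or {}).get("Statement", []):
        if statement_matches(stmt, principal_arn, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def is_allowed(principal_arn, identity_policy, bucket_policy, bucket_owner, action, resource):
    """Same-account: either policy may allow. Cross-account: BOTH must allow."""
    ident = evaluate(identity_policy, principal_arn, action, resource)
    bucket = evaluate(bucket_policy, principal_arn, action, resource)
    if "Deny" in (ident, bucket):
        return False
    if account_of(principal_arn) == bucket_owner:
        return "Allow" in (ident, bucket)
    return ident == "Allow" and bucket == "Allow"


def sync_checks(principal_arn, identity_policy, src, dst, sample_key="foo.txt"):
    """Calls the sync makes; src/dst are (bucket, owner_account, bucket_policy) tuples."""
    (sb, so, sp), (db, do, dp) = src, dst
    needed = [
        ("s3:ListBucket", f"arn:aws:s3:::{sb}", so, sp),               # list source
        ("s3:GetObject", f"arn:aws:s3:::{sb}/{sample_key}", so, sp),   # read half of CopyObject
        ("s3:ListBucket", f"arn:aws:s3:::{db}", do, dp),               # list destination
        ("s3:PutObject", f"arn:aws:s3:::{db}/{sample_key}", do, dp),   # write half of CopyObject
    ]
    return {(a, r): is_allowed(principal_arn, identity_policy, p, o, a, r)
            for a, r, o, p in needed}


def delegate_to(policy, account):
    """Copy of a bucket policy with every principal replaced by that account's root (assumed helper)."""
    return {**policy, "Statement": [
        {**s, "Principal": {"AWS": f"arn:aws:iam::{account}:root"}} for s in policy["Statement"]]}


# Constructed scenario: the IAM user lives in account 222..., which owns abc-test123;
# test123 belongs to account 111... and carries the bucket policy above.
USER = "arn:aws:iam::222222222222:user/migrator"
SRC = ("test123", "111111111111", SOURCE_BUCKET_POLICY)
DST = ("abc-test123", "222222222222", None)

if __name__ == "__main__":
    for (action, res), ok in sync_checks(USER, IDENTITY_POLICY, SRC, DST).items():
        flag = "ALLOW" if ok else "DENY"
        print(f"{flag:5} {action:14} {res}")
```

Running it with the policy delegating to the user's own account reports ALLOW on all four calls; swapping the principal for a different account (`delegate_to(SOURCE_BUCKET_POLICY, "333333333333")`) turns the two source-side checks to DENY while the same-account destination stays allowed, which is exactly the mismatch the first answer tells you to look for. The authoritative check against real accounts is the IAM policy simulator (`aws iam simulate-principal-policy`), which applies the full evaluation logic this script leaves out.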