0
votes

I'm new to GCS, and hopefully can explain my problem well. I have S3 for backing up my Aperture/Photos from my MacBook to the cloud. I want to migrate that data to GCS for ease of use, better interface, gsutil, etc.

I used the Transfer Data utility on the GCS website, and have entered my S3 credentials (Access Key and Secret Key). I have enabled interoperability, as well as generated a key in GCS, even though I don't think it was necessary.

Within S3, I created a user in IAM (GoogleTransfer), and created an inline policy for that user with all options selected except for the ones that start with Delete*. Those permissions are:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "<my ID>",
        "Effect": "Allow",
        "Action": [
            "s3:AbortMultipartUpload",
            "s3:CreateBucket",
            "s3:GetAccelerateConfiguration",
            "s3:GetBucketAcl",
            "s3:GetBucketCORS",
            "s3:GetBucketLocation",
            "s3:GetBucketLogging",
            "s3:GetBucketNotification",
            "s3:GetBucketPolicy",
            "s3:GetBucketRequestPayment",
            "s3:GetBucketTagging",
            "s3:GetBucketVersioning",
            "s3:GetBucketWebsite",
            "s3:GetLifecycleConfiguration",
            "s3:GetObject",
            "s3:GetObjectAcl",
            "s3:GetObjectTorrent",
            "s3:GetObjectVersion",
            "s3:GetObjectVersionAcl",
            "s3:GetObjectVersionTorrent",
            "s3:GetReplicationConfiguration",
            "s3:ListAllMyBuckets",
            "s3:ListBucket",
            "s3:ListBucketMultipartUploads",
            "s3:ListBucketVersions",
            "s3:ListMultipartUploadParts",
            "s3:PutAccelerateConfiguration",
            "s3:PutBucketAcl",
            "s3:PutBucketCORS",
            "s3:PutBucketLogging",
            "s3:PutBucketNotification",
            "s3:PutBucketPolicy",
            "s3:PutBucketRequestPayment",
            "s3:PutBucketTagging",
            "s3:PutBucketVersioning",
            "s3:PutBucketWebsite",
            "s3:PutLifecycleConfiguration",
            "s3:PutReplicationConfiguration",
            "s3:PutObject",
            "s3:PutObjectAcl",
            "s3:PutObjectVersionAcl",
            "s3:ReplicateDelete",
            "s3:ReplicateObject",
            "s3:RestoreObject"
        ],
        "Resource": [
            "arn:aws:s3:::*"
        ]
    }
]
}

I initiate the transfer in GCS, and it starts to copy files. It gets the folder structure, but then issues errors:

PERMISSION_DENIED: (showing 5 of 104342 failures)
Object: Aperture Library.aplibrary/Database/Albums/L2z6kBLyQPKRGvv8Jp%yig.apalbum
Object: Aperture Library.aplibrary/Database/Albums/LxYeHbbiSgaQzhjBgpbJBg.apalbum
Object: Aperture Library.aplibrary/Database/Albums/TT+4B27jQx+Us1lc3XJszQ.apalbum

PERMISSION_DENIED: (showing 5 of 104342 failures)
Object:
Object:
Object:
Object:
Object:

I have tried this multiple times using Group permissions in S3 set as Admin, using the inline policy, and combining the two. Also, I've checked the box to overwrite the GCS files even if the source is different. It gets the folder structure, and a lot of files, but then hits these objects and stops.

My next attempt is to use gsutil to find out exactly where the issue is occurring, but I have a feeling that will turn up the same results.

Any advice?

Thanks!

==============

UPDATE:

As expected, gsutil issued an error, although this time I'm able to see that it isn't working immediately, instead of waiting for the GCS Transfer function to end. My output:

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>InvalidObjectState</Code><Message>The operation is not valid for the object's storage class</Message><RequestId>MyReqID</RequestId><HostId>MyHostID</HostId></Error>

Copying s3://benmctee-aperture/Aperture Library.aplibrary/Database/Albums/CtW8oCcESyOINcweX1imtQ.apalbum [Content-Type=application/octet-stream]...
Copying s3://benmctee-aperture/Aperture Library.aplibrary/Database/Albums/DFVs%e5uSwqZ16gNqgycPQ.apalbum [Content-Type=application/octet-stream]...
Copying s3://benmctee-aperture/Aperture Library.aplibrary/Database/Albums/DLYiL8uITfuo6zLqdgYr1w.apalbum [Content-Type=application/octet-stream]...
Copying s3://benmctee-aperture/Aperture Library.aplibrary/Database/Albums/D7UOGRrXS3muB2ilQ80Fmw.apalbum [Content-Type=application/octet-stream]...
Exception in thread Thread-85:
Traceback (most recent call last):
  File "/usr/lib/python2.7/threading.py", line 810, in __bootstrap_inner
    self.run()
  File "/usr/lib/python2.7/threading.py", line 763, in run
    self.__target(*self.__args, **self.__kwargs)
  File "/usr/lib/google-cloud-sdk/platform/gsutil/gslib/daisy_chain_wrapper.py", line 197, in PerformDownload
    decryption_tuple=self.decryption_tuple)
  File "/usr/lib/google-cloud-sdk/platform/gsutil/gslib/cloud_api_delegator.py", line 252, in GetObjectMedia
    decryption_tuple=decryption_tuple)
  File "/usr/lib/google-cloud-sdk/platform/gsutil/gslib/boto_translation.py", line 493, in GetObjectMedia
    generation=generation)
  File "/usr/lib/google-cloud-sdk/platform/gsutil/gslib/boto_translation.py", line 1430, in _TranslateExceptionAndRaise
    raise translated_exception
AccessDeniedException: AccessDeniedException: 403 InvalidObjectState
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>InvalidObjectState</Code><Message>The operation is not valid for the object's storage class</Message><RequestId>MyReqID</RequestId><HostId>MyHostID</HostId></Error>

1 Answer

0
votes

Are these objects stored in Amazon Glacier? "InvalidObjectState" is the error that S3 would get if you try to read objects from Amazon Glacier but haven't yet "restored" the objects.

If this is the case, be aware that restoring the objects from Amazon Glacier can take hours and, depending on how much there is and many other factors, can be very expensive.
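
The transfer service and gsutil both surface this failure as a permission error, while the S3 error code in the body is InvalidObjectState. The following is an added example, not code from the question or the answer: it reads the error code and sorts a listing into readable objects and objects that still need a restore. The listing is constructed sample data shaped like boto3 `list_objects_v2` and `head_object` output, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

ARCHIVE_CLASSES = {"GLACIER", "DEEP_ARCHIVE"}

# Error body as shown in the question (request and host IDs are the poster's placeholders).
SAMPLE_ERROR = ('<?xml version="1.0" encoding="UTF-8"?>'
                "<Error><Code>InvalidObjectState</Code><Message>The operation is not valid "
                "for the object's storage class</Message><RequestId>MyReqID</RequestId>"
                "<HostId>MyHostID</HostId></Error>")

# Constructed sample: Key/StorageClass as in list_objects_v2 "Contents" entries,
# Restore as in the head_object "Restore" field (the x-amz-restore header).
SAMPLE_LISTING = [
    {"Key": "example/a.apalbum", "StorageClass": "STANDARD"},
    {"Key": "example/b.apalbum", "StorageClass": "GLACIER"},
    {"Key": "example/c.apalbum", "StorageClass": "GLACIER",
     "Restore": 'ongoing-request="true"'},
    {"Key": "example/d.apalbum", "StorageClass": "GLACIER",
     "Restore": 'ongoing-request="false", expiry-date="Fri, 21 Dec 2012 00:00:00 GMT"'},
]

def s3_error_code(body):
    """Return the <Code> text of an S3 XML error body, or None if it is not one."""
    try:
        root = ET.fromstring(body.encode("utf-8"))
    except ET.ParseError:
        return None
    return root.findtext("Code") if root.tag == "Error" else None

def restore_state(storage_class, restore_header=None):
    """Classify one object by its storage class and restore header value."""
    if storage_class not in ARCHIVE_CLASSES:
        return "readable"
    match = re.search(r'ongoing-request="(true|false)"', restore_header or "")
    if not match:
        return "needs-restore"
    return "restore-in-progress" if match.group(1) == "true" else "readable"

def triage(error_body, listing):
    """Name the cause behind a 403 and list the keys that cannot be read yet."""
    code = s3_error_code(error_body)
    if code == "AccessDenied":
        return {"cause": "iam-policy", "keys": []}
    if code != "InvalidObjectState":
        return {"cause": "unknown", "keys": []}
    blocked = [o["Key"] for o in listing
               if restore_state(o.get("StorageClass", "STANDARD"), o.get("Restore")) != "readable"]
    return {"cause": "archived-objects", "keys": blocked}

if __name__ == "__main__":
    print(triage(SAMPLE_ERROR, SAMPLE_LISTING))
```

A result of `archived-objects` means the IAM policy is not the blocker, so widening the policy will not make the listed keys readable.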