I am trying to transfer the S3 bucket contents using the AWS CLI from
AWS account A -> Tokyo region (ap-northeast-1) -> S3 bucket -> account1bucket
To
AWS account B -> N.Virginia region (us-east-1) -> S3 bucket -> account2bucket
Followed the steps from https://aws.amazon.com/premiumsupport/knowledge-center/account-transfer-s3/ by creating the exact bucket policies and IAM policy, and executed the following command:
aws s3 sync s3://account1bucket s3://account2bucket
That's giving me the following error:
object explorer, bucket explorer using Access ID/Secret Key and able to successfully connect to AWS account A but not AWS account B. The only difference I could see is MFA is enabled on AWS account B. Technically this shouldn't be a problem as I am able to publish contents to AWS account B S3 buckets from Jenkins using Access ID/Secret Key successfully.
Following are the policies I have defined at the source bucket level and the destination user account level:
AWS account A S3 bucket policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "delegates3access",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AWSAccountB:user/[email protected]"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::account1bucket/*",
                "arn:aws:s3:::account1bucket"
            ]
        }
    ]
}
AWS account B user policy:
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": [
            "arn:aws:s3:::account1bucket",
            "arn:aws:s3:::account1bucket/*",
            "arn:aws:s3:::account2bucket",
            "arn:aws:s3:::account2bucket/*"
        ]
    }
}
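A cross-account `aws s3 sync` needs two grants to line up: the source bucket's policy in account A must allow the account B principal to list the bucket and read its objects, and the account B user's identity policy must allow the same on the source bucket plus list/put on the destination bucket. The following is an added example, not code from the question, from the linked AWS article, or from the AWS CLI: a small static checker that reads policy documents in the shape shown above and reports which of those grants is missing. The account id `111111111111`, the user name `sync-user` and the `BROKEN_BUCKET_POLICY` variant are constructed placeholders. It models only Allow statements with Action/Resource/Principal wildcards and deliberately ignores Deny statements, Conditions (such as MFA requirements), object ACLs and SCPs, so an empty finding list means "these two documents are not the problem", not "access is guaranteed".

```python
"""Static check of the two policies needed for a cross-account `aws s3 sync`.

Added example, not part of the question or of AWS tooling. Models only Allow
statements with IAM-style wildcards; Deny, Conditions, ACLs and SCPs are out
of scope, so a clean result only rules out these two documents as the cause.
"""
import fnmatch
import json

# Constructed placeholders: account id and user name are not real identifiers.
PRINCIPAL_ARN = "arn:aws:iam::111111111111:user/sync-user"

# Source bucket policy in account A, same shape as the one in the question.
SOURCE_BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "delegates3access",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:user/sync-user"},
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::account1bucket/*", "arn:aws:s3:::account1bucket"]
  }]
}
""")

# Identity policy attached to the user in account B (single-object Statement is valid IAM).
DEST_USER_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::account1bucket", "arn:aws:s3:::account1bucket/*",
      "arn:aws:s3:::account2bucket", "arn:aws:s3:::account2bucket/*"
    ]
  }
}
""")

# Constructed failure case: only the object-level ARN is granted, so GetObject
# works but ListBucket (which `sync` needs to enumerate the source) does not.
BROKEN_BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:user/sync-user"},
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::account1bucket/*"
  }]
}
""")


def _as_list(value):
    """IAM accepts a single string/object or a list in Statement, Action, Resource, Principal."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM-style wildcard match: '*' and '?' only; ARNs contain no '[' so fnmatch is safe."""
    return fnmatch.fnmatchcase(value, pattern)


def _principal_allowed(statement, principal):
    """Resource policies name a Principal; identity policies do not (principal=None)."""
    if principal is None:
        return True
    spec = statement.get("Principal", {})
    if spec == "*":
        return True
    return any(p == "*" or p == principal for p in _as_list(spec.get("AWS", [])))


def allows(policy, action, resource, principal=None):
    """True if some Allow statement covers the action, the resource ARN and (if given) the principal."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_matches(a.lower(), action.lower()) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if _principal_allowed(stmt, principal):
            return True
    return False


def check_cross_account_sync(bucket_policy, user_policy, principal, src, dst):
    """Return the grants `aws s3 sync s3://src s3://dst` needs but cannot find; [] means both documents suffice."""
    needed = [
        ("source bucket policy", bucket_policy, "s3:ListBucket", f"arn:aws:s3:::{src}", principal),
        ("source bucket policy", bucket_policy, "s3:GetObject", f"arn:aws:s3:::{src}/*", principal),
        ("destination user policy", user_policy, "s3:ListBucket", f"arn:aws:s3:::{src}", None),
        ("destination user policy", user_policy, "s3:GetObject", f"arn:aws:s3:::{src}/*", None),
        ("destination user policy", user_policy, "s3:ListBucket", f"arn:aws:s3:::{dst}", None),
        ("destination user policy", user_policy, "s3:PutObject", f"arn:aws:s3:::{dst}/*", None),
    ]
    return [f"{where}: no Allow for {action} on {arn}"
            for where, policy, action, arn, who in needed
            if not allows(policy, action, arn, who)]


if __name__ == "__main__":
    for name, pol in (("question's policies", SOURCE_BUCKET_POLICY), ("broken variant", BROKEN_BUCKET_POLICY)):
        findings = check_cross_account_sync(pol, DEST_USER_POLICY, PRINCIPAL_ARN, "account1bucket", "account2bucket")
        print(name, "->", findings or "no missing grants")
```

Run against the question's two documents the checker reports nothing missing, which is consistent with the comment below that the policies look generally correct and that the cause must lie elsewhere (for example the identity the CLI is actually signing with, or a Deny or Condition this checker does not model). The broken variant shows the failure pattern worth remembering: `s3 sync` needs `s3:ListBucket` on the bucket ARN itself, not just on `bucket/*`.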
aws s3 sync command should work. Please note that permissions can only be granted by the account that 'owns' the bucket, so the User B policy you have shown cannot grant access to account1bucket. The Account A Bucket Policy looks generally correct, but it sounds like it is not working, so keep working on fixing that policy. - John Rotenstein