I have 3 AWS accounts:

  • S3 Owner
  • Account A
  • Account B

I have a bucket owned by the "S3 Owner" account which has a bucket policy on it to allow both the A and B accounts to have full access on the bucket and the objects. I also have the ACL set up so that the A and B accounts have full access to the objects too.

I am trying to have either account A or B upload an object to the bucket but allow the other account to copy it. However, I keep getting an access denied exception. I would use a Lambda to set the ACL on the object to the same as the bucket (all 3 ACLs); however, that would require a Lambda running in both account A and B which would have to figure out if it was the owner in order to set the ACL. Is there an easier way to achieve this?

2 Answers

1
votes

I'm having the same problem as you. I'm seeing that the bucket has full access to those objects. I tried 2 ways to copy the objects uploaded by account B to account A:

  1. Set a bucket policy to allow account A to read anything in the bucket - still got an access denied exception.
  2. Use an assumed role to let account A read anything in the bucket - this successfully read the objects but failed to copy them (since the role I assumed does not have write permission to account A).

I'm wondering what the difference is between these two ways of granting cross-account permissions...

0
votes

When an object is created in / copied to an Amazon S3 bucket owned by another account, it is important to specify:

ACL = bucket-owner-full-control

This 'gives' the object to the account that owns the bucket.

If this is not specified, then the object is (strangely) 'owned' by the source account and (even more strangely) the account that owns the bucket often can't even delete the object from their own bucket!

Also, FYI, to grant access to accounts A and B, you can simply use a Bucket Policy. There is no need to do anything with the ACLs. (In fact, there is rarely ever any need to play with the ACLs, except for bucket-owner-full-control and making individual objects public with public-read.)
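As an added example (not code from either answerer), the pieces this answer describes in working form: a bucket policy for the owning account that grants accounts A and B access and, as a guard rail, denies any PutObject that does not set bucket-owner-full-control, plus the put/copy call arguments that carry that ACL. The bucket name and the twelve-digit account IDs are constructed placeholders.

```python
"""Cross-account S3 writes that hand object ownership to the bucket owner."""
import json

# Constructed placeholders, not values from the question.
OWNER_BUCKET = "example-shared-bucket"
ACCOUNT_A = "111111111111"
ACCOUNT_B = "222222222222"


def build_bucket_policy(bucket, writer_accounts):
    """Bucket policy applied by the owning account: allow the writer accounts to
    use the bucket, and deny uploads that would leave the object owned by the
    uploader (the failure mode described above)."""
    principals = [f"arn:aws:iam::{acct}:root" for acct in writer_accounts]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCrossAccountObjectAccess",
                "Effect": "Allow",
                "Principal": {"AWS": principals},
                "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            },
            {
                "Sid": "RequireBucketOwnerFullControl",
                "Effect": "Deny",
                "Principal": {"AWS": principals},
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {"StringNotEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
            },
        ],
    }


def put_object_args(bucket, key, body):
    """Arguments for s3.put_object from account A or B; the ACL is what lets the
    bucket owner (and, through the bucket policy, the other account) read it."""
    return {"Bucket": bucket, "Key": key, "Body": body, "ACL": "bucket-owner-full-control"}


def copy_object_args(bucket, src_key, dst_key):
    """Arguments for s3.copy_object; a copy is a new object, so it needs the ACL too."""
    return {"Bucket": bucket, "Key": dst_key, "ACL": "bucket-owner-full-control",
            "CopySource": {"Bucket": bucket, "Key": src_key}}


if __name__ == "__main__":
    print(json.dumps(build_bucket_policy(OWNER_BUCKET, [ACCOUNT_A, ACCOUNT_B]), indent=2))
    import boto3  # live call: run with account A credentials against a real bucket
    boto3.client("s3").put_object(**put_object_args(OWNER_BUCKET, "reports/a.csv", b"id,v\n1,2\n"))
```

On buckets with Object Ownership set to "bucket owner enforced", ACLs are disabled and every object is owned by the bucket owner automatically; bucket-owner-full-control is still accepted on uploads there, while any other ACL is rejected.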