0
votes

I am trying to move files from an S3 bucket in one account (source account) to an S3 bucket in another account (destination account). I am using a SageMaker notebook, so I have a SageMaker role. I also have a role in my team account which has full S3 access and full SageMaker access, and in the trust relationship I have given the destination account role ARN and the SageMaker role ARN. The destination account also has my team role ARN and SageMaker role ARN in its trust policy.

I am trying to assume my team role and then I will assume the destination role to copy files.

    import boto3

    # Step 1: assume the team role with the SageMaker notebook's own credentials
    sts_client = boto3.client('sts')
    assumed_teamrole_object = sts_client.assume_role(DurationSeconds=1800,
                                                     RoleArn='myteamrole',
                                                     RoleSessionName='test1')
    team_credentials = assumed_teamrole_object['Credentials']

    # Step 2: use the team role's temporary credentials (not the notebook's) to
    # assume the destination role, so the destination trust policy sees the team role
    team_sts_client = boto3.client('sts',
                                   aws_access_key_id=team_credentials['AccessKeyId'],
                                   aws_secret_access_key=team_credentials['SecretAccessKey'],
                                   aws_session_token=team_credentials['SessionToken'])
    assumed_destrole_object = team_sts_client.assume_role(DurationSeconds=1800,
                                                          ExternalId='externalid provided by destination account',
                                                          RoleArn='destination account role',
                                                          RoleSessionName='test2')
    temp_credentials = assumed_destrole_object['Credentials']

    # Step 3: build an S3 client from the destination role's credentials
    session = boto3.session.Session(aws_access_key_id=temp_credentials['AccessKeyId'],
                                    aws_secret_access_key=temp_credentials['SecretAccessKey'],
                                    aws_session_token=temp_credentials['SessionToken'],
                                    region_name='us-east-1')
    client = session.client('s3')

    response = client.list_objects(Bucket='source bucket')
    print(response)

When I am running the above script I am getting the error:

An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied

The objects in the source bucket are encrypted. Do I have to add any permissions to decrypt on my end? Not sure why I am not able to list objects.

1
I don't think you are showing us your actual code, because it refers to client.list_objects(), but client does not exist. - John Rotenstein
@JohnRotenstein I have updated the code. Sorry for the error - anaz8

1 Answer

1
vote

When copying files between S3 buckets that belong to different AWS accounts, you will need a single set of credentials that can read from the source bucket and write to the destination bucket.

If, instead, you are using two different credentials, then you will need to download the file with one set of credentials and then upload with another set of credentials, rather than copying the object in one operation.

Therefore, I recommend that you use one set of credentials (e.g. the myteamrole IAM Role) and then:

  • Attach a policy to the IAM Role that permits GetObject access on the source bucket, and
  • Attach a bucket policy to the destination bucket in the other AWS account that permits PutObject access from the above IAM Role

This will permit the CopyObject() operation with the one set of credentials.

I also recommend specifying ACL = bucket-owner-full-control when copying the object. This will grant ownership of the object to the destination AWS Account, which can avoid some permission problems. This will also require PutObjectAcl permissions on the Bucket Policy.
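The single-credential setup described in this answer, as an added example that is not part of the original answer: the identity policy for the team role on the source bucket, the destination bucket policy granting that role PutObject and PutObjectAcl (with a condition that only accepts the bucket-owner-full-control ACL), and the CopyObject call. It also adds s3:ListBucket, which the question's ListObjects call needs on the bucket ARN. Account ids, bucket names and the role ARN are constructed placeholders.

```python
import json

# Constructed placeholder values; substitute your own account id, bucket names and role name.
TEAM_ROLE_ARN = "arn:aws:iam::111111111111:role/myteamrole"
SOURCE_BUCKET = "source-bucket"
DEST_BUCKET = "destination-bucket"
OWNER_ACL = "bucket-owner-full-control"


def source_identity_policy(bucket):
    """Identity policy attached to the team role in its own account.
    ListObjects needs s3:ListBucket on the bucket ARN; the copy reads
    with s3:GetObject on the object ARN."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{bucket}"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": f"arn:aws:s3:::{bucket}/*"},
    ]}


def destination_bucket_policy(bucket, role_arn):
    """Bucket policy in the destination account. PutObjectAcl is needed
    because the copy sets an ACL; the Condition rejects any put that does
    not hand ownership to the bucket owner."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": role_arn},
         "Action": ["s3:PutObject", "s3:PutObjectAcl"],
         "Resource": f"arn:aws:s3:::{bucket}/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": OWNER_ACL}}},
    ]}


def copy_request(src_bucket, key, dest_bucket, dest_key=None):
    """Arguments for one CopyObject call made with the team role's credentials."""
    return {"Bucket": dest_bucket, "Key": dest_key or key,
            "CopySource": {"Bucket": src_bucket, "Key": key},
            "ACL": OWNER_ACL}


def copy_with_owner_control(s3_client, src_bucket, key, dest_bucket, dest_key=None):
    """Run the copy; s3_client must be built from the team role's credentials."""
    return s3_client.copy_object(**copy_request(src_bucket, key, dest_bucket, dest_key))


if __name__ == "__main__":
    print(json.dumps(source_identity_policy(SOURCE_BUCKET), indent=2))
    print(json.dumps(destination_bucket_policy(DEST_BUCKET, TEAM_ROLE_ARN), indent=2))
    # Live run (needs credentials for TEAM_ROLE_ARN):
    # import boto3; copy_with_owner_control(boto3.client("s3"), SOURCE_BUCKET, "data.csv", DEST_BUCKET)
```

Because the bucket policy's Condition keys on s3:x-amz-acl, a copy that omits the ACL is denied, which is the failure mode to check first when the destination rejects the write.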