Is it possible using AWS CLI to copy the contents of S3 buckets between AWS accounts? I know it's possible to copy/sync between buckets in the same account, but I need to get the contents of an old AWS account into a new one. I have AWS CLI configured with two profiles, but I don't see how I can use both profiles in a single copy/sync command.
问问题
9479 次
4 回答
20
很简单。比方说:
旧 AWS 账户 = old@aws.com
新 AWS 账户 = new@aws.com
以身份登录 AWS 控制台old@aws.com
转到您选择的存储桶并应用以下存储桶策略:
{
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucket_name",
"Principal": {
"AWS": [
"account-id-of-new@aws.com-account"
]
}
},
{
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucket_name/*",
"Principal": {
"AWS": [
"account-id-of-new@aws.com-account"
]
}
}
]
}
我猜想,bucket_name并且account-id-of-new@aws.com-account1在上述政策中对你来说很明显
现在,确保您AWS-CLI使用以下凭据运行new@aws.com
运行以下命令,复制将像魅力一样发生:
aws s3 cp s3://bucket_name/some_folder/some_file.txt s3://bucket_in_new@aws.com_acount/fromold_account.txt
当然,请确保new@aws.com对他自己的存储桶具有写入权限,该存储桶bucket_in_new@aws.com_acount在上述命令中用于保存从old@aws.com存储桶复制的内容。
希望这可以帮助。
于 2014-03-09T13:44:02.980 回答
6
好的,我现在有这个工作!感谢您的回答。最后,我使用了@slayedbylucifer 和@Sony Kadavan 之间的组合。对我有用的是新的存储桶策略和新的用户策略。
我添加了以下存储桶策略(帐户 A):
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::myfoldername",
"Principal": {
"AWS": [
"arn:aws:iam::111111111111:user/myusername"
]
}
},
{
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::myfoldername",
"Principal": {
"AWS": [
"arn:aws:iam::111111111111:user/myusername"
]
}
}
]
}
以及以下用户政策(帐户 B):
{
"Version": "2012-10-17",
"Statement":{
"Effect":"Allow",
"Action":"s3:*",
"Resource":"arn:aws:s3:::myfoldername/*"
}
}
并使用了以下 aws cli 命令(需要 region 选项,因为帐户位于不同的区域):
aws --region us-east-1 s3 sync s3://myfoldername s3://myfoldername-accountb
于 2014-03-09T20:41:34.167 回答
1
Yes, you can. You need to first create an IAM user in the second account and delegate permissions to it - read/write/list on specific S3 bucket. Once you do this then provide this IAM users's credentials to your CLI and it will work.
How to delegate permissions: Delegating Cross-Account Permissions to IAM Users - AWS Identity and Access Management : http://docs.aws.amazon.com/IAM/latest/UserGuide/DelegatingAccess.html#example-delegate-xaccount-roles
Sample S3 policy for delegation:
{
"Version": "2012-10-17",
"Statement" : {
"Effect":"Allow",
"Sid":"AccountBAccess1",
"Principal" : {
"AWS":"111122223333"
},
"Action":"s3:*",
"Resource":"arn:aws:s3:::mybucket/*"
}
}
When you do this on production setups, be more restrictive in the permissions. If your need is to copy from a bucket to another. Then on one side, you need to give only List and Get (not Put)
于 2014-03-08T02:52:38.637 回答
1
在我的情况下,下面提到的命令会起作用,希望这也对你有用。我在不同地区有两个不同的 AWS 账户,我想将我的旧存储桶内容复制到一个新的存储桶中。我为 AWS CLI 配置了两个配置文件。
使用了以下 aws cli 命令:
aws s3 cp --profile <profile1> s3://source_bucket_path/ --profile <profile2> s3://destination_bucket_path/ --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers --recursive
于 2017-03-03T11:39:27.220 回答