Can't download files uploaded by shared account s3 bucket

 

I have created a bucket on amazon s3 and added bucket policy giving another user account access to upload files to it. I added the following bucket policy.

However, now I am myself unable to download the files uploaded by the sharer. I guess I havn't given them acl rights. How should I proceed to download the files. Can they grant permission from their end for their uploaded files? 

{
    "Version": "2008-10-17",
    "Id": "Policyxxxxxxxxxxxx",
    "Statement": [
        {
            "Sid": "Stmtxxxxxxxxxxxxx",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<account_number>:root"
            },
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:GetObject",
                "s3:ListMultipartUploadParts",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::<bucket_name>/*"
        },
        {
            "Sid": "Stmtxxxxxxxxxxx",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<account_number>:root"
            },
            "Action": [
                "s3:PutBucketLogging",
                "s3:PutBucketNotification",
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::<bucket_name>"
        }
    ]
}

So the problem is that the amazon s3 bucket applies bucket policy to only objects owned by bucket owner. So if you are the bucket owner and gave put object permission through bucket policy that mean you also need to make sure they give you permission during the object upload. While granting cross-account permissions to upload objects one can restrict only objects which comes with read permission only.

Source: http://docs.aws.amazon.com/AmazonS3/latest/dev/AccessPolicyLanguage_UseCases_s3_a.html Related discussion : https://forums.aws.amazon.com/thread.jspa?messageID=524342&%20#524342 Example bucket policy : 

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"111",
         "Effect":"Allow",
         "Principal":{
            "AWS":"1111111111"
         },
         "Action":"s3:PutObject",
         "Resource":"arn:aws:s3:::examplebucket/*"
      },
      {
         "Sid":"112",
         "Effect":"Deny",
         "Principal":{
            "AWS":"1111111111"
         },
         "Action":"s3:PutObject",
         "Resource":"arn:aws:s3:::examplebucket/*",
         "Condition":{
            "StringNotEquals":{
               "s3:x-amz-grant-full-control":[
                  "emailAddress=xyz@amazon.com"
               ]
            }
         }
      }
   ]
}

I faced a similar problem

I copied files from <sharerprofile> to a new amazon account in the bucket <bucketname> and i could not download the files from the new amazon account because of access protection.

So i did the following : 

aws --profile <sharerprofile> s3api put-object-acl --acl authenticated-read --bucket <bucketname> --key <pathofthefileInBucket>

I did not find how to do this automatically for multiple files, so i had to repeat the same command for each file

Was facing a similar situation that the destination account was not granted full access that the bucket policy granting cloudfront read access does not work.

In addition to OP's "s3:x-amz-grant-full-control":[ "emailAddress=xyz@amazon.com" ] , or id=xxx , another way is to use the Canned ACL. By using the bucket-owner-full-control , we do not have to list a specific email or canonical id. 

{
  "Statement":[
    {
      "Effect":"Allow",
      "Principal":{"AWS":"111111111111"},
      "Action":"s3:PutObject",
      "Resource":["arn:aws:s3:::examplebucket/*","arn:aws:s3:::examplebucket"]
    },
    {
      "Effect":"Deny",
      "Principal":{"AWS":"111111111111"},
      "Action":"s3:PutObject",
      "Resource":"arn:aws:s3:::examplebucket/*",
      "Condition": {
        "StringNotEquals": {"s3:x-amz-acl":"bucket-owner-full-control"}
      }
    }
  ]
}
链接地址: http://www.djcxy.com/p/59952.html

上一篇: 我可以从命令行获取用户的s3规范ID吗?

下一篇: 无法下载共享帐户s3存储区上传的文件