问题描述
我有一个应用程序,可以将一些文件上传(复制)到另一个AWS账户中的S3存储桶中,我使用来自AWS开发工具包(Nodejs)的copyObject命令
I have an application which upload ( copy ) some files to a S3 bucket in another AWS account, I use copyObject command from AWS SDK ( Nodejs )
var params = {
Bucket: "MyBucket_AccountB",
CopySource: encodeURI('/Accunt_A_Bocket/file.png'),
Key: "file.png",
ACL: 'bucket-owner-full-control'
};
s3.copyObject(params, function(err, datas) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(datas); // successful response
});
此代码是从另一个AWS帐户运行的,例如AWS_ACCOUNT_A
,并且文件已上传到AWS_ACCOUNT_B
中的S3存储桶.问题是,当文件上传到此存储桶时,该文件的所有权,仍为AWS_ACCOUNT_A
.
This code, run from a diffrent AWS Account, let's say, AWS_ACCOUNT_A
, and the files uploaded to a S3 bucket in AWS_ACCOUNT_B
The thing is, when it upload the files to this bucket, the ownership of this files, are still AWS_ACCOUNT_A
.
我想知道在上传文件时应该如何赋予文件所有权给AWS_ACCOUNT_B
.这里有人可以给我一些指导吗?
I want to know what should I do to give ownership of files to AWS_ACCOUNT_B
, while uploading them. Anyone here can give me some guidance?
更新:
我使用了此政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::MY_ACCOUNT_B_ID:root"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::MYBUCKET_IN_ACCOUNT_A",
"arn:aws:s3:::MYBUCKET_IN_ACCOUNT_A/*"
]
}
]
}
但是上载的文件仍归Account_A
所有,我在政策中做错了什么吗?
but the uploaded files are still owned by Account_A
, Did I do anything wrong in the policy?
推荐答案
如果必须将文件从帐户A复制到帐户B,则在写入文件之前,应让帐户A在帐户B中扮演角色.如果由于某种原因您不能在帐户B中扮演某个角色,那么可以将访问权限设置为允许对存储桶拥有者进行完全控制:
If you have to copy a file from account A to account B, then you should have account A assume a role in account B before writing the file. If for some reason you can't assume a role in account B to do it, then you can set the access to allow full control to the bucket owner:
aws s3 cp --acl bucket-owner-full-control localFile s3://bucketname/path/filename
存储桶拥有者可以使用以下规则来强制执行此要求:
The bucket owner can enforce this requirement with the following rule:
{
"Sid": "CrossAccountWritePermissionsDenier",
"Effect": "Deny",
"Principal": {
"AWS": "arn-of-account-A-pusher"
},
"Action": [
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::bucketname/path/given/access/*",
"arn:aws:s3:::bucketname/other/path/given/access/*"
],
"Condition": {
"StringNotEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
此方法的一个警告是,如果您拥有一个帐户C(读取者),并且帐户B(存储桶拥有者)也被授予了帐户A(写入者)将文件推送到其中的路径的读取特权,则帐户C将无法读取帐户A推送的文件,因为它们实际上不是帐户B拥有的.这是您面临的问题.
One caveat to this approach is that if you have an account C (reader) which was also granted read privileges by account B (bucket owner) for the path that account A (writer) pushed a file into, then account C will not be able to read files pushed by account A since they aren't actually owned by account B. This is the issue you are facing.
如果在推送之前帐户A承担了帐户B的角色,则文件将由帐户B拥有,因此,帐户C将能够读取该文件.否则,帐户B将必须移动文件(因为帐户B具有完全访问权限),然后帐户C将能够在其新位置读取文件.
If account A instead assumed a role in account B before pushing, then the file would be owned by account B, and therefore, account C would be able to read it. Otherwise, account B will have to move the file (since account B has full access) and then account C will be able to read the file in its new location.
理论上,您可以通过从存储桶所有者的角色将文件复制到自身来更改所有权:
In theory, you can change ownership by copying the file to itself from the bucket owner's role:
aws s3 cp s3://bucketname/path/filename s3://bucketname/path/filename
但是,除非您要进行某些更改(例如所有者,元数据,acl等),否则它将不允许您执行此操作.因此,您只能从存储桶拥有者的角色执行此操作,而不能从原始(非存储桶拥有者)上传者的角色执行此操作.
It will not let you do this, however, unless you are changing something (such as the owner, metadata, acl, etc). So you can only do this from the bucket owner's role, not from the original (non-bucket-owner) uploader's role.
这篇关于跨帐户上传时如何更改S3文件所有权的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!