
AWS permissions required for sync

I have a Windows machine that needs to sync a folder with S3.

I try

"C:\Program Files\amazon\AWSCLI\aws.exe" s3 sync components s3://test/MyTest/ --acl public-read --cache-control "public, must-revalidate, proxy-revalidate, max-age=1800"

got error "A client error (AccessDenied) occurred when calling the PutObject operation: Access Denied"

s3 rm and s3 cp for the same directory work fine.

I have the following permissions:

    "Sid": "VisualEditor4",
    "Effect": "Allow",
    "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
    ],
    "Resource":
Mor Lajb asked Feb 20 '18 21:02




2 Answers

You need all these actions:

  • s3:DeleteObject
  • s3:GetBucketLocation
  • s3:GetObject
  • s3:ListBucket
  • s3:PutObject

Not only PutObject. To get S3 sync to work, use this policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Resource": [
                    "arn:aws:s3:::YOUR_BUCKET_NAME",
                    "arn:aws:s3:::YOUR_BUCKET_NAME/*"
                ],
                "Sid": "Stmt1464826210000",
                "Effect": "Allow",
                "Action": [
                    "s3:DeleteObject",
                    "s3:GetBucketLocation",
                    "s3:GetObject",
                    "s3:ListBucket",
                    "s3:PutObject"
                ]
            }
        ]
    }
JorgeM answered Oct 03 '22 21:10


Synchronizing files also requires READ permissions because the AWS Command-Line Interface (CLI) needs to view the existing files to determine whether they already exist or have been modified.

Thus, you will also need to grant ListBucket permission.

If you use aws s3 cp instead of aws s3 sync, then this is not required.

John Rotenstein answered Oct 03 '22 22:10
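
An added example, not part of either answer: a Python check of an identity policy against the actions an upload-direction `aws s3 sync ... --acl ...` relies on, including the case where `s3:ListBucket` is granted on object ARNs only and therefore never takes effect. The action-to-resource mapping, the bucket name `example-bucket`, the sample key and all helper names are assumptions of this example.

```python
import fnmatch

# Assumption: upload-direction sync with --acl, as in the question's command.
# Each action is checked against the ARN type it applies to.
NEEDED = {
    "s3:ListBucket": "arn:aws:s3:::{bucket}",          # bucket-level
    "s3:PutObject": "arn:aws:s3:::{bucket}/{key}",     # object-level
    "s3:PutObjectAcl": "arn:aws:s3:::{bucket}/{key}",  # needed because of --acl
}

def _listify(value):
    return value if isinstance(value, list) else [value]

def _match(patterns, value, fold=False):
    # IAM-style * and ? wildcards; action names are case-insensitive, ARNs are not.
    for pattern in _listify(patterns):
        p, v = (pattern.lower(), value.lower()) if fold else (pattern, value)
        if fnmatch.fnmatchcase(v, p):
            return True
    return False

def missing_for_sync(policy, bucket, key="MyTest/app.js"):
    """Return needed actions that no Allow statement grants on the right ARN.
    Simplification: Deny statements, Condition blocks, NotAction/NotResource
    and bucket policies are not evaluated."""
    missing = []
    for action, template in NEEDED.items():
        arn = template.format(bucket=bucket, key=key)
        if not any(
            st.get("Effect") == "Allow"
            and _match(st.get("Action", []), action, fold=True)
            and _match(st.get("Resource", []), arn)
            for st in _listify(policy["Statement"])
        ):
            missing.append(action)
    return missing

# Constructed sample policies; "example-bucket" is a placeholder name.
def _policy(actions, resources):
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions, "Resource": resources}]}

OBJECTS = "arn:aws:s3:::example-bucket/*"
PUT_ONLY = _policy(["s3:PutObject", "s3:PutObjectAcl"], OBJECTS)
LIST_ON_OBJECTS = _policy(["s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl"], OBJECTS)
UPLOAD_SYNC = _policy(["s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl"],
                      ["arn:aws:s3:::example-bucket", OBJECTS])

if __name__ == "__main__":
    for name in ("PUT_ONLY", "LIST_ON_OBJECTS", "UPLOAD_SYNC"):
        print(name, missing_for_sync(globals()[name], "example-bucket"))
```

Add `s3:DeleteObject` to `NEEDED` when the sync is run with `--delete`, and `s3:GetObject` when syncing from the bucket to a local directory.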