Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How change S3 file ownership while cross-account uploading

I have an application which upload ( copy ) some files to a S3 bucket in another AWS account, I use copyObject command from AWS SDK ( Nodejs )

var params = {
      Bucket: "MyBucket_AccountB", 
      CopySource: encodeURI('/Accunt_A_Bocket/file.png'),
      Key: "file.png",
      ACL: 'bucket-owner-full-control'
     };
s3.copyObject(params, function(err, datas) {
    if (err) console.log(err, err.stack); // an error occurred
    else     console.log(datas);           // successful response
});

This code, run from a diffrent AWS Account, let's say, AWS_ACCOUNT_A , and the files uploaded to a S3 bucket in AWS_ACCOUNT_B The thing is, when it upload the files to this bucket, the ownership of this files, are still AWS_ACCOUNT_A.

I want to know what should I do to give ownership of files to AWS_ACCOUNT_B, while uploading them. Anyone here can give me some guidance?

UPDATE :

I used this policy :

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "Permissions",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::MY_ACCOUNT_B_ID:root"
        },
        "Action": "s3:*",
        "Resource": [
            "arn:aws:s3:::MYBUCKET_IN_ACCOUNT_A",
            "arn:aws:s3:::MYBUCKET_IN_ACCOUNT_A/*"
        ]
    }
]
}

but the uploaded files are still owned by Account_A, Did I do anything wrong in the policy?

like image 541
Emad Dehnavi Avatar asked Jul 26 '18 02:07

Emad Dehnavi


People also ask

How do I transfer ownership of Amazon S3 objects to a different AWS account?

You can't transfer Amazon S3 bucket ownership between AWS accounts because the bucket is always owned by the account that created it. Instead, you can copy Amazon S3 objects from one bucket to another so that you give ownership of the copied objects to the destination account.

How do I change ownership of a S3 object?

If you're trying to change object ownership for objects in an existing Amazon S3 bucket, choose the ACLs disabled option under S3 Object Ownership. This option allows the bucket owner full control over all the objects in the S3 bucket and transfers the ownership to the bucket owner's account.

When other AWS accounts upload objects to your bucket the objects remain owned by the bucket owner?

By default, in a cross-account scenario where other AWS accounts upload objects to your Amazon S3 bucket, the objects remain owned by the uploading account. When the bucket-owner-full-control ACL is added, the bucket owner has full control over any new objects that are written by other accounts.

How do I transfer S3 buckets from one account to another?

Create and attach an S3 bucket policy. Sign in to the AWS Management Console for your source account and open the Amazon S3 console. Choose your source S3 bucket and then choose Permissions. Under Bucket policy, choose Edit and then paste the bucket policy from the sourcebucket-policy.


1 Answers

If you have to copy a file from account A to account B, then you should have account A assume a role in account B before writing the file. If for some reason you can't assume a role in account B to do it, then you can set the access to allow full control to the bucket owner:

aws s3 cp --acl bucket-owner-full-control localFile s3://bucketname/path/filename

The bucket owner can enforce this requirement with the following rule:

{
    "Sid": "CrossAccountWritePermissionsDenier",
    "Effect": "Deny",
    "Principal": {
        "AWS": "arn-of-account-A-pusher"
    },
    "Action": [
        "s3:PutObject"
    ],
    "Resource": [
        "arn:aws:s3:::bucketname/path/given/access/*",
        "arn:aws:s3:::bucketname/other/path/given/access/*"
    ],
    "Condition": {
        "StringNotEquals": {
            "s3:x-amz-acl": "bucket-owner-full-control"
        }
    }
}

One caveat to this approach is that if you have an account C (reader) which was also granted read privileges by account B (bucket owner) for the path that account A (writer) pushed a file into, then account C will not be able to read files pushed by account A since they aren't actually owned by account B. This is the issue you are facing.

If account A instead assumed a role in account B before pushing, then the file would be owned by account B, and therefore, account C would be able to read it. Otherwise, account B will have to move the file (since account B has full access) and then account C will be able to read the file in its new location.

In theory, you can change ownership by copying the file to itself from the bucket owner's role:

aws s3 cp s3://bucketname/path/filename s3://bucketname/path/filename

It will not let you do this, however, unless you are changing something (such as the owner, metadata, acl, etc). So you can only do this from the bucket owner's role, not from the original (non-bucket-owner) uploader's role.

like image 85
Shadow Man Avatar answered Oct 12 '22 06:10

Shadow Man