Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Transfer From S3 to Google Storage - Incorrect Key

Tags:

amazon-s3

file-transfer

google-cloud-storage

I've been trying for past couple of hours to setup a transfer from S3 to my google storage bucket.

The error that i keep getting, when creating the transfer is: "Invalid access key. Make sure the access key for your S3 bucket is correct, or set the bucket permissions to Grant Everyone."

Both the access key and the secret are correct, given that they are currently in use in production for S3 full access.

Couple of things to note:

  1. CORS-enabled on S3 bucket
  2. Bucket policy only allows authenticated AWS users to list/view its contents
  3. S3 requires signed URLs for access

Bucket Policy:

{
    "Version": "2008-10-17",
    "Id": "Policy234234234",
    "Statement": [
        {
            "Sid": "Stmt234234",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:GetObjectAcl",
                "s3:RestoreObject",
                "s3:GetObjectVersion",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:PutObjectVersionAcl",
                "s3:PutObjectAcl",
                "s3:GetObject",
                "s3:PutObject",
                "s3:GetObjectVersionAcl"
            ],
            "Resource": "arn:aws:s3:::mybucket/*"
        },
        {
            "Sid": "2",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity xyzmatey"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::mybucket/*"
        },
        {
            "Sid": "3",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::mybucket"
        }
    ]
}

CORS Policy

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>http://www.mywebsite.com</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>PUT</AllowedMethod>
        <AllowedMethod>DELETE</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
    <CORSRule>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedHeader>AUTHORIZATION</AllowedHeader>
    </CORSRule>
    <CORSRule>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>HEAD</AllowedMethod>
        <AllowedHeader>AUTHORIZATION</AllowedHeader>
    </CORSRule>
</CORSConfiguration>

Any idea where i have gone wrong?

EDIT: I've setup the gsutil tool on a google compute instance and did a copy with the same AWS keys on the exact bucket. Worked like a charm..

like image 290
Mysteryos Avatar asked Feb 04 '16 18:02

Mysteryos

People also ask

How do I resolve access denied errors when uploading files to S3 with KMS default encryption?

To solve the access denied error, click Edit in the upper-right corner of the Default encryption area, and change the AWS KMS key to "Choose from your AWS KMS keys" or "Enter AWS KMS key ARN", or change the server-side encryption type to "AWS S3 Managed Key (SSE-S3).

Is S3 key value based?

Capacity and data structures S3 provides tools for uploading large objects in parts and migrating big data into storage. AWS S3 is a key-value store, one of the major categories of NoSQL databases used for accumulating voluminous, mutating, unstructured, or semistructured data.

Is Google cloud storage compatible with S3?

You can use Google Cloud Storage as a Content Platform Engine S3 Advanced Storage Device with certain restrictions and limitations. The Google Object Storage documentation (https://cloud.google.com/storage/docs/migrating), describes two different ways for using the AWS S3 interface to access Google Cloud Storage.

Where is my S3 key?

Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/ . In the Buckets list, choose the bucket that you want to enable an S3 Bucket Key for. Choose Properties. In the Default encryption section, under Bucket Key, you see the S3 Bucket Key setting for your bucket.

3 Answers

I'm one of the devs on Transfer Service.

You'll need to add "s3:GetBucketLocation" to your permissions.

It would be preferable if the error you received was more specifically about your ACLs, however, rather than an invalid key. I'll look into that.

EDIT: Adding more info to this post. There is documentation which lists this requirement: https://cloud.google.com/storage/transfer/

Here's a quote from the section on "Configuring Access":

"If your source data is an Amazon S3 bucket, then set up an AWS Identity and Access Management (IAM) user so that you give the user the ability to list the Amazon S3 bucket, get the location of the bucket, and read the objects in the bucket." [Emphasis mine.]

EDIT2: Much of the information provided in this answer could be useful for others, so it will remain here, but John's answer actually got to the bottom of OP's issue.

like image 174
Jacob Criner Avatar answered Oct 11 '22 19:10

Jacob Criner

I am an engineer on Transfer service. The reason you encountered this problem is that AWS S3 region ap-southeast-1 (Singapore) is not yet supported by the Transfer service, because GCP does not have networking arrangement with AWS S3 in that region. We can consider to support that region now but your transfer will be much slower than other regions.

On our end, we are making a fix to display a clearer error message.

like image 44
John Avatar answered Oct 11 '22 18:10

John

You can also get the 'Invalid access key' error if you try to transfer a subdirectory rather than a root S3 bucket. For example, I tried to transfer s3://my-bucket/my-subdirectory and it kept failing with the invalid access key error, despite me giving read permissions to google for the entire S3 bucket. It turns out the google transfer service doesn't support transferring subdirectories of the S3 bucket, you must specify the root as the source for the transfer: s3://my-bucket.

like image 3
Josh Avatar answered Oct 11 '22 17:10

Josh
Sign in to Comment

Related questions

Retrieving Etag of an s3 object using boto3 client
Serve index file instead of download prompt
When using Cognito credentials with AWS in a browser (javascript), keep getting "missing credentials" error
How to upload a folder to aws s3 recursivly using ansible
S3: ExpiredToken error for S3 pre-signed url within expiry period
Get aws bucket content listing using Postman - "Get Bucket (Version 2)" RestAPI
An error occurred (AccessDenied) when calling the DeleteBucket operation: Access Denied
aws s3 sync --recursive not working in windows
AWS Lambda using s3 getObject function nothing happening
s3.getObject().promise() never returns anything
Amazon S3 POST upload in iOS
python s3 boto connection.close causes an error
Upload Images to Amazon S3 using Django
CloudFront is not correctly passing back the Access-Control-Allow-Origin header from S3
AWS Lambda (Python) Fails to unzip and store files in S3
Why is input_file_name() empty for S3 catalog sources in pyspark?
InternalError_: Spectrum Scan Error. S3 to Redshift copy command
I got de error when I tried install composer league/flysystem-aws-s3-v3
PyParsing OR statement
S3: How to grant access to multiple buckets?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!