Add the following bucket policy to the source S3 bucket.
Example for the test-dev bucket: https://s3.console.aws.amazon.com/s3/buckets/test-dev?region=us-east-1&tab=permissions
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSESPuts-1627038180448",
      "Effect": "Allow",
      "Principal": {
        "Service": "ses.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::test-dev/*",
      "Condition": {
        "StringEquals": {
          "aws:Referer": "399987726867"
        }
      }
    },
    {
      "Sid": "DelegateS3Access",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111:root"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObjectTagging",
        "s3:GetObjectTagging",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionTagging"
      ],
      "Resource": [
        "arn:aws:s3:::test-dev/*",
        "arn:aws:s3:::test-dev"
      ]
    }
  ]
}
```

The `Principal` in the `DelegateS3Access` statement is the destination account.
Create an IAM policy in the destination account 2222222222:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::test-dev",
        "arn:aws:s3:::test-dev/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::test-staging",
        "arn:aws:s3:::test-staging/*"
      ]
    }
  ]
}
```

Here `test-dev` is the source bucket and `test-staging` is the destination bucket.
Use this command to sync data:

```
aws s3 sync s3://test-dev s3://test-staging
## aws s3 sync s3://SOURCE-BUCKET-NAME s3://DESTINATION-BUCKET-NAME
```

IMPORTANT!
Run the above command with the destination account's AWS IAM user credentials only. Otherwise the copied objects in the destination S3 bucket will still have the source account permissions and won't be accessible by destination account users.
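An added example, not part of the original post: a simplified offline check that the source bucket policy and the destination IAM policy together grant what the sync needs. It uses the page's placeholder bucket names and principal ARN, ignores `Condition` blocks, and the helper names `allows` and `sync_gaps` are hypothetical.

```python
import fnmatch

# Constructed from the two policies on this page (statements relevant to the sync only).
PRINCIPAL = "arn:aws:iam::111111111:root"
BUCKET_POLICY = {"Statement": [{
    "Effect": "Allow", "Principal": {"AWS": PRINCIPAL},
    "Action": ["s3:ListBucket", "s3:GetObject"],
    "Resource": ["arn:aws:s3:::test-dev/*", "arn:aws:s3:::test-dev"]}]}
IAM_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::test-dev", "arn:aws:s3:::test-dev/*"]},
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl"],
     "Resource": ["arn:aws:s3:::test-staging", "arn:aws:s3:::test-staging/*"]}]}

def _listify(value):
    return value if isinstance(value, list) else [value]

def allows(policy, action, resource, principal=None):
    """Simplified evaluation: explicit Deny wins; Condition and NotAction are ignored."""
    allowed = False
    for st in _listify(policy["Statement"]):
        if principal is not None:
            who = st.get("Principal", {})
            if not isinstance(who, dict) or principal not in _listify(who.get("AWS", [])):
                continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _listify(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _listify(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def sync_gaps(bucket_policy, iam_policy, principal, src, dst):
    """Return (action, policy) pairs missing for `aws s3 sync s3://src s3://dst`."""
    src_arn, dst_arn = f"arn:aws:s3:::{src}", f"arn:aws:s3:::{dst}"
    checks = [("s3:ListBucket", src_arn, True), ("s3:GetObject", src_arn + "/any/key", True),
              ("s3:ListBucket", dst_arn, False), ("s3:PutObject", dst_arn + "/any/key", False)]
    gaps = []
    for action, arn, cross_account in checks:
        # Cross-account reads need the source bucket policy AND the caller's IAM policy;
        # writes inside the destination account are checked against the IAM policy only.
        if cross_account and not allows(bucket_policy, action, arn, principal):
            gaps.append((action, "source bucket policy"))
        if not allows(iam_policy, action, arn):
            gaps.append((action, "destination IAM policy"))
    return gaps
```

A `Resource` list that names only `arn:aws:s3:::test-dev/*` is reported as a missing `s3:ListBucket`, because that action applies to the bucket ARN rather than to object ARNs.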
And as a quick-and-dirty option, you can do it like this:
```
kubectl run --rm -it --tty connect-to-s3 --image=ubuntu --restart=Never -n dev -- bash
apt-get update
apt-get install curl unzip -y
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
./aws/install
mkdir ~/.aws
```
```
cat > ~/.aws/credentials
[test-long-term]
aws_access_key_id =
aws_secret_access_key =

[test]
assumed_role = False
aws_access_key_id =
aws_secret_access_key =
aws_session_token =
aws_security_token =
```
```
cat > ~/.aws/config
[profile test]
region = ap-southeast-1

[profile test1]
output = json
role_arn = arn:aws:iam::11111111:role/administrator
source_profile = test
```
```
export AWS_PROFILE=test1
aws s3 sync s3://SOURCE-BUCKET-NAME s3://DESTINATION-BUCKET-NAME
```