I was struggling with this, too, but I found an answer over here //stackoverflow.com/a/17162973/1750869 that helped resolve this issue for me. Reposting answer below.
You don't have to open permissions to everyone. Use the below bucket policies on source and destination for copying from a bucket in one account to another using an IAM user.
Bucket to copy from - SourceBucket
Bucket to copy to - DestinationBucket
Source AWS Account ID - XXXX-XXXX-XXXX
Source IAM User - src-iam-user
The below policy means the IAM user XXXX-XXXX-XXXX:src-iam-user has s3:ListBucket and s3:GetObject privileges on SourceBucket/* and s3:ListBucket and s3:PutObject privileges on DestinationBucket/*.
On the SourceBucket the policy should be like:
{
  "Version": "2012-10-17",
  "Id": "Policy1357935677554",
  "Statement": [
    {
      "Sid": "Stmt1357935647218",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::SourceBucket",
      "Principal": {"AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src-iam-user"}
    },
    {
      "Sid": "Stmt1357935676138",
      "Action": ["s3:GetObject"],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::SourceBucket/*",
      "Principal": {"AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src-iam-user"}
    }
  ]
}
On the DestinationBucket the policy should be:
{
  "Version": "2012-10-17",
  "Id": "Policy1357935677554",
  "Statement": [
    {
      "Sid": "Stmt1357935647218",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::DestinationBucket",
      "Principal": {"AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src-iam-user"}
    },
    {
      "Sid": "Stmt1357935676138",
      "Action": ["s3:PutObject"],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::DestinationBucket/*",
      "Principal": {"AWS": "arn:aws:iam::XXXXXXXXXXXX:user/src-iam-user"}
    }
  ]
}
The command to be run is: s3cmd cp s3://SourceBucket/File1 s3://DestinationBucket/File1
But I have an IAM policy set and am using the aws CLI with --profile that has the policy attached. IAM policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::my-repository"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:GetObjectAcl",
        "s3:GetObject",
        "s3:GetObjectTagging",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::my-repository/data/*"
    }
  ]
}

aws --profile my-repository s3 ls

An error occurred [AccessDenied] when calling the ListBuckets operation: Access Denied

Question:
I am getting: An error occurred [AccessDenied] when calling the ListBuckets operation: Access Denied
Answer:
You need the following IAM permission to do aws s3 ls:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    }
  ]
}
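The two threads above turn on the same evaluation rules: an action matches a statement only if both its Action and its Resource match, `aws s3 ls` with no bucket is a ListBuckets call that needs s3:ListAllMyBuckets on "*" rather than s3:ListBucket on a bucket ARN, and a cross-account copy like the s3cmd one in the first post needs an Allow from the caller's own identity policy as well as from the destination bucket policy. The simplified, offline policy evaluator below is an added example written for this page; it is not code from either post, from s3cmd or from AWS. The account IDs, the src-iam-user identity policy and the questioner's ARN are constructed placeholders, and conditions, NotAction/NotResource, ACLs, permission boundaries and SCPs are deliberately not modelled.

```python
"""Offline, simplified IAM-style policy evaluator (added example, not AWS code).

Covers only what the posts above exercise: Allow/Deny statements, '*' and '?'
wildcards in Action and Resource, an optional Principal, and S3's rule that a
cross-account request needs an Allow from both the identity policy and the bucket
policy. Conditions, NotAction/NotResource, ACLs, boundaries and SCPs are out of scope.
"""
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _match(pattern, value):
    # IAM: '*' matches any run of characters (including '/'), '?' exactly one.
    # fnmatch has the same two operators; escape '[' so it stays literal.
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))

def _principal_matches(statement, principal_arn):
    principal = statement.get("Principal")
    if principal is None or principal == "*":   # identity policies carry no Principal
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return any(_match(p, principal_arn) for p in _as_list(aws))

def _decision(policies, principal_arn, action, resource):
    """'Deny' if any matching statement denies, 'Allow' if one allows, else 'Implicit'."""
    decision = "Implicit"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _principal_matches(stmt, principal_arn):
                continue
            if not any(_match(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
                continue
            if not any(_match(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"                    # an explicit deny always wins
            decision = "Allow"
    return decision

def is_allowed(identity_policies, bucket_policy, principal_arn, bucket_account, action, resource):
    """Combine identity and bucket policies the way S3 does for a single request."""
    caller_account = principal_arn.split(":")[4]
    ident = _decision(identity_policies, principal_arn, action, resource)
    res = _decision([bucket_policy] if bucket_policy else [], principal_arn, action, resource)
    if "Deny" in (ident, res):
        return False
    if caller_account == bucket_account:
        return "Allow" in (ident, res)           # same account: either side may grant
    return ident == "Allow" and res == "Allow"   # cross-account: both sides must grant

# --- Constructed sample data: account IDs and the questioner's ARN are placeholders ---
SRC_ACCOUNT, DST_ACCOUNT = "111111111111", "222222222222"
SRC_USER = f"arn:aws:iam::{SRC_ACCOUNT}:user/src-iam-user"
# Assumed identity policy on src-iam-user in its own account; the first post shows
# only bucket policies, but a cross-account PutObject also needs this side.
SRC_USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": ["arn:aws:s3:::SourceBucket", "arn:aws:s3:::DestinationBucket"]},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::SourceBucket/*", "arn:aws:s3:::DestinationBucket/*"]}]}
# The first post's DestinationBucket policy, owned by the destination account.
DST_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": SRC_USER},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::DestinationBucket"},
    {"Effect": "Allow", "Principal": {"AWS": SRC_USER},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::DestinationBucket/*"}]}
# The questioner's identity policy, and the second answer's addition.
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::my-repository"},
    {"Effect": "Allow", "Resource": "arn:aws:s3:::my-repository/data/*",
     "Action": ["s3:GetObjectAcl", "s3:GetObject", "s3:GetObjectTagging", "s3:DeleteObject"]}]}
LIST_ALL_BUCKETS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"}]}
QUESTIONER = "arn:aws:iam::123456789012:user/my-repository"   # placeholder ARN

def cross_account_copy_allowed(with_identity_policy=True):
    """The PutObject half of `s3cmd cp s3://SourceBucket/File1 s3://DestinationBucket/File1`."""
    identity = [SRC_USER_POLICY] if with_identity_policy else []
    return is_allowed(identity, DST_BUCKET_POLICY, SRC_USER, DST_ACCOUNT,
                      "s3:PutObject", "arn:aws:s3:::DestinationBucket/File1")

def aws_s3_ls_allowed(extra_policies=()):
    """`aws s3 ls` with no bucket is a ListBuckets call: s3:ListAllMyBuckets on '*'."""
    return is_allowed([QUESTION_POLICY, *extra_policies], None, QUESTIONER,
                      "123456789012", "s3:ListAllMyBuckets", "*")

def aws_s3_ls_bucket_allowed():
    """`aws s3 ls s3://my-repository` is a ListBucket call on the bucket ARN instead."""
    return is_allowed([QUESTION_POLICY], None, QUESTIONER, "123456789012",
                      "s3:ListBucket", "arn:aws:s3:::my-repository")

if __name__ == "__main__":
    print("cross-account copy, bucket policy only:", cross_account_copy_allowed(False))
    print("aws s3 ls with the question's policy:  ", aws_s3_ls_allowed())
    print("aws s3 ls with ListAllMyBuckets added: ", aws_s3_ls_allowed([LIST_ALL_BUCKETS]))
```

Running it shows the two failure modes side by side: the destination bucket policy alone is not enough for the cross-account PutObject until the caller's own identity policy also allows it, and the questioner's policy never matches s3:ListAllMyBuckets because both its statements are scoped to bucket and object ARNs, which is why `aws s3 ls s3://my-repository` works while the bare `aws s3 ls` fails until the second answer's statement is attached.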