
This is related to, but different from, "How to use multiple AWS accounts from the command line?"

I would like to sync one AWS bucket to another across two accounts. I have credentials for both accounts set up on my local machine, and I can, for example, do

$ aws s3 sync s3://my-first-bucket/ ./
# or
$ aws s3 sync ./ s3://my-other-bucket --profile other_account

But I’d like to be able to transfer from the default account directly to the bucket on the other account without needing to download and then re-upload. In other words, something like

aws s3 sync --profile default s3://my-first-bucket/ --profile other_account s3://my-other-bucket

Can this be accomplished?

2 Answers


  1. AWS has prescriptive guidance on how to do exactly that.

    In a nutshell, doing what you want the way you want is not the way things are done in S3.

    Basically, your model of doing things would involve two different S3 agents running with two sets of credentials. One has the permissions to read source data, another one has the permissions to write destination data, and they engage in a copying session, sending and receiving data and coordinating their progress.

    It would not be technically impossible to program S3 like that, because that is essentially what you would be doing if you just piped two aws commands into one another on your local machine. But it’s not been done this way.

    Instead, copy and sync are uniform commands running with a single set of credentials on the target account. These credentials should have the permissions to both read the source data and write the target data. These permissions are set on the bucket level and/or the object level.

    If you want the S3 copies to run completely within S3, you’ll need to run the command on the target account and grant it permissions on the bucket belonging to the source account.

    If you don’t want to deal with cross-account permissions, you’ll have to use some kind of intermediate solution which would read the data from the source and write it to the target using two sets of credentials. There are lots of third-party solutions doing that, such as rclone.

  2. To use a single set of credentials, you could add a Bucket Policy to one of the buckets, which would permit credentials from a different AWS Account to access the bucket.

    Option 1: Push

    • Use credentials from the ‘source’ AWS Account
    • Add a Bucket Policy on the ‘destination’ bucket that permits PutObject for the credentials from the ‘source’ account
    • Also, make sure that you specify ACL=bucket-owner-full-control when performing the copy, or that the destination bucket has ACLs disabled. This ensures that the AWS Account owning the destination bucket has control of the objects

    Option 2: Pull

    • Use credentials from the ‘destination’ AWS Account
    • Add a Bucket Policy on the ‘source’ bucket that permits GetObject for the credentials from the ‘destination’ account
    • (The ACL recommendations above are not required for ‘pull’ copies)
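The "pull" option above, worked through as an added example (not code from either answer): the source account attaches a bucket policy that grants the destination account only s3:ListBucket and s3:GetObject on the source bucket (sync needs to list the bucket as well as read objects), then the destination account runs the bucket-to-bucket sync with its own credentials. The bucket names, the 12-digit account ID and the `other_account` profile name are constructed placeholders.

```shell
#!/bin/sh
# Added example of the "pull" cross-account sync pattern; all names below
# are constructed placeholders, override them via the environment.
SOURCE_BUCKET="${SOURCE_BUCKET:-my-first-bucket}"   # owned by the source account
DEST_BUCKET="${DEST_BUCKET:-my-other-bucket}"       # owned by the destination account
DEST_ACCOUNT_ID="${DEST_ACCOUNT_ID:-111122223333}"  # placeholder destination account id

# Emit the bucket policy for the SOURCE bucket. The principal is the
# destination account itself (":root"), so the destination account still has to
# grant s3:ListBucket / s3:GetObject to the specific IAM identity that runs the
# sync; nothing here allows writes or deletes on the source bucket.
pull_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowDestinationAccountToListSource",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::${DEST_ACCOUNT_ID}:root"},
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::${SOURCE_BUCKET}"
    },
    {
      "Sid": "AllowDestinationAccountToReadSource",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::${DEST_ACCOUNT_ID}:root"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::${SOURCE_BUCKET}/*"
    }
  ]
}
EOF
}

# Step 1: run with the SOURCE account's credentials (the default profile here).
attach_pull_policy() {
  aws s3api put-bucket-policy --bucket "$SOURCE_BUCKET" --policy "$(pull_policy)"
}

# Step 2: run with the DESTINATION account's credentials. Because the
# destination account performs the write, it owns the copied objects, so no
# bucket-owner-full-control ACL is needed (as the answer notes for "pull").
run_pull_sync() {
  aws s3 sync "s3://${SOURCE_BUCKET}/" "s3://${DEST_BUCKET}/" --profile other_account
}

# Only call the AWS CLI when explicitly asked: `sh pull_sync.sh apply`
if [ "${1:-}" = "apply" ]; then
  attach_pull_policy && run_pull_sync
fi
```

Review the emitted policy with `sh pull_sync.sh` plus a call to `pull_policy` before applying it; `aws s3api get-bucket-policy --bucket "$SOURCE_BUCKET"` shows what is currently attached.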