I want to copy the contents of an Amazon S3 bucket from Account-A to Account-B.
I tried running this AWS CLI command:
aws s3 cp s3://bucketA s3://bucketB --recursive --acl bucket-owner-full-control
It gives the error:
An error occurred (AccessDenied) when calling the CopyObject operation: Access Denied
I have given s3:getobject and s3:putobject permissions to both the buckets.
2 Answers
If encryption is involved then you’ll get an access denied message if you don’t have KMS permissions to the key used for the bucket/content.
Try adding KMS permissions if relevant.
Also, CloudTrail can provide better error information if you have it enabled.
[edit]
One other thing, you need s3:list* to query the buckets to begin with usually, before you narrow down to specific bucket permissions.
Generally try with s3:* and kms:* and if it works, narrow down from there.
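An added example, not part of either answer and not AWS tooling: a simplified policy check that lists which calls made by the question's `aws s3 cp ... --recursive --acl ...` command are not allowed, so permissions can be narrowed to exactly that set. The bucket names come from the question; the policy documents are constructed, and Principal, Condition and KMS key policies are not modelled.

```python
import re

def _glob(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None

def _listify(v): return v if isinstance(v, list) else [v]

def decision(policy, action, resource):
    """'Deny', 'Allow' or None (implicit deny); Principal and Condition are ignored."""
    verdict = None
    for st in _listify(policy["Statement"]):
        acts = [a.lower() for a in _listify(st["Action"])]  # action names are case-insensitive
        if any(_glob(a, action.lower()) for a in acts) and \
           any(_glob(r, resource) for r in _listify(st["Resource"])):
            if st["Effect"] == "Deny":
                return "Deny"  # an explicit deny always wins
            verdict = "Allow"
    return verdict

def required_calls(src, dst, sets_acl=True):
    """Calls that `aws s3 cp s3://src s3://dst --recursive [--acl ...]` must be allowed to make."""
    calls = [("s3:ListBucket", f"arn:aws:s3:::{src}"),
             ("s3:GetObject", f"arn:aws:s3:::{src}/*"),
             ("s3:PutObject", f"arn:aws:s3:::{dst}/*")]
    if sets_acl:  # passing --acl means the write also needs s3:PutObjectAcl
        calls.append(("s3:PutObjectAcl", f"arn:aws:s3:::{dst}/*"))
    return calls

def missing_permissions(identity_policy, foreign_bucket_policies, calls):
    """Cross-account: a bucket in the other account must allow the call in its bucket policy too."""
    missing = []
    for action, resource in calls:
        checks = [("identity policy", identity_policy)]
        bucket = resource.split(":::")[-1].split("/")[0]
        if bucket in foreign_bucket_policies:
            checks.append((f"bucket policy on {bucket}", foreign_bucket_policies[bucket]))
        missing += [(action, resource, where) for where, pol in checks
                    if decision(pol, action, resource) != "Allow"]
    return missing

# Constructed policies mirroring the question: caller in Account-A, bucketB owned by Account-B.
ASKER_IDENTITY = {"Statement": [{"Effect": "Allow", "Action": ["s3:getobject", "s3:putobject"],
                                 "Resource": ["arn:aws:s3:::bucketA/*", "arn:aws:s3:::bucketB/*"]}]}
ASKER_BUCKET_B = {"Statement": [{"Effect": "Allow", "Action": "s3:PutObject",  # Principal omitted
                                 "Resource": "arn:aws:s3:::bucketB/*"}]}
GAPS = missing_permissions(ASKER_IDENTITY, {"bucketB": ASKER_BUCKET_B}, required_calls("bucketA", "bucketB"))
print(*GAPS, sep="\n")
```

With the constructed policies, the gaps are the listing permission on the source bucket and `s3:PutObjectAcl` on the destination, the latter on both the identity policy and the bucket policy.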
When copying data between Amazon S3 buckets that belong to different AWS Accounts, you will need to use a single AWS credential (e.g. IAM User) that has read permission on the source bucket and write on the destination bucket.
This requires permissions to be configured in both the source account and the destination account. The configuration varies depending upon whether the IAM User belongs to the source account or the destination account.
If using credentials from the source account
--acl bucket-owner-full-control to grant ownership to the destination account
If using credentials from the destination account