问题
We(account A) would like to use programmatically way to trigger athena query(startQueryExecution) in different aws account ( Account B), we use assumed role to achieve it. After athena query done, we are expecting that result should be written to our aws account s3 bucket (Account A). We managed to do so by setting both side IAM policy to allow B to write to A's S3 bucket.
However, it seemed S3 object in account A is still owned by Account B, user/role in account A has no access to those object.
I was thinking either ways to fix this, but I can not find any example of how to do either
somehow make sure athena writing to s3 with acl = bucket-owner-full-control somehow change s3 object acl to bucket-owner-full-control after object created
Any idea?
回答1:
As of now there is no direct way to give access to the s3 files written in Account A. One way we are solving this problem is writing the s3 file in Account B bucket and have a policy that gives access to Account A access to Account B s3 bucket and then read/process the files. Very hacky but works
来源:https://stackoverflow.com/questions/56572459/how-to-ensure-that-athena-result-s3-object-with-bucket-owner-full-control