问题
I'm hoping someone can help me with an Amazon S3 Cross Region Replication query. I have two Amazon AWS accounts, each with a bucket in a different region. I want to replicate the data from one bucket to another and from what I understand this should be a simple process to create. However, I'm really struggling and I don't know what I'm doing wrong. I've followed a lot of instructions online including going through various AWS tutorials, seeing lots of examples, but I can't get the data to replicate.
I have enabled versioning on both buckets and none of the data is encrypted. However I do have a policy in my source bucket that permits access to the source data through a referral condition so that the data (images in this case) can only be accessed through specific domains. This all works fine and I have a suspicion that this is what is perhaps restricting access from the destination bucket.
I have followed online instructions to set up the replication rules and IAM policies.
So, my source bucket policy is:-
{
"Version": "2012-10-17",
"Id": "http referrer policy",
"Statement": [
{
"Sid": "Allow get requests originated from list",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::SOURCEBUCKET/*",
"Condition": {
"StringLike": {
"aws:Referer": [
"http://www.domain1.com/*",
"https://www.domain2.com/*",
"http://domain3.com/*"
]
}
}
}
]
}
and my destination bucket policy is:-
{
"Version": "2008-10-17",
"Id": "S3-Console-Replication-Policy",
"Statement": [
{
"Sid": "S3ReplicationPolicyStmt1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::MYSOURCEACCIDNUMBER:root"
},
"Action": [
"s3:List*",
"s3:GetBucketVersioning",
"s3:PutBucketVersioning",
"s3:ReplicateObject",
"s3:ReplicateDelete"
],
"Resource": [
"arn:aws:s3:::DESTINATIONBUCKET",
"arn:aws:s3:::DESTINATIONBUCKET/*"
]
}
]
}
Can anyone advise me on how I can (if I need to) add to the source bucket policy that will enable access from the destination bucket? I'm pretty confident the issue is here.
Thanks in advance.
回答1:
To test this situation, I did the following:
- Created
Bucket-AinAccount-Awith versioning - Created
Bucket-BinAccount-Bwith versioning - Configured Cross-Region Replication on
Bucket-A, selecting "Create new role" (see below) - Added the destination bucket policy provided in the UI (matching yours, above) to
Bucket-B
The process created a role called s3crr_role_for_bucket-a_to_bucket-b that contains:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:Get*",
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bucket-a",
"arn:aws:s3:::bucket-a/*"
]
},
{
"Action": [
"s3:ReplicateObject",
"s3:ReplicateDelete",
"s3:ReplicateTags",
"s3:GetObjectVersionTagging"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucket-b/*"
}
]
}
I then uploaded a file to Bucket-A and it successfully replicated to Bucket-B.
So, the process seems to work fine. If you are having difficulties, some thoughts are:
- Make sure there are no policies that might be applying a
DENYagainst the bucket - Check the IAM Role that was assigned to CRR and ensure it is granting permissions as shown above
- Check Troubleshooting Cross-Region Replication - Amazon Simple Storage Service
- See also Cross-Region Replication Status Information - Amazon Simple Storage Service
回答2:
Letting the replication rule setup create the new IAM role also worked for me when the identical manually created policy was failing. When comparing the auto-created role and my manually created role, the difference was the working autocreated role was a service-role and my nonworking role was an instance-role.
Double check the IAM role used on the source bucket for replication is a service role or regular role, but NOT an instance profile role.
来源:https://stackoverflow.com/questions/55108781/cant-get-amazon-s3-cross-region-replication-between-two-accounts-to-work