From 4227e6da2ff047c5bebd56561bb2c4ad06601c72 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Wed, 21 Feb 2024 11:46:18 +0000 Subject: [PATCH] Expand on ACL issues --- ...transfer.md => s3-cross-account-transfer.md} | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) rename docs/notes/infrastructure/{cross-account-transfer.md => s3-cross-account-transfer.md} (53%) diff --git a/docs/notes/infrastructure/cross-account-transfer.md b/docs/notes/infrastructure/s3-cross-account-transfer.md similarity index 53% rename from docs/notes/infrastructure/cross-account-transfer.md rename to docs/notes/infrastructure/s3-cross-account-transfer.md index 62a4067..561d192 100644 --- a/docs/notes/infrastructure/cross-account-transfer.md +++ b/docs/notes/infrastructure/s3-cross-account-transfer.md @@ -1,5 +1,5 @@ --- -title: Cross-account data transfer +title: Cross-account data transfer in S3 tags: - AWS sources: 
@@ -49,11 +49,14 @@ To copy bucket contents from a bucket in account A to a bucket in account B: Now, you can run `aws s3 sync` as the account in account B, and access both buckets. -!!! warning - Whilst it might seem counter-intuitive, a **pull**-based transfer is significantly simpler than a **push**-based transfer. Notably, it avoids [issues](https://stackoverflow.com/a/63804619) with ownership issues and ACLs. +## ACLs - These can be solved by overwriting the file's ACLs to enforce the bucket owner owns the file: +Whilst it might seem counter-intuitive, a **pull**-based transfer is significantly simpler than a **push**-based transfer. Notably, it avoids [issues](https://stackoverflow.com/a/63804619) with ownership issues and ACLs. Bucket policies don't seem to apply if the object is owned by a different account, which is the case when ACLs are enabled and the object is written by a user not in the organisation (hence pull-based being best). - ``` - aws s3 cp --recursive 's3://` 's3://` --acl bucket-owner-full-control --metadata-directive REPLACE - ``` +These can be solved by overwriting the file's ACLs to enforce the bucket owner owns the file: + +``` +aws s3 cp --recursive 's3://` 's3://` --acl bucket-owner-full-control --metadata-directive REPLACE +``` + +It's then good practice to make sure the ACLs are as you expect (eg [`./manage.py fix_document_acls`](https://github.com/torchbox/wagtail-storages?tab=readme-ov-file#django-admin-fix_document_acls)).
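Review bot: the example command in the new fenced block of this hunk is not runnable as written: both bucket arguments are quoted as `'s3://`` (opening single quote, closing backtick) and neither carries a bucket name or prefix, so a reader copying the line gets a shell quoting error. Suggest spelling out the in-place copy the surrounding text describes, e.g. `aws s3 cp --recursive 's3://BUCKET/PREFIX' 's3://BUCKET/PREFIX' --acl bucket-owner-full-control --metadata-directive REPLACE`, and tagging the fence with a language (```` ```bash ````) so it renders with highlighting. Two smaller points in the same hunk: "avoids issues with ownership issues and ACLs" repeats "issues" (read "avoids ownership and ACL issues"), and the new "Bucket policies don't seem to apply..." sentence is the key reason the pull approach is recommended, so it would be worth stating it before the "These can be solved by" paragraph rather than appending it to the warning text, since "These" currently has no clear antecedent once the `!!! warning` admonition is removed.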