mirror of
https://github.com/RealOrangeOne/notes.git
synced 2024-12-22 12:05:58 +00:00
Expand on ACL issues
This commit is contained in:
parent
65e681742d
commit
4227e6da2f
1 changed files with 10 additions and 7 deletions
|
@ -1,5 +1,5 @@
|
||||||
---
|
---
|
||||||
title: Cross-account data transfer
|
title: Cross-account data transfer in S3
|
||||||
tags:
|
tags:
|
||||||
- AWS
|
- AWS
|
||||||
sources:
|
sources:
|
||||||
|
@ -49,11 +49,14 @@ To copy bucket contents from a bucket in account A to a bucket in account B:
|
||||||
|
|
||||||
Now, you can run `aws s3 sync` as the account in account B, and access both buckets.
|
Now, you can run `aws s3 sync` as the account in account B, and access both buckets.
|
||||||
|
|
||||||
!!! warning
|
## ACLs
|
||||||
Whilst it might seem counter-intuitive, a **pull**-based transfer is significantly simpler than a **push**-based transfer. Notably, it avoids [issues](https://stackoverflow.com/a/63804619) with ownership issues and ACLs.
|
|
||||||
|
Whilst it might seem counter-intuitive, a **pull**-based transfer is significantly simpler than a **push**-based transfer. Notably, it avoids [issues](https://stackoverflow.com/a/63804619) with ownership issues and ACLs. Bucket policies don't seem to apply if the object is owned by a different account, which is the case when ACLs are enabled and the object is written by a user not in the organisation (hence pull-based being best).
|
||||||
|
|
||||||
These can be solved by overwriting the file's ACLs to enforce the bucket owner owns the file:
|
These can be solved by overwriting the file's ACLs to enforce the bucket owner owns the file:
|
||||||
|
|
||||||
```
|
```
|
||||||
aws s3 cp --recursive 's3://<destination_bucket>` 's3://<destination_bucket>` --acl bucket-owner-full-control --metadata-directive REPLACE
|
aws s3 cp --recursive 's3://<destination_bucket>` 's3://<destination_bucket>` --acl bucket-owner-full-control --metadata-directive REPLACE
|
||||||
```
|
```
|
||||||
|
|
||||||
|
It's then good practice to make sure the ACLs are as you expect (eg [`./manage.py fix_document_acls`](https://github.com/torchbox/wagtail-storages?tab=readme-ov-file#django-admin-fix_document_acls)).
|
Loading…
Reference in a new issue