Fixing S3 anonymously owned objects for full cross account access

"Principal": "*"
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicPutObject",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::<BUCKET_NAME>/*"
},
{
"Sid": "AllowAccessOurAccounts",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::<ACCT_1_ID>:root",
"arn:aws:iam::<ACCT_2_ID>:root"
]
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::<BUCKET_NAME>",
"arn:aws:s3:::<BUCKET_NAME>/*"
]
}
]
}
# Terminal transcript: recovering an object that an anonymous (unsigned) caller wrote
# into the bucket through the policy statement "Principal": "*" + s3:PutObject.
# Such an object is owned by the anonymous canonical user rather than by the bucket
# owner, so neither the bucket owner nor the accounts trusted in the policy can read
# it or change its ACL -- only the object owner can.
# Two identities are used below: the default profile (no --profile) and ${ACCT_1}.
# Which one is the bucket owner is not stated here; the failures/successes suggest
# ${ACCT_1} is -- confirm against the bucket's Owner.
# Hardening note (the root cause is the policy, not the object): an unconditional
# public PutObject grant lets anyone on the internet upload objects that lock the
# account out of its own data. Enable S3 Object Ownership = BucketOwnerEnforced
# (ACLs disabled, bucket owner owns every object) or at minimum require
# s3:x-amz-acl = bucket-owner-full-control in the PutObject statement's Condition.

# 1. Reads fail for both identities (HeadObject is the first call s3 cp makes).
aws s3 cp s3://${BUCKET}/${OBJ_KEY} .
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden
aws --profile ${ACCT_1} s3 cp s3://${BUCKET}/${OBJ_KEY} .
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden
# 2. Neither identity may even read the object ACL.
#    (The "An error occurred ..." output was fused onto the command line by extraction;
#    the same happened on the PutObjectAcl / GetObjectAcl lines further down.)
aws s3api get-object-acl --bucket ${BUCKET} --key ${OBJ_KEY}An error occurred (AccessDenied) when calling the GetObjectAcl operation: Access Denied
➜ aws --profile ${ACCT_1} s3api get-object-acl --bucket ${BUCKET} --key ${OBJ_KEY}An error occurred (AccessDenied) when calling the GetObjectAcl operation: Access Denied
# 3. list-objects reveals the owner: the default profile sees ID null, ${ACCT_1} sees a
#    canonical ID that belongs to none of our accounts (appears to be the ID S3 reports
#    for anonymously written objects -- confirm).
aws s3api list-objects --bucket ${BUCKET} --query 'Contents[*].{Name:"Key",ID:Owner.ID,Class:StorageClass}'| grep -B1 -A3 ${OBJ_KEY}    {
"Name": "<OBJ_KEY_NAME>",
"ID": null,
"Class": "STANDARD"
},
aws --profile ${ACCT_1} s3api list-objects --bucket ${BUCKET} --query 'Contents[*].{Name:"Key",ID:Owner.ID,Class:StorageClass}'| grep -B1 -A3 ${OBJ_KEY}
{
"Name": "<OBJ_KEY_NAME>",
"ID": "65a011a29cdf8ec533ec3d1ccaae921c",
"Class": "STANDARD"
},
# 4. A signed PutObjectAcl is denied for both identities: ACL changes are reserved to the
#    object owner, and neither identity is the owner.
aws s3api put-object-acl --bucket ${BUCKET} --acl bucket-owner-full-control --key ${OBJ_KEY}An error occurred (AccessDenied) when calling the PutObjectAcl operation: Access Denied
aws --profile ${ACCT_1} s3api put-object-acl --bucket ${BUCKET} --acl bucket-owner-full-control --key ${OBJ_KEY}An error occurred (AccessDenied) when calling the PutObjectAcl operation: Access Denied
# 5. The same call sent UNSIGNED acts as the anonymous principal -- i.e. as the object
#    owner -- and succeeds (no output). This only works while the bucket policy still
#    grants anonymous access, the very hole that created the problem; close it once
#    the objects are recovered.
aws s3api put-object-acl --bucket ${BUCKET} --acl bucket-owner-full-control --key ${OBJ_KEY} --no-sign-request
# 6. The ACL now carries a FULL_CONTROL grant for the bucket owner in addition to the
#    anonymous owner. ${ACCT_1} can read it; the default profile still cannot.
aws s3api get-object-acl --bucket ${BUCKET} --key ${OBJ_KEY}An error occurred (AccessDenied) when calling the GetObjectAcl operation: Access Denied
➜ aws --profile ${ACCT_1} s3api get-object-acl --bucket ${BUCKET} --key ${OBJ_KEY}
{
"Owner": {
"ID": "65a011a29cdf8ec533ec3d1ccaae921c"
},
"Grants": [
{
"Grantee": {
"ID": "65a011a29cdf8ec533ec3d1ccaae921c",
"Type": "CanonicalUser"
},
"Permission": "FULL_CONTROL"
},
{
"Grantee": {
"DisplayName": "<YOUR_ACCOUNT_NAME>",
"ID": "<YOUR_ACCOUNT_ID>",
"Type": "CanonicalUser"
},
"Permission": "FULL_CONTROL"
}
]
}
# 7. Download still fails for the default profile but now works for ${ACCT_1}.
#    (This line uses a literal key where every other command uses ${OBJ_KEY}.)
aws s3 cp s3://${BUCKET}/2258/scripts-2.17.0.11-RELEASE.zip .
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden
aws --profile ${ACCT_1} s3 cp s3://${BUCKET}/${OBJ_KEY} .
download: s3://<BUCKET>/<OBJ_KEY> to ./<FILENAME>
# 8. Copying the object onto itself as ${ACCT_1} re-creates it under ${ACCT_1}'s
#    ownership with a fresh default ACL. --storage-class STANDARD presumably makes the
#    copy a real change instead of a rejected no-op -- confirm.
aws --profile ${ACCT_1} s3 cp s3://${BUCKET}/${OBJ_KEY} s3://${BUCKET}/${OBJ_KEY} --storage-class STANDARD
# 9. With ${ACCT_1} as owner, the default profile (trusted by the bucket policy) can
#    read the object, and both listing and ACL now show only ${ACCT_1}.
aws s3 cp s3://${BUCKET}/${OBJ_KEY} .
download: s3://<BUCKET>/<OBJ_KEY> to ./<FILENAME>
aws s3api list-objects --bucket ${BUCKET} --query 'Contents[*].{Name:"Key",ID:Owner.ID,Class:StorageClass}'| grep -B1 -A3 ${OBJ_KEY}
{
"Name": "<OBJ_KEY>",
"ID": "<ACCT_1_OWNER_ID>",
"Class": "STANDARD"
},
aws s3api get-object-acl --bucket ${BUCKET} --key ${OBJ_KEY}
{
"Owner": {
"DisplayName": "<ACCT_1_OWNER_NAME>",
"ID": "<ACCT_1_OWNER_ID>"
},
"Grants": [
{
"Grantee": {
"DisplayName": "<ACCT_1_OWNER_NAME>",
"ID": "<ACCT_1_OWNER_ID>",
"Type": "CanonicalUser"
},
"Permission": "FULL_CONTROL"
}
]
}
