AWS Datasync S3 -> S3 cross account, confused about destination role/account
I want to use Datasync to copy data from a single S3 bucket in one account to a single S3 bucket in another account. I'm following this official AWS Datasync blog: https://aws.amazon.com/blogs/storage/how-to-use-aws-datasync-to-migrate-data-between-amazon-s3-buckets/ in the second section "Copying objects across accounts".

I've set up the source and destination buckets, and

  • done the initial steps to "Create a new IAM role and attach a new IAM policy for the source S3 bucket location" and
  • "Add the following trust relationship to the IAM role" (you can see where I mean in the blog by searching for those strings in quotes) but
  • I'm now confused about which account to use to "Open the source S3 bucket policy and apply the following policy to grant permissions for the IAM role to access the objects" and
  • which account to use to run the AWS CLI command "aws sts get-caller-identity" and
  • then the "aws datasync create-location-s3" command straight after that. Am I doing those on the source or destination accounts?

The blog is a bit confusing and unclear on those specific steps and I can't find a simpler guide anywhere.

Codger answered 17/8, 2021 at 17:30 Comment(1)
same issue here - Medicament

The source S3 bucket policy is attached to the source S3 bucket, so you'll need to log into the source account to edit that.

The next steps have to be done from the CLI. The wording is a bit ambiguous but the key phrase is "ensure you’re using the same IAM identity you specified in the source S3 bucket policy created in the preceding step." The IAM identity referenced in the example S3 bucket policy is arn:aws:iam::DEST-ACCOUNT-ID:role/DEST-ACCOUNT-USER so you need to be authenticated to the destination account for the CLI steps. The aws sts get-caller-identity command just returns the identity used to execute the command, so it's there to confirm that you're using the expected identity rather than being strictly required for setting up the datasync location.

It's not explicitly mentioned in the tutorial but of course the user in the destination account needs appropriate IAM permissions to create the datasync locations and task.

It may help to think of it this way: you need to allow a role in the destination account to access the bucket in the source account, then you're setting up the Datasync locations and tasks in the destination account. So anything related to Datasync config needs to happen in the destination account.

Auditor answered 18/8, 2021 at 0:17 Comment(8)
Thank you, that got me a lot further. Having logged into the destination account via the CLI as the dest account user, and run the command given in the blog: aws datasync create-location-s3 --s3-bucket-arn arn:aws:s3:::SOURCEBUCKET --s3-config '{"BucketAccessRoleArn":"arn:aws:iam::DEST-ACCOUNT-ID:role/DEST-ACCOUNT-ROLE"}' the response I get is: An error occurred (InvalidRequestException) when calling the CreateLocationS3 operation: Please provide a bucket in the sa-east-1 region where DataSync is currently used. Blog says specify source bucket, which I did. Any thoughts please? - Codger
Is sa-east-1 the default region for the credentials you're using? S3 buckets have a "home" region. I think you need to specify the region for the S3 source bucket using the --region option for aws datasync create-location-s3. - Auditor
Same issue for me; nothing described actually works. - Medicament
@Medicament Hard to help if we don't have an error message to work with, can you be more specific about what you're seeing? Are you getting the region error that Alex described? - Auditor
I added the error below. None of the suggestions above actually work when the description is followed to the dot. Clearly, some unmentioned configs/actions are set that allow the creation of a LocationS3 via the destination account. Please don't suggest adding the region flag again. - Medicament
@Medicament Make sure that both the role you create in the destination account and the user you're using to execute the create-location-s3 command are listed in the source bucket policy. The user ARN is returned from the aws sts get-caller-identity command. Both the role and the user need to be in the source bucket policy. When I omitted the user ARN, I got the "please provide a bucket in the xxx region" error even though I specified the source bucket home region with the --region option. - Auditor
Thanks for this answer @jscott. I ran into a similar problem when following the tutorial at docs.aws.amazon.com/datasync/latest/userguide/…. I saw "An error occurred (InvalidRequestException) when calling the CreateLocationS3 operation: DataSync location access test failed: could not perform s3:HeadBucket on bucket 829423945581-strapi-en-media-library. Access denied. Ensure bucket access role has s3:ListBucket permission.". I had to run the CLI command while logged in as a user that had assumed the role created in Step 1 of the tutorial. - Dominga
AWS also mentions this at docs.aws.amazon.com/datasync/latest/userguide/… - Dominga

For me this did the trick but then I got another error

An error occurred (InvalidRequestException) when calling the CreateLocationS3 operation: DataSync location access test failed: could not perform s3:GetObject in bucket some-bucket. Access denied. Ensure bucket access role has s3:GetObject permission.

Even though the permissions were correctly set on the bucket/role. The problem was that the bucket was also encrypted with a KMS key, which I easily solved with the solution found here.
I wish I had seen my answer here, as I would have spent at least an hour less debugging.

Particle answered 19/1, 2023 at 22:28 Comment(0)

DOES NOT WORK! - https://aws.amazon.com/blogs/storage/how-to-use-aws-datasync-to-migrate-data-between-amazon-s3-buckets/

1) DESTINATION ROLE

  • create the necessary IAM roles in the account where the destination S3 bucket is located
  • Log in to the destination account and create an IAM role for the AWS DataSync
  DESTINATION-ROLE:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                - datasync.amazonaws.com
      Path: '/'
      RoleName: DESTINATION-ROLE
  DESTINATION-POLICY:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: DESTINATION-POLICY
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action:
              - s3:GetBucketLocation
              - s3:ListBucket
              - s3:ListBucketMultipartUploads
            Effect: Allow
            Resource: arn:aws:s3:::SOURCEBUCKET
          - Action:
              - s3:AbortMultipartUpload
              - s3:DeleteObject
              - s3:GetObject
              - s3:ListMultipartUploadParts
              - s3:PutObjectTagging
              - s3:GetObjectTagging
              - s3:PutObject
            Effect: Allow
            Resource: arn:aws:s3:::SOURCEBUCKET/*
      Roles:
        - Ref: DESTINATION-ROLE

2) SOURCE S3 POLICY

  • Copy the ARN for the IAM role you created for the source S3 bucket location.
  • Now, log in to the source account.
  • Open the source S3 bucket policy and apply the following policy to grant permissions for the IAM role
Version: '2012-10-17'
Statement:
  - Sid: BucketPolicyForDataSync
    Effect: Allow
    Principal:
      AWS:
        - arn:aws:iam::DEST-ACCOUNT-ID:role/DESTINATION-ROLE
    Action:
      - s3:GetBucketLocation
      - s3:ListBucket
      - s3:ListBucketMultipartUploads
      - s3:AbortMultipartUpload
      - s3:DeleteObject
      - s3:GetObject
      - s3:ListMultipartUploadParts
      - s3:PutObject
      - s3:GetObjectTagging
      - s3:PutObjectTagging
    Resource:
      - arn:aws:s3:::SOURCEBUCKET
      - arn:aws:s3:::SOURCEBUCKET/*

3) CLI INVOCATION

  • Now, launch the AWS CLI (from the source account)...
aws datasync create-location-s3                       \
    --s3-bucket-arn    'arn:aws:s3:::SOURCEBUCKET'    \
    --region           'us-east-1'                    \
    --s3-config '
        {
            "BucketAccessRoleArn":
                "arn:aws:iam::DEST-ACCOUNT-ID:role/DESTINATION-ROLE"
        }
    '

3.1) ERROR Source Account

An error occurred (AccessDeniedException) when calling the CreateLocationS3 operation: Cross-account pass role is not allowed.

3.2) ERROR Destination Account

An error occurred (InvalidRequestException) when calling the CreateLocationS3 operation: Please provide a bucket in the us-east-1 region where DataSync is currently used.
Medicament answered 3/9, 2021 at 15:5 Comment(2)
The error I get is: "Invalid request provided: Please provide a bucket in the us-east-1 region where DataSync is currently used." Although it is deployed in us-east-1 in the destination account. - Medicament
If it does not work... delete it? - Calash

If you are running this via AWS CLI using your own AWS user credentials for the source account, make sure that your user is granted ListBucket permissions in the destination bucket permissions. (You will probably add this from the AWS console in the destination account):

{
  "Sid": "UserDataSyncCreateS3Location",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::112233445566:user/my-user-name"
  },
  "Action": "s3:ListBucket",
  "Resource": "arn:aws:s3:::this-destination-bucket"
}
Egide answered 27/4, 2023 at 23:29 Comment(0)

I had the same issue and got a fix, though I was receiving the same error message

"An error occurred (InvalidRequestException) when calling the CreateLocationS3 operation: Please provide a bucket in the us-east-2 region where DataSync is currently used".

You need to pass the --region flag and put the region in which the source bucket is located. So look at the source bucket view and get the region.

Isoagglutinin answered 4/9, 2021 at 15:56 Comment(6)
I added --region and it still does not work. Attempting this in the destination account using the source bucket region and the destination access role. - Medicament
@bad_coder, clearly, adding the region flag does not cut it. - Medicament
@Medicament I just edited the post on the review queue; this is not my area of expertise. - Juliojulis
>> SOLUTION << The role deploying this needs to have at least s3:ListBucket permissions in the SourceS3Policy. - Medicament
@Medicament thank you so much! Your comment above saved me. Stupid error from AWS is so confusing and very unhelpful. - Amberly
@Medicament can you elaborate more on how you solved it? What do you mean by "The role deploying": is it the user executing the command, or which role? I tried a dozen combinations and I still get the cross-account pass role is not allowed error. - Slovakia

What I saw works was to:

  1. Run the CLI command in the destination account
  2. When you are running the CLI command, you should make sure that the ARN of the user/botocore session with which you are running the CLI command has access to the source bucket with, as said by @gph, at least s3:ListBucket. What I found tricky: in case you do not run the CLI command with a user, but using some roles, you need to make sure to grant permission to the botocore session after assuming a role in the source account. Of course, the permission is as short-lived as the botocore session duration, but at least it helps you create the location if you don't want to log in with an IAM user.
Insufficient answered 5/1, 2022 at 14:24 Comment(2)
I'm running the CLI using roles. You said I should grant permission to the botocore session... But how can I find the botocore session ARN? - Fredfreda
docs.aws.amazon.com/cli/latest/reference/sts/… - Insufficient
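A pre-flight check for the point made in Auditor's comments, in the ">> SOLUTION <<" comment and in the answer just above: the source bucket policy must list both the DataSync role from the destination account and the identity that runs aws datasync create-location-s3 (the Arn from aws sts get-caller-identity, an IAM user or an STS assumed-role session), or the CreateLocationS3 access test fails. This is an added example, not code from the thread or from AWS; the account IDs, bucket and role names are constructed placeholders, and allows() is a literal exact-match scan of the policy, not an IAM policy evaluator.

```python
"""Build and pre-check the source-bucket policy for a cross-account DataSync S3 location.
Account IDs, bucket and role names used below are constructed placeholders."""
# Bucket-level and object-level actions from the blog's example bucket policy.
BUCKET_ACTIONS = ["s3:GetBucketLocation", "s3:ListBucket", "s3:ListBucketMultipartUploads"]
OBJECT_ACTIONS = ["s3:AbortMultipartUpload", "s3:DeleteObject", "s3:GetObject",
                  "s3:ListMultipartUploadParts", "s3:PutObject",
                  "s3:GetObjectTagging", "s3:PutObjectTagging"]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def allows(policy, principal_arn, action, resource):
    """True if an Allow statement names this principal, action and resource. Exact matches
    only (no wildcards, conditions or Deny handling): enough for the literal policies in
    this thread, not a substitute for the IAM policy simulator."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if (principal_arn in _as_list(st.get("Principal", {}).get("AWS", []))
                and action in _as_list(st["Action"])
                and resource in _as_list(st["Resource"])):
            return True
    return False

def missing_grants(policy, bucket, datasync_role_arn, caller_arn):
    """Grants the CreateLocationS3 access test depends on: the DataSync role needs the full
    action set; the identity running the CLI (the Arn from `aws sts get-caller-identity`,
    an IAM user or an STS assumed-role session) needs s3:ListBucket on the bucket."""
    bucket_arn, objects_arn = f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"
    wanted = [(datasync_role_arn, a, bucket_arn) for a in BUCKET_ACTIONS]
    wanted += [(datasync_role_arn, a, objects_arn) for a in OBJECT_ACTIONS]
    wanted.append((caller_arn, "s3:ListBucket", bucket_arn))
    return [w for w in wanted if not allows(policy, *w)]

def source_bucket_policy(bucket, datasync_role_arn, caller_arn):
    """Full grant for the DataSync role; ListBucket-only grant for the CLI caller."""
    bucket_arn, objects_arn = f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "BucketPolicyForDataSync", "Effect": "Allow",
         "Principal": {"AWS": datasync_role_arn},
         "Action": BUCKET_ACTIONS + OBJECT_ACTIONS, "Resource": [bucket_arn, objects_arn]},
        {"Sid": "CallerListBucketForLocationTest", "Effect": "Allow",
         "Principal": {"AWS": caller_arn}, "Action": "s3:ListBucket", "Resource": bucket_arn}]}

if __name__ == "__main__":
    role = "arn:aws:iam::111111111111:role/DESTINATION-ROLE"             # placeholder
    caller = "arn:aws:sts::111111111111:assumed-role/Admin/cli-session"  # placeholder
    policy = source_bucket_policy("SOURCEBUCKET", role, caller)
    print(missing_grants(policy, "SOURCEBUCKET", role, caller))  # [] once both are listed
```

Running missing_grants() against the blog's role-only policy returns the caller's missing s3:ListBucket grant, which is the gap behind the "please provide a bucket in the ... region" error described in the comments.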
