
Unable to upload to S3 bucket owned by another AWS account even with write permissions #590

Closed
sarahwooders opened this issue Sep 30, 2022 · 1 comment
Labels
bug Something isn't working

Comments

@sarahwooders
Contributor

I have a case where AWS account A has read permissions to S3 bucket A and is trying to write to S3 bucket B, owned by AWS account B, which grants read/write permission to A. The bucket policy says the following:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "...",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::B"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::bucket",
                "arn:aws:s3:::bucket/*"
            ]
        }
    ]
}
```

Running `skyplane cp -r s3://bucket-A/ s3://bucket-B/` throws the error

```
❌ AWSServer(region_tag=aws:us-east-1, instance_id=i-0c35275fe4ef69016) encountered error:
Traceback (most recent call last):
  File "/pkg/skyplane/gateway/gateway_obj_store.py", line 95, in worker_loop
    retry_backoff(
  File "/pkg/skyplane/utils/retry.py", line 30, in retry_backoff
    raise e
  File "/pkg/skyplane/utils/retry.py", line 27, in retry_backoff
    return fn()
  File "/pkg/skyplane/utils/imports.py", line 33, in wrapped
    return fn(*modules_imported, *args, **kwargs)
  File "/pkg/skyplane/obj_store/s3_interface.py", line 167, in upload_object
    s3_client.upload_part(
  File "/usr/local/lib/python3.10/site-packages/botocore/client.py", line 514, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python3.10/site-packages/botocore/client.py", line 938, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the UploadPart operation: Access Denied
```

The AWS CLI command `aws cp --recursive s3://bucket-A/ s3://bucket-B/` works fine (authenticated with account A).

I looked into it a bit and it seems like multipart uploads require KMS permissions aws/aws-cli#4251. This might be a common use-case worth looking into.
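The following is an added example (not part of the issue, and not Skyplane code) that models the permission question the report raises: a bucket policy granting `s3:*` to the other account covers the S3 side of a multipart upload, but when the destination bucket is encrypted with a customer-managed KMS key, `UploadPart` also needs `kms:GenerateDataKey` and `kms:Decrypt` on that key, which live in the key policy rather than the bucket policy. The policies, account ids (`111111111111`, `222222222222`), bucket name and key ARN below are constructed placeholders; the evaluator is deliberately simplified (no `Condition` handling, `Principal.AWS` only, explicit Deny beats Allow) and checks only the resource-policy side, so for a cross-account call the caller's own IAM identity policy must also allow the same actions.

```python
import fnmatch
import json

# Constructed placeholders standing in for the elided ids in the issue.
ACCOUNT_A = "111111111111"  # uploading account
ACCOUNT_B = "222222222222"  # bucket (and KMS key) owner
BUCKET = "bucket-B"

# Constructed bucket policy shaped like the one in the issue: account A gets s3:*.
BUCKET_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAccountA",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::bucket-B", "arn:aws:s3:::bucket-B/*"]
        }
    ]
}
""")

# Constructed key policy for the bucket's SSE-KMS key: only the owner account
# is granted anything, which is the default shape of a new key policy.
KEY_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "KeyOwner",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
            "Action": "kms:*",
            "Resource": "*"
        }
    ]
}
""")

# CreateMultipartUpload, UploadPart and CompleteMultipartUpload are all
# authorised through s3:PutObject; abort/list are needed for cleanup and retries.
MULTIPART_S3_ACTIONS = ["s3:PutObject", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"]
# Extra KMS actions a multipart upload needs when the bucket uses SSE-KMS.
MULTIPART_KMS_ACTIONS = ["kms:GenerateDataKey", "kms:Decrypt"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn):
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    return any(p in ("*", caller_arn) for p in _as_list(principal.get("AWS", [])))


def policy_allows(policy, caller_arn, action, resource):
    """Simplified resource-policy evaluation: a matching Deny wins outright,
    otherwise any matching Allow grants. '*' wildcards in Action/Resource are
    honoured via fnmatch; Condition blocks are ignored."""
    allowed = False
    for st in policy["Statement"]:
        if not _principal_matches(st.get("Principal", {}), caller_arn):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_for_multipart_upload(bucket_policy, key_policy, caller_arn, bucket, key, sse_kms_key_arn=None):
    """Return (action, resource) pairs the caller still lacks for a multipart
    upload of s3://bucket/key. Pass the bucket's KMS key ARN when the bucket
    is encrypted with SSE-KMS; an empty list means the resource policies allow it."""
    obj_arn = f"arn:aws:s3:::{bucket}/{key}"
    missing = [(a, obj_arn) for a in MULTIPART_S3_ACTIONS
               if not policy_allows(bucket_policy, caller_arn, a, obj_arn)]
    if sse_kms_key_arn:
        missing += [(a, sse_kms_key_arn) for a in MULTIPART_KMS_ACTIONS
                    if not policy_allows(key_policy, caller_arn, a, sse_kms_key_arn)]
    return missing


if __name__ == "__main__":
    caller = f"arn:aws:iam::{ACCOUNT_A}:root"
    key_arn = f"arn:aws:kms:us-east-1:{ACCOUNT_B}:key/00000000-0000-0000-0000-000000000000"
    print("plain bucket:", missing_for_multipart_upload(BUCKET_POLICY, KEY_POLICY, caller, BUCKET, "dir/file"))
    print("SSE-KMS bucket:", missing_for_multipart_upload(BUCKET_POLICY, KEY_POLICY, caller, BUCKET, "dir/file", key_arn))
```

With the constructed inputs the plain-bucket check comes back empty while the SSE-KMS check reports the two missing KMS actions, which is the AccessDenied-on-UploadPart pattern the report describes; adding a statement for account A to the key policy (and the matching `kms:` actions to account A's IAM policy) clears it.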

@sarahwooders sarahwooders added the bug Something isn't working label Sep 30, 2022
@sarahwooders sarahwooders changed the title Unable to upload to another user's bucket Unable to upload to S3 bucket owned by another AWS account even with write permissions Sep 30, 2022
@sarahwooders
Contributor Author

Closing since stale
