Comments (4)
@gpip when copying S3 objects between S3 accounts, the object metadata will be lost if you "push" the file. Instead, you need to "pull" the object.
There are 2 ways to copy an object between AWS accounts:
- "Push" the object to the target account's bucket.
  - Account B has the target bucket. You apply a bucket policy allowing Account A to write to the bucket.
  - In the Lambda function, you're executing as Account A, and you perform the copy.
- "Pull" the object from the source account's bucket.
  - Account A has the source bucket. You apply a bucket policy allowing Account B to read from the bucket.
  - In the Lambda function, you're executing as Account B, and you perform the copy. This means you need to use credentials in your Lambda function aside from the role the lambda function is executing as.
In the "Pull" case, the metadata should be copied correctly. I've dealt with AWS support on this issue and they say that you need to "pull" the file rather than "push" it. I received no indication from them if this will ever change.
from aws-lambda-copy-s3-objects.
@mwhouser awesome! Indeed, I was using the push model. Do you remember how you configured the bucket on Account A for this? I have a policy in place for allowing a specific user to read the bucket on Account A from the Account B, but I probably need a different policy (or a different setup) in order to display that bucket when creating an S3 trigger for the lambda func.
from aws-lambda-copy-s3-objects.
I've configured the bucket on Account A to allow `s3:Get*` and `s3:ListBucket` for the lambda role in Account B. I also configured an event notification on the bucket on Account A to send it to the lambda function, and this part is working. The lambda function is running on Account B and receiving the events, its role is configured to allow s3 operations but for some reason every execution fails due to access denied when trying to access the bucket on Account A.
I skipped the UI to configure the lambda function and instead used the aws cli for `lambda add-permission --action "lambda:InvokeFunction" --principal s3.amazonaws.com --source-arn ... --source-account ...` and this part seems to be working, as it's triggering the lambda func on Account B based on events happening on the bucket on Account A.
from aws-lambda-copy-s3-objects.
Ah, the bucket was configured to allow `s3:Get*` on `bucketname/*`, I missed that for just `bucketname` so get-bucket-tagging could run. Awesome, it's working now @mwhouser
from aws-lambda-copy-s3-objects.
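The access-denied cause found in the thread, as an added example that is not part of the original comments or the project's code: a simplified policy check showing that `s3:Get*` on `bucketname/*` does not cover a bucket-level call such as `s3:GetBucketTagging`, which is authorized against `bucketname` itself. The role ARN, account ID, object key and the exact statement layout are constructed placeholders.

```python
import copy
import fnmatch

ROLE = "arn:aws:iam::222222222222:role/example-lambda-role"  # placeholder
BUCKET = "arn:aws:s3:::bucketname"

# Constructed policy in the shape the thread describes: s3:Get* on objects only.
POLICY_BEFORE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE},
     "Action": "s3:Get*", "Resource": BUCKET + "/*"},
    {"Effect": "Allow", "Principal": {"AWS": ROLE},
     "Action": "s3:ListBucket", "Resource": BUCKET},
]}
# Corrected form: the Get* statement also names the bucket ARN itself.
POLICY_AFTER = copy.deepcopy(POLICY_BEFORE)
POLICY_AFTER["Statement"][0]["Resource"] = [BUCKET, BUCKET + "/*"]

# Calls the copy makes, with the ARN each one is authorized against.
NEEDED = {"s3:GetObject": BUCKET + "/some/key", "s3:ListBucket": BUCKET,
          "s3:GetBucketTagging": BUCKET}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allowed(policy, principal, action, resource):
    # Simplified: Deny, Condition, NotAction and NotResource are ignored.
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        p = st.get("Principal")
        who = ["*"] if p == "*" else _as_list((p or {}).get("AWS", []))
        if principal not in who and "*" not in who:
            continue
        # IAM action names are case-insensitive; resource ARNs are not.
        act_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                     for a in _as_list(st.get("Action", [])))
        res_ok = any(fnmatch.fnmatchcase(resource, r)
                     for r in _as_list(st.get("Resource", [])))
        if act_ok and res_ok:
            return True
    return False

def missing_grants(policy, principal=ROLE, needed=NEEDED):
    """Needed actions that no Allow statement covers on the right ARN."""
    return sorted(a for a, arn in needed.items()
                  if not allowed(policy, principal, a, arn))

if __name__ == "__main__":
    print(missing_grants(POLICY_BEFORE), missing_grants(POLICY_AFTER))
```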