Search code examples
amazon-web-servicesamazon-s3file-permissions

Amazon S3 File Permissions, Access Denied when copied from another account

I have a set of video files that were copied from one AWS Bucket from another account to my account in my own bucket.

I'm running into a problem now with all of the files where i am receiving Access Denied errors when I try to make all of the files public.

Specifically, I login to my AWS account, go into S3, drill down through the folder structures to locate one of the videos files.

When I look at this specificfile, the permissions tab on the files does not show any permissions assigned to anyone. No users, groups, or system permissions have been assigned.

At the bottom of the Permissions tab, I see a small box that says "Error: Access Denied". I can't change anything about the file. I can't add meta-data. I can't add a user to the file. I cannot make the file Public.

Is there a way i can gain control of these files so that I can make them public? There are over 15,000 files / around 60GBs of files. I'd like to avoid downloading and reuploading all of the files.

With some assistance and suggestions from the folks here I have tried the following. I made a new folder in my bucket called "media".

I tried this command: 

aws s3 cp s3://mybucket/2014/09/17/thumb.jpg s3://mybucket/media --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers full=emailaddress=my_aws_account_email_address

I receive a fatal error 403 when calling the HeadObject operation: Forbidden.

Solution

  • A very interesting conundrum! Fortunately, there is a solution.

    First, a recap:

    • Bucket A in Account A
    • Bucket B in Account B
    • User in Account A copies objects to Bucket B (having been granted appropriate permissions to do so)
    • Objects in Bucket B still belong to Account A and cannot be accessed by Account B

    I managed to reproduce this and can confirm that users in Account B cannot access the file -- not even the root user in Account B!

    Fortunately, things can be fixed. The aws s3 cp command in the AWS Command-Line Interface (CLI) can update permissions on a file when copied to the same name. However, to trigger this, you also have to update something else otherwise you get this error:

    This copy request is illegal because it is trying to copy an object to itself without changing the object's metadata, storage class, website redirect location or encryption attributes.

    Therefore, the permissions can be updated with this command:

    aws s3 cp s3://my-bucket/ s3://my-bucket/ --recursive --acl bucket-owner-full-control --metadata "One=Two"
    • Must be run by an Account A user that has access permissions to the objects (eg the user who originally copied the objects to Bucket B)
    • The metadata content is unimportant, but needed to force the update
    • --acl bucket-owner-full-control will grant permission to Account B so you'll be able to use the objects as normal

    End result: A bucket you can use!