1
  1. Let's say I have 2 AWS accounts: Account1 and AccountZ
  2. I installed and configured s3cmd to have access to Account1.
  3. I created a bucket in AccountZ and made it publicly read/write
  4. I performed an s3cmd put of a text.txt from Account1 to s3://AccountZ/test.txt
  5. Then, after it uploaded, I tried to copy paste AccountZ/test.txt to a different bucket, and it says that there was an error ("The following objects were not copied due to errors from: <AccountZ folder>"). So, I tried to change the permissions to the file, and it says I don't have permissions to do that.
  6. If I "upload" a file using the S3 console into the AccountZ target directory, that resulting file IS copy/paste-able. So there seems to be an issue with the uploaded file due to the PUT.
  7. If I change the permissions config of s3cmd to be the key/secret of AccountZ, then the uploaded file's permissions work just fine and the copy/paste command is successful.

How do I upload/PUT a file to S3 so that I can then copy/paste the resulting file in the S3 console?

Kristian

2 Answers

2

When an object is uploaded to S3, the owner of the object is the account that created it. In this case, the owner of the object is Account1, even though the bucket exists in AccountZ. The default permissions on the object only allow it to be modified by the owner of the object (Account1). The only thing that AccountZ will be able to do with the object is delete it.

When you create a bucket policy, that policy will automatically apply to any objects in the bucket that are 'owned' by the same account that owns the bucket. Since AccountZ owns the bucket and Account1 owns the object, the bucket policy of public read/write isn't going to apply here.

Try specifying an ACL (e.g. 'public-read-write') when the object is uploaded. If you need to modify an object that has already been uploaded, try the PutObjectAcl call from the S3 API using Account1's credentials (http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPUTacl.html).

Scott Wolf
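
A simplified model of the object-ACL behaviour the answer above describes, as an added example that is not part of the original answer: it expands a canned ACL for an uploaded object and lists what the bucket owner (AccountZ) can then do with it. The canned ACL names are real S3 values; the function names are hypothetical, and the model ignores IAM policies, bucket policies and the bucket's Object Ownership setting.

```python
# Simplified model of S3 object ACL evaluation for a cross-account upload.
# Constructed for illustration: ignores IAM policies, bucket policies and
# the bucket's Object Ownership setting.

ALL_USERS = "AllUsers"  # stands in for the S3 AllUsers group grantee

# ACL permission -> object-level operations it allows
OPERATIONS = {
    "READ": {"GetObject"},
    "READ_ACP": {"GetObjectAcl"},
    "WRITE_ACP": {"PutObjectAcl"},
}
OPERATIONS["FULL_CONTROL"] = set().union(*OPERATIONS.values())


def canned_acl_grants(canned_acl, object_owner, bucket_owner):
    """Expand a canned ACL into {grantee: set of ACL permissions}."""
    grants = {object_owner: {"FULL_CONTROL"}}  # the uploader owns the object
    if canned_acl in ("public-read", "public-read-write"):
        # WRITE has no meaning on an object, so both reduce to public READ
        grants.setdefault(ALL_USERS, set()).add("READ")
    elif canned_acl == "bucket-owner-read":
        grants.setdefault(bucket_owner, set()).add("READ")
    elif canned_acl == "bucket-owner-full-control":
        grants.setdefault(bucket_owner, set()).add("FULL_CONTROL")
    elif canned_acl != "private":
        raise ValueError(f"unmodelled canned ACL: {canned_acl}")
    return grants


def allowed_operations(requester, canned_acl, object_owner, bucket_owner):
    """Return the operations `requester` may perform on the uploaded object."""
    grants = canned_acl_grants(canned_acl, object_owner, bucket_owner)
    allowed = set()
    for grantee in (requester, ALL_USERS):
        for permission in grants.get(grantee, ()):
            allowed |= OPERATIONS[permission]
    if requester == bucket_owner:
        allowed.add("DeleteObject")  # per the answer: the bucket owner can delete
    return allowed


if __name__ == "__main__":
    for acl in ("private", "public-read-write", "bucket-owner-full-control"):
        ops = allowed_operations("AccountZ", acl, "Account1", "AccountZ")
        print(f"{acl:26} -> AccountZ may: {sorted(ops)}")
```

With `public-read-write` the bucket owner can read (and therefore copy) the object but still cannot change its permissions; `bucket-owner-full-control` grants both without making the object public.
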
0

In a similar strategy to what @ScottWolf proposed, I had to do the following to solve my problem:

The solution was that I had to go add a bucket policy in the source data bucket (Account1) that gave permissions to the target. Then I had to re-configure my S3 API to use AccountZ's credentials and then just do a copy from Account1 to AccountZ.

Kristian