# account1 (source) session: a resource for the object handle, a client for SourceClient
self.source_session = boto3.session.Session(profile_name='account1')
self.source_conn = self.source_session.resource('s3')
self.src_conn = self.source_session.client('s3')
# account2 (destination) client: this is the client that calls copy
self.dest_session = boto3.session.Session(profile_name='account2')
self.dest_conn = self.dest_session.client('s3')
k = self.source_conn.Object(srcBucketName, key_name)
print('copy: ' + k.key)
copy_source = {'Bucket': srcBucketName, 'Key': k.key}
self.dest_conn.copy(copy_source, dstBucketName, k.key, SourceClient=self.src_conn)
Error -
ClientError: An error occurred (AccessDenied) when calling the CopyObject operation: Access Denied
You will still need the main client to have permission to copy the objects in the source account. The source client is used for listing / describing the source objects.
Can you provide an example of a copy command that uses two main clients?
@lokureddy Here's an example of granting cross account permissions. The client you call copy with needs to have GetObject permissions at least for the objects in question.
To be clear, your code is perfectly fine. You can also use a single client if you would prefer, though you would need to give it permission to call HeadObject as well:
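import boto3

# profile_name must be passed by keyword; the first positional argument is an access key id
sess = boto3.session.Session(profile_name='account2')
s3 = sess.client('s3')
copy_source = {'Bucket': 'source-bucket', 'Key': 'source-key'}
s3.copy(copy_source, 'dest-bucket', 'key')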
Thanks, got it. s3_copy only works if both buckets can be accessed with a single key. I modified my script to download and copy instead of copying from bucket to bucket.
Yes, you do need to have a single set of credentials that can access the object in the source bucket and the object in the destination bucket. The benefit of the source client is delegating away listing / heading objects.
This tutorial worked for me: https://blog.vizuri.com/how-to-copy/move-objects-from-one-s3-bucket-to-another-between-aws-accounts . I needed a policy in the S3 source bucket and a role policy in the destination account with both the source and the destination buckets as resources. In other cases the error is more meaningful and related to the needed policies, but just a CopyDenied error is a bit confusing.
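The two policies the comments above describe (a bucket policy on the source bucket, and a role policy in the destination account naming both buckets), with a simplified check of what a single set of credentials still lacks for the copy. This is an added example, not code from the thread or from boto3; the bucket names, the role ARN and the helper functions are constructed for illustration, and the check models plain Allow statements only.

```python
from fnmatch import fnmatchcase

def source_bucket_policy(src_bucket, dest_principal_arn):
    """Attach to the SOURCE bucket: lets the destination principal read objects.
    s3:GetObject authorizes both the HeadObject call and the CopyObject read."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": dest_principal_arn},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{src_bucket}/*",
    }]}

def dest_identity_policy(src_bucket, dst_bucket):
    """Attach to the DESTINATION principal: names both buckets as resources."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": f"arn:aws:s3:::{src_bucket}/*"},
        {"Effect": "Allow", "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{dst_bucket}/*"},
    ]}

def allows(policy, action, resource, principal=None):
    """Simplified: Allow statements only; no Deny, conditions or action wildcards."""
    for s in policy["Statement"]:
        who = s.get("Principal", {}).get("AWS")  # absent in identity policies
        if (s["Effect"] == "Allow" and s["Action"] == action
                and fnmatchcase(resource, s["Resource"])
                and (who is None or who == principal)):
            return True
    return False

def missing_for_copy(bucket_policy, identity_policy, principal, src, dst, key):
    """List what the single calling principal still lacks for s3.copy(src -> dst)."""
    src_obj, dst_obj = f"arn:aws:s3:::{src}/{key}", f"arn:aws:s3:::{dst}/{key}"
    checks = [
        ("source bucket policy: s3:GetObject", bucket_policy, "s3:GetObject", src_obj),
        ("identity policy: s3:GetObject on source", identity_policy, "s3:GetObject", src_obj),
        ("identity policy: s3:PutObject on destination", identity_policy, "s3:PutObject", dst_obj),
    ]
    return [label for label, pol, act, res in checks
            if not allows(pol, act, res, principal)]

if __name__ == "__main__":
    role = "arn:aws:iam::222222222222:role/copy-role"  # constructed placeholder
    bp = source_bucket_policy("source-bucket", role)
    ip = dest_identity_policy("source-bucket", "dest-bucket")
    print(missing_for_copy(bp, ip, role, "source-bucket", "dest-bucket", "k"))
    print(missing_for_copy({"Statement": []}, ip, role, "source-bucket", "dest-bucket", "k"))
```

Any non-empty result corresponds to the bare AccessDenied on CopyObject reported at the top of the thread, since S3 does not say which side of the cross-account grant is missing.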
The documentation for SourceClient is quite vague:
The client to be used for operation that may happen at the source object. For example, this client is used for the head_object that determines the size of the copy.
A user might reasonably infer that the SourceClient is used for reading the source object.
After reading issues/1310 (_this_ issue), it seems to me that the official boto3 documentation is deficient and misleading. If the underlying client/session credentials are used to both read the source objects _and_ write the target objects, rather than SourceClient being used for the former, then the documentation would ideally state this very clearly. Would you consider updating the documentation to clarify this?