There are several ways to sync or copy content between S3 buckets. The Data Transfer Hub solution covered earlier is rather heavyweight, and S3 Replication requires S3 Versioning to be enabled on the buckets. This post walks through another option: the AWS DataSync service.

Lab architecture

The architecture used in this lab is shown below:

[Figure: DataSync.drawio.png (lab architecture diagram)]

Prerequisites

Account A: account ID AAAA-AAAA-AAAA, containing the S3 bucket garydes.

Account B: account ID BBBB-BBBB-BBBB, containing the S3 bucket iacstorage.

Tip: both buckets use the default configuration, with public access blocked.

1. Create an IAM role in account A with the CLI

Create the DataSync trust policy file:

cat > DataSync-Policy.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "datasync.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF

Create the IAM role from the CLI; the role name is datasyncs3bucketcopyrole:

aws iam create-role --role-name datasyncs3bucketcopyrole \
 --assume-role-policy-document file://DataSync-Policy.json \
 --region cn-northwest-1

Note the output of the create command (the role ARN is needed later):

{
    "Role": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17", 
            "Statement": [
                {
                    "Action": "sts:AssumeRole", 
                    "Effect": "Allow", 
                    "Principal": {
                        "Service": "datasync.amazonaws.com"
                    }
                }
            ]
        }, 
        "RoleId": "AROATFSKELFZMJCKCEB2C", 
        "CreateDate": "2023-02-23T08:14:55Z", 
        "RoleName": "datasyncs3bucketcopyrole", 
        "Path": "/", 
        "Arn": "arn:aws-cn:iam::AAAAAAAAAAAA:role/datasyncs3bucketcopyrole"
    }
}

Create the S3 permissions policy file that will be attached to the role:

cat > attachment-s3-policy.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws-cn:s3:::iacstorage"
    },
    {
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:ListMultipartUploadParts",
        "s3:PutObject",
        "s3:GetObjectTagging",
        "s3:PutObjectTagging"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws-cn:s3:::iacstorage/*"
    }
  ]
}
EOF

Create the IAM policy from that file:

aws iam create-policy --policy-name copypolicy \
 --policy-document file://attachment-s3-policy.json \
 --region cn-northwest-1

The output is:

{
    "Policy": {
        "PolicyName": "copypolicy", 
        "PermissionsBoundaryUsageCount": 0, 
        "CreateDate": "2023-02-23T09:54:18Z", 
        "AttachmentCount": 0, 
        "IsAttachable": true, 
        "PolicyId": "ANPATFSKELFZDATX2N2Z6", 
        "DefaultVersionId": "v1", 
        "Path": "/", 
        "Arn": "arn:aws-cn:iam::AAAAAAAAAAAA:policy/copypolicy", 
        "UpdateDate": "2023-02-23T09:54:18Z"
    }
}

Attach the policy to datasyncs3bucketcopyrole:

aws iam attach-role-policy \
    --policy-arn arn:aws-cn:iam::AAAAAAAAAAAA:policy/copypolicy \
    --role-name datasyncs3bucketcopyrole --region cn-northwest-1

In addition, also attach an AdministratorAccess policy.

2. Disable ACLs on the S3 bucket iacstorage in account B

In the S3 console, choose Buckets and click the bucket you want to edit.

[Figure: 2023-02-23-10-59-44-image.png]

On the bucket page, choose the Permissions tab, scroll down to Object Ownership, click Edit and set ACLs to Disabled.

[Figure: 2023-02-23-14-09-03-image.png]

3. Update the bucket policy of the S3 bucket in account B

On the bucket's Permissions page, find Bucket policy and choose Edit.

[Figure: 2023-02-23-14-19-03-image.png]

In the policy editor, add the following policy and click Save:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "DataSyncCreateS3LocationAndTaskAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws-cn:iam::AAAAAAAAAAAA:role/datasyncs3bucketcopyrole"
      },
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:ListMultipartUploadParts",
        "s3:PutObject",
        "s3:GetObjectTagging",
        "s3:PutObjectTagging"
      ],
      "Resource": [
        "arn:aws-cn:s3:::iacstorage",
        "arn:aws-cn:s3:::iacstorage/*"
      ]
    },
    {
      "Sid": "DataSyncCreateS3Location",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws-cn:iam::AAAAAAAAAAAA:user/garyguo"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws-cn:s3:::iacstorage"
    }
  ]
}

As shown below:

[Figure: 2023-02-23-14-32-17-image.png]

Tip: this example uses the AWS China regions, so the IAM role and S3 ARNs use the aws-cn partition.
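Steps 1 and 3 above hand-write three JSON documents whose ARNs, partition and account IDs must all agree, which is where cross-account setups usually go wrong (a wrong partition, a role ARN that does not match the bucket-policy principal, or a resource that is not the target bucket). The following Python script is an added example, not code from the post or from AWS: it generates the same three documents from a few parameters (the trust policy, the role's S3 access policy with the action list the post uses, and the destination bucket policy) and cross-checks them before anything is applied with `aws iam create-role` / `create-policy` / `put-bucket-policy`. The `Condition` block on the trust policy is an addition to the post's version and is an assumption about what you want; it restricts which DataSync resources may assume the role. The bucket policy is emitted with `"Version": "2012-10-17"` rather than the post's `2008-10-17`, and without the post's extra console-user statement. The account ID and names are the post's placeholders.

```python
"""Generate and cross-check the IAM documents for a cross-account DataSync copy.

Added example (not code from the original post or from AWS). Builds the DataSync
trust policy, the role's S3 access policy and the destination bucket policy from
parameters, then checks that they agree with each other.
"""
import json

# Action lists from the post, split by the resource they apply to.
BUCKET_ACTIONS = [
    "s3:GetBucketLocation", "s3:ListBucket", "s3:ListBucketMultipartUploads",
]
OBJECT_ACTIONS = [
    "s3:AbortMultipartUpload", "s3:DeleteObject", "s3:GetObject",
    "s3:ListMultipartUploadParts", "s3:PutObject",
    "s3:GetObjectTagging", "s3:PutObjectTagging",
]


def role_arn(partition, account, role):
    return f"arn:{partition}:iam::{account}:role/{role}"


def bucket_arn(partition, bucket):
    return f"arn:{partition}:s3:::{bucket}"


def trust_policy(partition, account):
    """Let the DataSync service assume the role, but only on behalf of DataSync
    resources in `account` (assumption: the Condition block is added here and is
    not part of the post's trust policy)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "datasync.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account},
                "ArnLike": {"aws:SourceArn": f"arn:{partition}:datasync:*:{account}:*"},
            },
        }],
    }


def s3_access_policy(partition, bucket):
    """Identity policy for the role, scoped to one bucket and its objects
    (equivalent of attachment-s3-policy.json in the post)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": BUCKET_ACTIONS,
             "Resource": bucket_arn(partition, bucket)},
            {"Effect": "Allow", "Action": OBJECT_ACTIONS,
             "Resource": bucket_arn(partition, bucket) + "/*"},
        ],
    }


def bucket_policy(partition, bucket, role_account, role):
    """Resource policy on the destination bucket (account B) granting the
    account-A role the same actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DataSyncCreateS3LocationAndTaskAccess",
            "Effect": "Allow",
            "Principal": {"AWS": role_arn(partition, role_account, role)},
            "Action": BUCKET_ACTIONS + OBJECT_ACTIONS,
            "Resource": [bucket_arn(partition, bucket),
                         bucket_arn(partition, bucket) + "/*"],
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_documents(trust, access, bucket_pol, partition, bucket, role_account, role):
    """Return a list of findings; an empty list means the documents are consistent."""
    findings = []
    expected_role = role_arn(partition, role_account, role)
    expected_bucket = bucket_arn(partition, bucket)

    if trust["Statement"][0]["Principal"] != {"Service": "datasync.amazonaws.com"}:
        findings.append("trust policy does not name the DataSync service principal")

    for doc_name, doc in (("access policy", access), ("bucket policy", bucket_pol)):
        for stmt in doc["Statement"]:
            for res in _as_list(stmt["Resource"]):
                # Every resource must be the target bucket or its objects, in the right partition.
                if res not in (expected_bucket, expected_bucket + "/*"):
                    findings.append(f"{doc_name}: resource outside target bucket: {res}")
            for act in _as_list(stmt["Action"]):
                if "*" in act:
                    findings.append(f"{doc_name}: wildcard action {act}")

    principals = [p for s in bucket_pol["Statement"]
                  for p in _as_list(s["Principal"].get("AWS", []))]
    if expected_role not in principals:
        findings.append(f"bucket policy does not grant the role {expected_role}")
    return findings


if __name__ == "__main__":
    # Placeholders from the post (12-character account ID, aws-cn partition).
    part, acct_a, bucket_b, role = "aws-cn", "AAAAAAAAAAAA", "iacstorage", "datasyncs3bucketcopyrole"
    trust, access = trust_policy(part, acct_a), s3_access_policy(part, bucket_b)
    bpol = bucket_policy(part, bucket_b, acct_a, role)
    print(json.dumps(bpol, indent=2))
    print("findings:", check_documents(trust, access, bpol, part, bucket_b, acct_a, role) or "none")
```

`check_documents` rejects any wildcard action and any resource outside the one destination bucket, so the scoped policy from step 1 passes while a broad managed policy such as AdministratorAccess (`"Action": "*"`) would not; write the generated documents to files and feed them to the same CLI commands the post uses.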

4. Create the destination location in the DataSync service in account A with the CLI

Use the following command to create the DataSync destination location in account A (note that the role ARN carries account A's 12-character account ID):

aws datasync create-location-s3 \
	--s3-bucket-arn arn:aws-cn:s3:::iacstorage \
	--region cn-northwest-1 \
	--s3-config '{"BucketAccessRoleArn":"arn:aws-cn:iam::AAAAAAAAAAAA:role/datasyncs3bucketcopyrole"}'

The output is:

{
    "LocationArn": "arn:aws-cn:datasync:cn-northwest-1:AAAAAAAAAAAA:location/loc-09f6450104f8e4b3c"
}

In the DataSync console, choose Locations; the destination location is now listed.

[Figure: 2023-02-23-16-37-19-image.png]

5. Create and start the DataSync task in account A

In the DataSync console, choose Tasks -> Create task.

[Figure: 2023-02-23-16-46-28-image.png]

On the Configure source location page, choose Create a new location, fill in the following and click Next:

Location type: Amazon S3

S3 bucket: garytestnx

IAM role: click Autogenerate

[Figure: 2023-02-23-21-10-44-image.png]

On the Configure destination location page, select Choose an existing location, pick the destination location created in step 4, and click Next.

[Figure: 2023-02-23-16-58-47-image.png]

On the Configure settings page, enter a task name, click Autogenerate for the task logging log group, keep the remaining defaults, and click Next.

[Figure: 2023-02-23-17-04-27-image.png]

On the Review page, check the settings and click Create task. After creation the task appears as shown below.

[Figure: 2023-02-23-21-11-44-image.png]

Select the task, click Actions, and choose Start.

[Figure: 2023-02-23-21-12-49-image.png]

The corresponding objects now appear in the destination S3 bucket.
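Checking the destination console for "the corresponding objects" is a visual spot check. The script below is an added example, not code from the post or from DataSync: it compares two listings in the JSON shape returned by `aws s3api list-objects-v2` (one for the source bucket garytestnx, one for the destination iacstorage) and reports keys missing from the destination, size mismatches, ETag differences and keys present only in the destination. The listings embedded in the script are constructed sample data, not real output. It also handles the one case that routinely confuses this check: a multipart ETag (one containing a `-`) depends on the part size used for the upload, so a differing ETag on such an object is not by itself evidence of a corrupted copy.

```python
"""Compare source and destination bucket listings after a DataSync task run.

Added example (not from the original post). Input is the JSON printed by
`aws s3api list-objects-v2 --bucket <name>`; the listings below are constructed.
"""
import json

# Constructed sample output for the source bucket (garytestnx, account A).
SOURCE_LISTING = json.dumps({"Contents": [
    {"Key": "data/a.csv", "Size": 1024, "ETag": "\"0cc175b9c0f1b6a831c399e269772661\""},
    {"Key": "data/b.bin", "Size": 20971520, "ETag": "\"9e107d9d372bb6826bd81d3542a419d6-3\""},
    {"Key": "data/c.txt", "Size": 12, "ETag": "\"92eb5ffee6ae2fec3ad71c777531578f\""},
]})
# Constructed sample output for the destination bucket (iacstorage, account B):
# c.txt was not copied, b.bin was re-uploaded with a different part size, and an
# unrelated old object is present.
DEST_LISTING = json.dumps({"Contents": [
    {"Key": "data/a.csv", "Size": 1024, "ETag": "\"0cc175b9c0f1b6a831c399e269772661\""},
    {"Key": "data/b.bin", "Size": 20971520, "ETag": "\"5d41402abc4b2a76b9719d911017c592-4\""},
    {"Key": "old/stale.log", "Size": 99, "ETag": "\"d41d8cd98f00b204e9800998ecf8427e\""},
]})


def parse_listing(text):
    """Map each key to (size, etag-without-quotes). An empty bucket has no Contents key."""
    doc = json.loads(text)
    return {o["Key"]: (o["Size"], o["ETag"].strip('"')) for o in doc.get("Contents", [])}


def compare_listings(source_json, dest_json):
    """Return a report dict with the keys missing, size_mismatch, etag_differs, extra."""
    src, dst = parse_listing(source_json), parse_listing(dest_json)
    report = {"missing": [], "size_mismatch": [], "etag_differs": [], "extra": []}
    for key, (size, etag) in src.items():
        if key not in dst:
            report["missing"].append(key)
            continue
        dsize, detag = dst[key]
        if dsize != size:
            report["size_mismatch"].append(key)
        elif etag != detag:
            # Flag multipart ETags separately: they depend on the upload part
            # size, so a difference there needs a content check, not an alarm.
            multipart = "-" in etag or "-" in detag
            report["etag_differs"].append((key, multipart))
    report["extra"] = sorted(set(dst) - set(src))
    return report


if __name__ == "__main__":
    # In practice: source_json = open("src.json").read() etc., saved from the CLI.
    print(json.dumps(compare_listings(SOURCE_LISTING, DEST_LISTING), indent=2))
```

Anything under `missing` or `size_mismatch` means the task did not produce a complete copy and its CloudWatch log group from step 5 is the place to look; `extra` keys are expected unless the task was configured to delete destination objects that are absent from the source.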

End of lab.