I'm not sure how appropriate it is to post this problem here, but unfortunately I'm pretty much at the end of my ideas.
There is a syslog server that collects the logs. Every hour, using logrotate, I upload the rotated log files to an S3 bucket under account "A".
That much works. On the S3 bucket I set up a policy so that it replicates to account "B" (backup).
Now, this replication does not happen.
I have already added everyone's canonical ID to both buckets. After each change I create new test files. Nothing happens.
With aws s3api I get no further than the replication status: failed message.
The external_account_who_write_the_files IAM accounts are the ones the syslog servers are in. That is where the first-stage upload to account "A" happens.
Here is the source bucket's Role
```
{
  "Version": "2012-10-17",
  "Id": "PutObjPolicy",
  "Statement": [
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::source-bucket/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    },
    {
      "Sid": "AWSSourcebucketWrite20131101",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::external_account_who_write_the_files:root",
          "arn:aws:iam::external_account_who_write_the_files:root",
          "arn:aws:iam::external_account_who_write_the_files:root"
        ]
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::source-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
```
And this is the target bucket policy
```
{
  "Version": "2012-10-17",
  "Id": "PutObjPolicy",
  "Statement": [
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::source-bucket-replication/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        },
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    },
    {
      "Sid": "Stmt123",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::source_bucket_account:root"
      },
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete"
      ],
      "Resource": "arn:aws:s3:::source-bucket-replication/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    }
  ]
}
```
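As an added example (not part of the original post, and not an AWS tool), the following Python script is a minimal evaluator for S3 bucket-policy statements. It embeds condensed copies of the two policies posted above, with the thread's placeholder account names, and checks them against the two request types in the thread: the syslog upload (s3:PutObject) and the cross-account replication write (s3:ReplicateObject). The caller ARNs, object keys and the assumption that an account-root principal covers any identity in that account are all constructed for the example; only the Null, Bool and StringEquals operators used by these policies are implemented.

```python
# Added example: simplified IAM/S3 bucket-policy evaluation (deny-overrides-allow).
# Not the AWS policy simulator; operators limited to those in the posted policies.

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account_of(arn):
    # arn:partition:service:region:account:resource -> the account field
    return arn.split(":")[4]

def _principal_matches(principal, caller_arn):
    if principal == "*":
        return True
    for p in _as_list(principal.get("AWS", [])):
        if p == "*" or p == caller_arn:
            return True
        # Assumption: an ":root" principal covers every identity in that account,
        # provided the caller's own IAM policy also allows the action.
        if p.endswith(":root") and _account_of(p) == _account_of(caller_arn):
            return True
    return False

def _action_matches(action, requested):
    return any(a in ("*", "s3:*", requested) for a in _as_list(action))

def _resource_matches(resource, requested):
    for r in _as_list(resource):
        if r == "*" or r == requested:
            return True
        if r.endswith("*") and requested.startswith(r[:-1]):
            return True
    return False

def _condition_matches(condition, context):
    # Every operator/key pair inside one Condition block must hold (AND).
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "Null":
                # "true" matches only when the key is absent from the request
                if (actual is None) != (expected == "true"):
                    return False
            elif operator == "Bool":
                if actual is None or actual.lower() != expected.lower():
                    return False
            elif operator == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            else:
                raise ValueError(f"operator {operator} not implemented here")
    return True

def evaluate(policy, caller_arn, action, resource, context):
    """Return (decision, matching_sids); decision is Allow, Deny or ImplicitDeny."""
    matched = []
    for stmt in policy["Statement"]:
        if (_principal_matches(stmt["Principal"], caller_arn)
                and _action_matches(stmt["Action"], action)
                and _resource_matches(stmt["Resource"], resource)
                and _condition_matches(stmt.get("Condition", {}), context)):
            matched.append((stmt["Sid"], stmt["Effect"]))
    effects = {effect for _, effect in matched}
    decision = "Deny" if "Deny" in effects else "Allow" if "Allow" in effects else "ImplicitDeny"
    return decision, [sid for sid, _ in matched]

# Condensed copies of the posted policies (constructed from the thread).
SOURCE_POLICY = {"Statement": [
    {"Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::source-bucket/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    {"Sid": "AWSSourcebucketWrite20131101", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::external_account_who_write_the_files:root"]},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::source-bucket/*",
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
]}
TARGET_POLICY = {"Statement": [
    {"Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::source-bucket-replication/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"},
                   "Bool": {"aws:SecureTransport": "true"}}},
    {"Sid": "Stmt123", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::source_bucket_account:root"},
     "Action": ["s3:ReplicateObject", "s3:ReplicateDelete"],
     "Resource": "arn:aws:s3:::source-bucket-replication/*",
     "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
]}

def check_syslog_upload(sse_header):
    """A syslog host in the writer account uploads a rotated log (hypothetical caller/key)."""
    context = {"s3:x-amz-acl": "bucket-owner-full-control", "aws:SecureTransport": "true"}
    if sse_header:
        context["s3:x-amz-server-side-encryption"] = sse_header
    return evaluate(SOURCE_POLICY,
                    "arn:aws:iam::external_account_who_write_the_files:user/syslog-uploader",
                    "s3:PutObject", "arn:aws:s3:::source-bucket/syslog/2024-01-01.gz", context)

def check_replication(secure_transport="true"):
    """S3, acting as the replication role in the source account, writes to the target bucket."""
    context = {"aws:SecureTransport": secure_transport, "s3:x-amz-server-side-encryption": "AES256"}
    return evaluate(TARGET_POLICY,
                    "arn:aws:iam::source_bucket_account:role/s3-replication-role",  # hypothetical role
                    "s3:ReplicateObject",
                    "arn:aws:s3:::source-bucket-replication/syslog/2024-01-01.gz", context)

if __name__ == "__main__":
    print("upload without SSE header:", check_syslog_upload(None))
    print("upload with SSE-S3:       ", check_syslog_upload("AES256"))
    print("replication over TLS:     ", check_replication())
    print("replication without TLS:  ", check_replication("false"))
```

Run as-is it shows that the source-bucket Deny fires on an upload without an SSE header, and that the target policy's Deny statement covers only s3:PutObject, so a replication write over TLS is admitted by Stmt123. Under these assumptions the bucket policies alone do not explain a FAILED replication status; the remaining checks (versioning enabled on both buckets, the replication role's trust policy and its permissions on the source and destination) live outside the bucket policy and are not modelled here.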
Comments
Did you give the S3 service itself an Assume Role? Without that it won't work.
And out of that, you need the part where the source and backup buckets are under two separate accounts. (But I assume you've already read it)
https://docs.aws.amazon.com/AmazonS3/latest/dev/setting-repl-config-perm-overview.html
Yes, the assume role policy is set up.
I've had good experiences with AWS support. :)
FAILED is a terminal state that occurs only due to permission failures or misconfiguration (such as recreation of the destination bucket without versioning)
Are the two buckets set up with a similar config, for instance?