使用 Codebuild 将 DynamoDB 导出到 S3 到另一个帐户
Export DynamoDB to S3 to another account using Codebuild
我已经为 运行 以下命令创建了代码构建。
aws dynamodb export-table-to-point-in-time \
--table-arn arn:aws:dynamodb:REDACTED:REDACTED:table/REDACTED \
--s3-bucket REDACTED \
--s3-bucket-owner REDACTED
我还创建了一个 service-role 并附加了以下内联策略。
{
"Sid": "",
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::REDACTED/*",
"arn:aws:s3:::REDACTED"
]
}
最后,我更新了 S3 存储桶以允许 service-role 写入存储桶:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::REDACTED:role/service-role/REDACTED"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::REDACTED/*",
"arn:aws:s3:::REDACTED"
]
}
]
}
代码构建正确调用命令,但由于权限原因导出失败。
[Container] 2022/03/08 11:50:42 Running command aws dynamodb export-table-to-point-in-time \
--table-arn arn:aws:dynamodb:REDACTED:REDACTED:table/REDACTED \
--s3-bucket REDACTED \
--s3-bucket-owner REDACTED
{
"ExportDescription": {
"ExportArn": "arn:aws:dynamodb:REDACTED:REDACTED:table/REDACTED/export/REDACTED",
"ExportStatus": "IN_PROGRESS",
"StartTime": "2022-03-08T11:50:46.714000+00:00",
"TableArn": "arn:aws:dynamodb:REDACTED:REDACTED:table/REDACTED",
"TableId": "REDACTED",
"ExportTime": "2022-03-08T11:50:46.714000+00:00",
"ClientToken": "REDACTED",
"S3Bucket": "REDACTED",
"S3BucketOwner": "REDACTED",
"S3SseAlgorithm": "AES256",
"ExportFormat": "DYNAMODB_JSON"
}
}
[Container] 2022/03/08 11:50:46 Phase complete: BUILD State: SUCCEEDED
如果我从 AWS 控制台调用(即作为我的用户),我可以导出跨账户。但是使用代码构建和上面的命令,它失败了。
我错过了什么?
我解决了这个问题。
问题是在 aws dynamodb export-table-to-point-in-time CLI 命令中引用了错误的 accountId。
我已经为 运行 以下命令创建了代码构建。
aws dynamodb export-table-to-point-in-time \
--table-arn arn:aws:dynamodb:REDACTED:REDACTED:table/REDACTED \
--s3-bucket REDACTED \
--s3-bucket-owner REDACTED
我还创建了一个 service-role 并附加了以下内联策略。
{
"Sid": "",
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::REDACTED/*",
"arn:aws:s3:::REDACTED"
]
}
最后,我更新了 S3 存储桶以允许 service-role 写入存储桶:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::REDACTED:role/service-role/REDACTED"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::REDACTED/*",
"arn:aws:s3:::REDACTED"
]
}
]
}
代码构建正确调用命令,但由于权限原因导出失败。
[Container] 2022/03/08 11:50:42 Running command aws dynamodb export-table-to-point-in-time \
--table-arn arn:aws:dynamodb:REDACTED:REDACTED:table/REDACTED \
--s3-bucket REDACTED \
--s3-bucket-owner REDACTED
{
"ExportDescription": {
"ExportArn": "arn:aws:dynamodb:REDACTED:REDACTED:table/REDACTED/export/REDACTED",
"ExportStatus": "IN_PROGRESS",
"StartTime": "2022-03-08T11:50:46.714000+00:00",
"TableArn": "arn:aws:dynamodb:REDACTED:REDACTED:table/REDACTED",
"TableId": "REDACTED",
"ExportTime": "2022-03-08T11:50:46.714000+00:00",
"ClientToken": "REDACTED",
"S3Bucket": "REDACTED",
"S3BucketOwner": "REDACTED",
"S3SseAlgorithm": "AES256",
"ExportFormat": "DYNAMODB_JSON"
}
}
[Container] 2022/03/08 11:50:46 Phase complete: BUILD State: SUCCEEDED
如果我从 AWS 控制台调用(即作为我的用户),我可以导出跨账户。但是使用代码构建和上面的命令,它失败了。
我错过了什么?
我解决了这个问题。
问题是在 aws dynamodb export-table-to-point-in-time CLI 命令中引用了错误的 accountId。