如果必须将文件从帐户A复制到帐户B，则在写入文件之前，应让帐户A在帐户B中扮演角色.如果由于某种原因您不能在帐户B中扮演某个角色，那么可以将访问权限设置为允许对存储桶拥有者进行完全控制:

If you have to copy a file from account A to account B, then you should have account A assume a role in account B before writing the file. If for some reason you can't assume a role in account B to do it, then you can set the access to allow full control to the bucket owner:

aws s3 cp --acl bucket-owner-full-control localFile s3://bucketname/path/filename

存储桶拥有者可以使用以下规则来强制执行此要求:

The bucket owner can enforce this requirement with the following rule:

{
    "Sid": "CrossAccountWritePermissionsDenier",
    "Effect": "Deny",
    "Principal": {
        "AWS": "arn-of-account-A-pusher"
    },
    "Action": [
        "s3:PutObject"
    ],
    "Resource": [
        "arn:aws:s3:::bucketname/path/given/access/*",
        "arn:aws:s3:::bucketname/other/path/given/access/*"
    ],
    "Condition": {
        "StringNotEquals": {
            "s3:x-amz-acl": "bucket-owner-full-control"
        }
    }
}

此方法的一个警告是，如果您拥有一个帐户C(读取者)，并且帐户B(存储桶拥有者)也被授予了帐户A(写入者)将文件推送到其中的路径的读取特权，则帐户C将无法读取帐户A推送的文件，因为它们实际上不是帐户B拥有的.这是您面临的问题.

One caveat to this approach is that if you have an account C (reader) which was also granted read privileges by account B (bucket owner) for the path that account A (writer) pushed a file into, then account C will not be able to read files pushed by account A since they aren't actually owned by account B. This is the issue you are facing.

如果在推送之前帐户A承担了帐户B的角色，则文件将由帐户B拥有，因此，帐户C将能够读取该文件.否则，帐户B将必须移动文件(因为帐户B具有完全访问权限)，然后帐户C将能够在其新位置读取文件.

If account A instead assumed a role in account B before pushing, then the file would be owned by account B, and therefore, account C would be able to read it. Otherwise, account B will have to move the file (since account B has full access) and then account C will be able to read the file in its new location.

理论上，您可以通过从存储桶所有者的角色将文件复制到自身来更改所有权:

In theory, you can change ownership by copying the file to itself from the bucket owner's role:

aws s3 cp s3://bucketname/path/filename s3://bucketname/path/filename

但是，除非您要进行某些更改(例如所有者，元数据，acl等)，否则它将不允许您执行此操作.因此，您只能从存储桶拥有者的角色执行此操作，而不能从原始(非存储桶拥有者)上传者的角色执行此操作.

It will not let you do this, however, unless you are changing something (such as the owner, metadata, acl, etc). So you can only do this from the bucket owner's role, not from the original (non-bucket-owner) uploader's role.