{S3}マルチリージョンアクセスポイントの作成


https://dev.classmethod.jp/articles/s3-multi-region-access-points/

 

-- 1. コマンド等のインストール

-- 1.1 aws cli version 2 インストール

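# Install AWS CLI v2 from the official bundle.
# -f: fail on HTTP errors instead of saving an error page as "awscliv2.zip".
# The bundle's detached GPG signature is checked before anything is unpacked,
# so a tampered or truncated download is never installed. The AWS CLI signing
# public key must already be imported into gpg (it is published in the AWS CLI
# installation documentation).
curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sig" -o "awscliv2.sig"
gpg --verify awscliv2.sig awscliv2.zip || { printf 'awscliv2.zip: signature verification failed\n' >&2; exit 1; }
unzip awscliv2.zip
sudo ./aws/install
aws --version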

 

-- 2. S3 バケットを作成する

# Create the two buckets that will become the MRAP members, one per region
# (bucket123-01 in ap-northeast-1 first, bucket123-02 in us-east-1 second),
# then list all buckets to confirm they exist.
while read -r bucket region; do
  aws s3 mb "s3://${bucket}" --region "${region}"
done <<'EOF'
bucket123-01 ap-northeast-1
bucket123-02 us-east-1
EOF

aws s3 ls

 


-- 3. マルチリージョンアクセスポイントの作成

※マルチリージョンアクセスポイント関連のアクションは US West (Oregon) Region へルーティングされる

 

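# Multi-Region Access Point control-plane calls are routed to us-west-2 (see
# the note above), so --region is passed per command instead of exporting
# AWS_DEFAULT_REGION for the whole session; only the working default
# (ap-northeast-1) is exported at the end. 999999999999 is the account ID used
# throughout these notes.

aws s3control list-multi-region-access-points \
  --region us-west-2 \
  --account-id 999999999999

# create-multi-region-access-point is asynchronous: it returns a request token
# and the access point only becomes usable once the operation completes.
# PublicAccessBlock is fully enabled so the MRAP cannot be used to expose
# either member bucket publicly.
request_token=$(aws s3control create-multi-region-access-point \
  --region us-west-2 \
  --account-id 999999999999 \
  --query RequestTokenARN --output text \
  --details '{
        "Name": "bucket123-mrap",
        "PublicAccessBlock": {
            "BlockPublicAcls": true,
            "IgnorePublicAcls": true,
            "BlockPublicPolicy": true,
            "RestrictPublicBuckets": true
        },
        "Regions": [
            { "Bucket": "bucket123-01" },
            { "Bucket": "bucket123-02" }
        ]
    }')

# Check progress of the async create (it takes a few minutes); re-run until
# the operation reports success.
aws s3control describe-multi-region-access-point-operation \
  --region us-west-2 \
  --account-id 999999999999 \
  --request-token-arn "${request_token}"

# Queried after the create request so the name resolves.
aws s3control get-multi-region-access-point \
  --region us-west-2 \
  --account-id 999999999999 \
  --name bucket123-mrap

# Working default region for the remaining steps.
export AWS_DEFAULT_REGION=ap-northeast-1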

※時間がすこしかかる

 

-- 4. バケットバージョニングの有効化

# Versioning must be on for the replication rules configured in section 8.
# Show the current state of both buckets first, then enable it on each.
buckets=(bucket123-01 bucket123-02)

for b in "${buckets[@]}"; do
  aws s3api get-bucket-versioning --bucket "${b}"
done

for b in "${buckets[@]}"; do
  aws s3api put-bucket-versioning \
    --bucket "${b}" \
    --versioning-configuration Status=Enabled
done

 


-- 5. ポリシーの作成 

-- 5.1 バケット bucket123-01用

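# Replication permissions for bucket123-01 as the source: read object
# versions/ACLs/tags from bucket123-01, read its bucket listing and
# replication configuration, and write replicas into bucket123-02 only.
# Written with a quoted heredoc (instead of an interactive editor) so the
# JSON is reproducible and nothing in it is expanded by the shell.
cat > policy01.json <<'EOF'
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "s3:GetObjectVersionForReplication",
            "s3:GetObjectVersionAcl",
            "s3:GetObjectVersionTagging"
         ],
         "Resource":[
            "arn:aws:s3:::bucket123-01/*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:ListBucket",
            "s3:GetReplicationConfiguration"
         ],
         "Resource":[
            "arn:aws:s3:::bucket123-01"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:ReplicateObject",
            "s3:ReplicateDelete",
            "s3:ReplicateTags"
         ],
         "Resource":"arn:aws:s3:::bucket123-02/*"
      }
   ]
}
EOF

aws iam create-policy \
  --policy-name policy01 \
  --policy-document file://policy01.json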


-- 5.2 バケット bucket123-02用

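# Replication permissions for bucket123-02 as the source: mirror image of
# policy01 — read from bucket123-02, write replicas into bucket123-01 only.
# Written with a quoted heredoc so the JSON is reproducible and nothing in
# it is expanded by the shell.
cat > policy02.json <<'EOF'
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "s3:GetObjectVersionForReplication",
            "s3:GetObjectVersionAcl",
            "s3:GetObjectVersionTagging"
         ],
         "Resource":[
            "arn:aws:s3:::bucket123-02/*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:ListBucket",
            "s3:GetReplicationConfiguration"
         ],
         "Resource":[
            "arn:aws:s3:::bucket123-02"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:ReplicateObject",
            "s3:ReplicateDelete",
            "s3:ReplicateTags"
         ],
         "Resource":"arn:aws:s3:::bucket123-01/*"
      }
   ]
}
EOF

aws iam create-policy \
  --policy-name policy02 \
  --policy-document file://policy02.json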


-- 6. ロールの作成

-- 6.1 バケット bucket123-01用

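# Trust policy for the replication role used by bucket123-01.
# The S3 service principal is shared by every bucket in every account, so a
# bare "s3.amazonaws.com" trust would let S3 assume this role on behalf of a
# bucket that is not ours (confused deputy). The Condition pins the trust to
# this account and to the source bucket that actually uses the role.
cat > role01.json <<'EOF'
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"s3.amazonaws.com"
         },
         "Action":"sts:AssumeRole",
         "Condition":{
            "StringEquals":{
               "aws:SourceAccount":"999999999999"
            },
            "ArnLike":{
               "aws:SourceArn":"arn:aws:s3:::bucket123-01"
            }
         }
      }
   ]
}
EOF

aws iam create-role \
  --role-name role01 \
  --assume-role-policy-document file://role01.json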

-- 6.2 バケット bucket123-02用

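# Trust policy for the replication role used by bucket123-02.
# As with role01, the Condition restricts who can make S3 assume the role:
# only this account, and only on behalf of bucket123-02 — without it, any
# bucket anywhere could be configured to use this role (confused deputy).
cat > role02.json <<'EOF'
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"s3.amazonaws.com"
         },
         "Action":"sts:AssumeRole",
         "Condition":{
            "StringEquals":{
               "aws:SourceAccount":"999999999999"
            },
            "ArnLike":{
               "aws:SourceArn":"arn:aws:s3:::bucket123-02"
            }
         }
      }
   ]
}
EOF

aws iam create-role \
  --role-name role02 \
  --assume-role-policy-document file://role02.json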

-- 7. ポリシーをロールにアタッチ
-- 7.1 バケット bucket123-01用

# Grant role01 the bucket123-01 -> bucket123-02 replication permissions.
aws iam attach-role-policy \
  --role-name role01 \
  --policy-arn arn:aws:iam::999999999999:policy/policy01

-- 7.2 バケット bucket123-02用

# Grant role02 the bucket123-02 -> bucket123-01 replication permissions.
aws iam attach-role-policy \
  --role-name role02 \
  --policy-arn arn:aws:iam::999999999999:policy/policy02

 

-- 8. レプリケーションルールの作成

-- 8.1 バケット bucket123-01用

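# Show any replication configuration already on bucket123-01 (this call
# fails if none is set yet), then install rule rep01: replicate every key
# (empty prefix filter) from bucket123-01 into bucket123-02 using role01.
# DeleteMarkerReplication is Disabled, so deletes are not propagated.
# Written with a quoted heredoc so the JSON is reproducible and nothing in
# it is expanded by the shell.
aws s3api get-bucket-replication \
  --bucket bucket123-01

cat > rep01.json <<'EOF'
{
    "Role": "arn:aws:iam::999999999999:role/role01",
    "Rules": [
        {
            "ID": "rep01",
            "Status": "Enabled",
            "Priority": 1,
            "DeleteMarkerReplication": { "Status": "Disabled" },
            "Filter" : { "Prefix": ""},
            "Destination": {
                "Bucket": "arn:aws:s3:::bucket123-02"
            }
        }
    ]
}
EOF

aws s3api put-bucket-replication \
  --bucket bucket123-01 \
  --replication-configuration file://rep01.json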

 

-- 8.2 バケット bucket123-02用

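# Reverse direction: show any existing replication configuration on
# bucket123-02 (fails if none is set yet), then install rule rep02:
# replicate every key from bucket123-02 into bucket123-01 using role02.
# DeleteMarkerReplication is Disabled, so deletes are not propagated.
# Written with a quoted heredoc so the JSON is reproducible and nothing in
# it is expanded by the shell.
aws s3api get-bucket-replication \
  --bucket bucket123-02

cat > rep02.json <<'EOF'
{
    "Role": "arn:aws:iam::999999999999:role/role02",
    "Rules": [
        {
            "ID": "rep02",
            "Status": "Enabled",
            "Priority": 1,
            "DeleteMarkerReplication": { "Status": "Disabled" },
            "Filter" : { "Prefix": ""},
            "Destination": {
                "Bucket": "arn:aws:s3:::bucket123-01"
            }
        }
    ]
}
EOF

aws s3api put-bucket-replication \
  --bucket bucket123-02 \
  --replication-configuration file://rep02.json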

 

-- 9. 動作確認


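# Functional check: upload the same 200 MiB random file three ways, compare
# timings, then confirm the replicated copy exists in both buckets. The
# recorded "real" timings from the original run are kept as comments — as
# bare lines they would be executed as commands.
dd if=/dev/urandom of=200M.dmp bs=1M count=200

# Direct to the ap-northeast-1 bucket.
time aws s3api put-object --bucket bucket123-01 --key 01/200M.dmp --body 200M.dmp
# real    0m3.078s   (observed)

# Direct to the us-east-1 bucket.
time aws s3api put-object --bucket bucket123-02 --key 02/200M.dmp --body 200M.dmp
# real    0m17.317s  (observed)

# Through the MRAP alias; the observed time was close to the local bucket's.
time aws s3api put-object --bucket arn:aws:s3::999999999999:accesspoint/m36apiec7aobq.mrap --key mrap/200M.dmp --body 200M.dmp
# real    0m3.712s   (observed)

aws s3 ls s3://bucket123-01 --recursive
aws s3 ls s3://bucket123-02 --recursive

# The mrap/ key should be present in both buckets once replication has run;
# replication is asynchronous, so re-run head-object if one side is missing.
aws s3api head-object --bucket bucket123-01 --key mrap/200M.dmp
aws s3api head-object --bucket bucket123-02 --key mrap/200M.dmp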

 

-- 10. クリーンアップ


-- ロールの一覧
# Confirm the two replication roles exist before tearing them down.
for n in 01 02; do
  aws iam list-roles | grep -- "role${n}"
done

-- ロールの削除

# A role cannot be deleted while a managed policy is attached, so each role
# is detached from its policy and then deleted.
for n in 01 02; do
  aws iam detach-role-policy \
    --role-name "role${n}" \
    --policy-arn "arn:aws:iam::999999999999:policy/policy${n}"
  aws iam delete-role --role-name "role${n}"
done

-- ポリシーの一覧
# Confirm the two replication policies exist before deleting them.
for n in 01 02; do
  aws iam list-policies | grep -- "policy${n}"
done

-- ポリシーの削除
# Delete the replication policies (they must already be detached from the roles).
for n in 01 02; do
  aws iam delete-policy \
    --policy-arn "arn:aws:iam::999999999999:policy/policy${n}"
done

 


-- マルチリージョンアクセスポイントの削除
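# MRAP control-plane calls go to us-west-2, so --region is passed per
# command rather than exporting it for the whole session; only the working
# default (ap-northeast-1) is exported at the end.
aws s3control list-multi-region-access-points \
  --region us-west-2 \
  --account-id 999999999999

# delete-multi-region-access-point is asynchronous and returns a request
# token; the access point disappears only when the operation completes.
request_token=$(aws s3control delete-multi-region-access-point \
  --region us-west-2 \
  --account-id 999999999999 \
  --query RequestTokenARN --output text \
  --details '{
        "Name": "bucket123-mrap"
    }')

# Check progress of the async delete (takes a few minutes); re-run until
# the operation reports success.
aws s3control describe-multi-region-access-point-operation \
  --region us-west-2 \
  --account-id 999999999999 \
  --request-token-arn "${request_token}"

export AWS_DEFAULT_REGION=ap-northeast-1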

※時間がすこしかかる

-- 全バージョンの削除

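#######################################
# Permanently delete every object version and delete marker in a bucket.
# `aws s3 rb --force` removes only current objects, so the non-current
# versions left by versioning and replication must be purged first or the
# bucket deletion fails. Version IDs are specific to one run, so they are
# read from list-object-versions instead of being hard-coded.
# Arguments: $1 - bucket name (required)
# Outputs:   delete-object responses on stdout
#######################################
purge_all_versions() {
  local bucket=${1:?bucket name required}
  local selector key version_id
  for selector in 'Versions[].[Key,VersionId]' 'DeleteMarkers[].[Key,VersionId]'; do
    # Each row is "<Key>\t<VersionId>"; with --output text an empty list is
    # printed as the literal word "None", which must be skipped.
    aws s3api list-object-versions \
      --bucket "${bucket}" \
      --query "${selector}" \
      --output text |
    while IFS=$'\t' read -r key version_id; do
      [[ -z "${key}" || "${key}" == None ]] && continue
      aws s3api delete-object \
        --bucket "${bucket}" \
        --key "${key}" \
        --version-id "${version_id}"
    done
  done
}

# Show what is about to be removed, then purge, for each bucket.
aws s3api list-object-versions \
  --bucket bucket123-01
purge_all_versions bucket123-01

aws s3api list-object-versions \
  --bucket bucket123-02
purge_all_versions bucket123-02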

-- バケットの削除
# List the buckets, then remove both member buckets. --force deletes the
# remaining current objects first; the versions were purged above.
aws s3 ls

for b in bucket123-01 bucket123-02; do
  aws s3 rb "s3://${b}" --force
done