Cross-Account Replication With the Wasabi S3 API

Bucket-level cross-account replication enables you to use resources in different buckets across Wasabi accounts for your web applications.

Scheduling a Cross-Account Replication Job

  1. Create a source bucket on account-1 and a destination bucket on account-2.

    Source-bucket: my-replication-source-account-1
    Source-bucket-arn: arn:aws:s3:::my-replication-source-account-1
    Destination-bucket: my-replication-destination-account-2
    Destination-bucket-arn: arn:aws:s3:::my-replication-destination-account-2

    Make sure the source and destination buckets have the same versioning property when scheduling the replication configuration:
        Non-versioned source -> Non-versioned destination
        Versioned source -> Versioned destination

  2. Create an IAM policy in account-1.

    Policy: My-Policy-Account-1
    Policy-Document:

    JSON

    {
       "Version": "2012-10-17",
       "Statement": [
          {
             "Effect": "Allow",
             "Action": [
                "s3:ListBucket",
                "s3:GetReplicationConfiguration",
                "s3:GetObjectVersionForReplication",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectVersionTagging",
                "s3:GetObjectRetention",
                "s3:GetObjectLegalHold"
             ],
             "Resource": [
                "arn:aws:s3:::my-replication-source-account-1",
                "arn:aws:s3:::my-replication-source-account-1/*",
                "arn:aws:s3:::my-replication-destination-account-2",
                "arn:aws:s3:::my-replication-destination-account-2/*"
             ]
          },
          {
             "Effect": "Allow",
             "Action": [
                "s3:ReplicateObject",
                "s3:ReplicateDelete",
                "s3:ReplicateTags"
             ],
             "Resource": [
                "arn:aws:s3:::my-replication-source-account-1/*",
                "arn:aws:s3:::my-replication-destination-account-2/*"
             ]
          }
       ]
    }

  3. Create a role and attach the IAM policy (account-1).

    Role: My-Role-Account-1
    Role-Arn: arn:aws:iam::account-1-id:role/My-Role-Account-1
    Role trust policy:

    JSON

    {
       "Version": "2012-10-17",
       "Statement": [
          {
             "Effect": "Allow",
             "Principal": {
                 "AWS": "*"
             },
             "Action": "sts:AssumeRole"
          }
       ]
    }

  4. Create a destination bucket policy (account-2).

    Destination-bucket policy:

    JSON

    {
       "Version": "2012-10-17",
       "Statement": [
          {
             "Sid": "Set-permissions-for-objects",
             "Effect": "Allow",
             "Principal": {
                "AWS": "arn:aws:iam::account-1-id:role/My-Role-Account-1"
             },
             "Action": [
                "s3:ReplicateObject",
                "s3:ReplicateDelete",
                "s3:ReplicateTags"
             ],
             "Resource": "arn:aws:s3:::my-replication-destination-account-2/*"
          },
          {
             "Sid": "Set permissions on bucket",
             "Effect": "Allow",
             "Principal": {
                "AWS": "arn:aws:iam::account-1-id:role/My-Role-Account-1"
             },
             "Action": [
                "s3:List*",
                "s3:GetBucketVersioning",
                "s3:PutBucketVersioning"
             ],
             "Resource": "arn:aws:s3:::my-replication-destination-account-2"
          }
       ]
    }

  5. Schedule a cross-account replication job, per the criteria below.

Schedule a Cross-Account Replication Job (Without Filters)

PUT https://s3.<region>.wasabisys.com/my-replication-source-account-1?replication

Request body:

XML

<?xml version="1.0" encoding="UTF-8"?>
<ReplicationConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
   <Role>arn:aws:iam::account-1-id:role/My-Role-Account-1</Role>
   <Rule>
      <ID>Cross-acct-replication-no-filter</ID>
      <Priority>1</Priority>
      <Status>Enabled</Status>
      <DeleteMarkerReplication>
         <Status>Enabled</Status>
      </DeleteMarkerReplication>
      <Destination>
         <Bucket>arn:aws:s3:::my-replication-destination-account-2</Bucket>
         <Account>account-2-id</Account>
         <AccessControlTranslation>
            <Owner>Destination</Owner>
         </AccessControlTranslation>
      </Destination>
      <Filter></Filter>
   </Rule>
</ReplicationConfiguration>


Status: 200 OK

Response body: No content

Schedule a Cross-Account Replication Job (With Filter—Prefix Alone)

The following example replicates only objects/folders that match the prefix “Office-” condition.

PUT https://s3.<region>.wasabisys.com/my-replication-source-account-1?replication


Request body:

XML

<?xml version="1.0" encoding="UTF-8"?>
<ReplicationConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
   <Role>arn:aws:iam::account-1-id:role/My-Role-Account-1</Role>
   <Rule>
      <ID>Cross-acct-replication-prefix-filter</ID>
      <Priority>1</Priority>
      <Status>Enabled</Status>
      <DeleteMarkerReplication>
         <Status>Enabled</Status>
      </DeleteMarkerReplication>
      <Destination>
         <Bucket>arn:aws:s3:::my-replication-destination-account-2</Bucket>
         <Account>account-2-id</Account>
         <AccessControlTranslation>
            <Owner>Destination</Owner>
         </AccessControlTranslation>
      </Destination>
      <Filter>
         <Prefix>Office-</Prefix>
      </Filter>
   </Rule>
</ReplicationConfiguration>


Status: 200 OK

Response body: No content

Schedule a Cross-Account Replication Job (With Filter—Tags Alone)

The following example replicates objects that match the Tags condition.

PUT https://s3.<region>.wasabisys.com/my-replication-source-account-1?replication

Request body:

XML

<?xml version="1.0" encoding="UTF-8"?>
<ReplicationConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
   <Role>arn:aws:iam::account-1-id:role/My-Role-Account-1</Role>
   <Rule>
      <ID>Cross-acct-replication-tags-filter</ID>
      <Priority>1</Priority>
      <Status>Enabled</Status>
      <DeleteMarkerReplication>
         <Status>Disabled</Status>
      </DeleteMarkerReplication>
      <Destination>
         <Bucket>arn:aws:s3:::my-replication-destination-account-2</Bucket>
         <Account>account-2-id</Account>
         <AccessControlTranslation>
            <Owner>Destination</Owner>
         </AccessControlTranslation>
      </Destination>
      <Filter>
         <And>
            <Tag>
               <Key>key2</Key>
               <Value>value2</Value>
            </Tag>
            <Tag>
               <Key>key1</Key>
               <Value>value1</Value>
            </Tag>
         </And>
      </Filter>
   </Rule>
</ReplicationConfiguration>

Status: 200 OK

Response body: No content

Schedule a Cross-Account Replication Job (With Filter—Both Prefix and Tags)

The following example replicates only objects that match the Prefix and Tags conditions.

PUT https://s3.<region>.wasabisys.com/my-replication-source-account-1?replication

Request body:

XML

<?xml version="1.0" encoding="UTF-8"?>
<ReplicationConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
   <Role>arn:aws:iam::account-1-id:role/My-Role-Account-1</Role>
   <Rule>
      <ID>Cross-acct-replication-prefix-tags-filter</ID>
      <Priority>1</Priority>
      <Status>Enabled</Status>
      <DeleteMarkerReplication>
         <Status>Disabled</Status>
      </DeleteMarkerReplication>
      <Destination>
         <Bucket>arn:aws:s3:::my-replication-destination-account-2</Bucket>
         <Account>account-2-id</Account>
         <AccessControlTranslation>
            <Owner>Destination</Owner>
         </AccessControlTranslation>
      </Destination>
      <Filter>
         <And>
            <Prefix>common/</Prefix>
            <Tag>
               <Key>key2</Key>
               <Value>value2</Value>
            </Tag>
            <Tag>
               <Key>key1</Key>
               <Value>value1</Value>
            </Tag>
         </And>
      </Filter>
   </Rule>
</ReplicationConfiguration>

Status: 200 OK

Response body: No content
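
A review of a replication configuration in the format shown above, run before the `PUT`, added here as an example (not Wasabi's code). The `review` function, the approved-account list, `account-3-id` and `placeholder-other-bucket` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}

# Constructed sample in this page's rule format: one unfiltered rule, and one
# prefix rule whose Account value has a trailing space and an unlisted account.
SAMPLE = """<ReplicationConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Role>arn:aws:iam::account-1-id:role/My-Role-Account-1</Role>
  <Rule><ID>all-objects</ID><Status>Enabled</Status>
    <DeleteMarkerReplication><Status>Enabled</Status></DeleteMarkerReplication>
    <Destination><Bucket>arn:aws:s3:::my-replication-destination-account-2</Bucket>
      <Account>account-2-id</Account></Destination>
    <Filter></Filter></Rule>
  <Rule><ID>office-only</ID><Status>Enabled</Status>
    <DeleteMarkerReplication><Status>Disabled</Status></DeleteMarkerReplication>
    <Destination><Bucket>arn:aws:s3:::placeholder-other-bucket</Bucket>
      <Account>account-3-id </Account></Destination>
    <Filter><Prefix>Office-</Prefix></Filter></Rule>
</ReplicationConfiguration>"""


def text(node, path):
    """Raw element text ('' if the element is absent), whitespace preserved."""
    return node.findtext(path, default="", namespaces=NS) or ""


def review(xml_text, approved_accounts):
    """Return findings for a replication configuration before it is PUT."""
    root = ET.fromstring(xml_text)
    findings = []
    if text(root, "s3:Role") != text(root, "s3:Role").strip():
        findings.append("Role: surrounding whitespace")
    for rule in root.findall("s3:Rule", NS):
        rid = text(rule, "s3:ID")
        account = text(rule, "s3:Destination/s3:Account")
        if account != account.strip():
            findings.append(f"{rid}: Account has surrounding whitespace")
        if account.strip() not in approved_accounts:
            findings.append(f"{rid}: destination account {account.strip()} not approved")
        flt = rule.find("s3:Filter", NS)
        if flt is None or not (flt.findall(".//s3:Prefix", NS) or flt.findall(".//s3:Tag", NS)):
            findings.append(f"{rid}: no prefix or tag filter, every object is in scope")
        if text(rule, "s3:DeleteMarkerReplication/s3:Status") == "Enabled":
            findings.append(f"{rid}: delete markers replicate to the destination")
    return findings
```
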

Replicating Existing Objects

To replicate the existing objects from the source to the destination, call the following API only after scheduling the replication configuration.

PUT https://s3.<region>.wasabisys.com/my-replication-source-account-1?manifestCreateAndProcess

Request body: No content

Status: 200 OK

Response body:

XML

<?xml version="1.0" encoding="UTF-8"?>
<ManifestCreateAndProcess>jobId : f234de0f-XXXX-ABCD-bc3a-45d4a6874b95</ManifestCreateAndProcess>

Updating the Replication Configuration

The following example updates the previous Prefix value from “common/” to “private/” and the previous tag key1=value1 to key3=value3.

PUT https://s3.<region>.wasabisys.com/my-replication-source-account-1?replication

Request body:

XML

<?xml version="1.0" encoding="UTF-8"?>
<ReplicationConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
   <Role>arn:aws:iam::account-1-id:role/My-Role-Account-1</Role>
   <Rule>
      <ID>Cross-acct-replication-prefix-tags-filter</ID>
      <Priority>1</Priority>
      <Status>Enabled</Status>
      <DeleteMarkerReplication>
         <Status>Disabled</Status>
      </DeleteMarkerReplication>
      <Destination>
         <Bucket>arn:aws:s3:::my-replication-destination-account-2</Bucket>
         <Account>account-2-id</Account>
         <AccessControlTranslation>
            <Owner>Destination</Owner>
         </AccessControlTranslation>
      </Destination>
      <Filter>
         <And>
            <Prefix>private/</Prefix>
            <Tag>
               <Key>key2</Key>
               <Value>value2</Value>
            </Tag>
            <Tag>
               <Key>key3</Key>
               <Value>value3</Value>
            </Tag>
         </And>
      </Filter>
   </Rule>
</ReplicationConfiguration>

Status: 200 OK

Response body: No content

Deleting the Replication Configuration

DELETE https://s3.<region>.wasabisys.com/my-replication-source-account-1?replication

Request body: No content

Status: 204 No Content

Response body: No content