Bucket-level cross-account replication enables you to utilize resources in different buckets across Wasabi account(s) for your web applications.
Scheduling a Cross-Account Replication Job
Create a source bucket on account-1 and a destination bucket on account-2.
Source-bucket: my-replication-source-account-1
Source-bucket-arn: arn:aws:s3:::my-replication-source-account-1
Destination-bucket: my-replication-destination-account-2
Destination-bucket-arn: arn:aws:s3:::my-replication-destination-account-2
Make sure the source and destination buckets have the same bucket property (versioned or non-versioned) when scheduling the replication configuration.
Non-versioned source —> Non-versioned destination
Versioned source —> Versioned destination
Create an IAM policy in account-1.
Policy: My-Policy-Account-1
Policy-Document:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetReplicationConfiguration",
        "s3:GetObjectVersionForReplication",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectVersionTagging",
        "s3:GetObjectRetention",
        "s3:GetObjectLegalHold"
      ],
      "Resource": [
        "arn:aws:s3:::my-replication-source-account-1",
        "arn:aws:s3:::my-replication-source-account-1/*",
        "arn:aws:s3:::my-replication-destination-account-2",
        "arn:aws:s3:::my-replication-destination-account-2/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete",
        "s3:ReplicateTags"
      ],
      "Resource": [
        "arn:aws:s3:::my-replication-source-account-1/*",
        "arn:aws:s3:::my-replication-destination-account-2/*"
      ]
    }
  ]
}
Create a role and attach the IAM policy (account-1).
Role: My-Role-Account-1
Role-Arn: arn:aws:iam::account-1-id:role/My-Role-Account-1
Role trust policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "*" },
      "Action": "sts:AssumeRole"
    }
  ]
}
Create a destination bucket policy (account-2).
Destination-bucket policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Set-permissions-for-objects",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::account-1-id:role/My-Role-Account-1" },
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete",
        "s3:ReplicateTags"
      ],
      "Resource": "arn:aws:s3:::my-replication-destination-account-2/*"
    },
    {
      "Sid": "Set permissions on bucket",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::account-1-id:role/My-Role-Account-1" },
      "Action": [
        "s3:List*",
        "s3:GetBucketVersioning",
        "s3:PutBucketVersioning"
      ],
      "Resource": "arn:aws:s3:::my-replication-destination-account-2"
    }
  ]
}
Schedule a cross-account replication job, per the criteria below.
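A pre-flight review of the role trust policy and destination bucket policy from the steps above, added here as an example (not Wasabi's code): it flags Allow statements with a wildcard principal, a wildcard action, a principal other than the replication role, or a resource outside the destination bucket. The function names and finding strings are this example's own.

```python
import json

ROLE_ARN = "arn:aws:iam::account-1-id:role/My-Role-Account-1"
DEST_BUCKET = "arn:aws:s3:::my-replication-destination-account-2"

# Role trust policy and destination bucket policy, copied from the steps above.
TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}""")
DEST = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "Set-permissions-for-objects", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::account-1-id:role/My-Role-Account-1"},
   "Action": ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags"],
   "Resource": "arn:aws:s3:::my-replication-destination-account-2/*"},
  {"Sid": "Set permissions on bucket", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::account-1-id:role/My-Role-Account-1"},
   "Action": ["s3:List*", "s3:GetBucketVersioning", "s3:PutBucketVersioning"],
   "Resource": "arn:aws:s3:::my-replication-destination-account-2"}]}""")

def as_list(value):
    """Policy fields may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def principals(stmt):
    """Flatten the Principal element ("*" or {"AWS": ...}) into a list."""
    p = stmt.get("Principal", {})
    return ["*"] if p == "*" else [a for v in p.values() for a in as_list(v)]

def audit(policy, name, role_arn=None, bucket_arn=None):
    """Return (statement, finding) pairs for Allow statements worth reviewing."""
    findings = []
    for i, st in enumerate(as_list(policy["Statement"])):
        if st.get("Effect") != "Allow":
            continue
        where = "%s[%d]" % (name, i)
        for p in principals(st):
            if p == "*" and "Condition" not in st:
                findings.append((where, "wildcard principal, no Condition"))
            elif role_arn and p not in ("*", role_arn):
                findings.append((where, "unexpected principal " + p))
        for a in as_list(st.get("Action", [])):
            if "*" in a:
                findings.append((where, "wildcard action " + a))
        for r in as_list(st.get("Resource", [])):
            if bucket_arn and r not in (bucket_arn, bucket_arn + "/*"):
                findings.append((where, "resource outside bucket " + r))
    return findings

print(audit(TRUST, "trust") + audit(DEST, "dest", ROLE_ARN, DEST_BUCKET))
```

On this page's documents it reports the `"AWS": "*"` principal in the trust policy and the `s3:List*` action in the bucket policy; whether either can be narrowed depends on what Wasabi's replication service requires, which the page does not state.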
Schedule a Cross-Account Replication Job (Without Filters)
PUT https://s3.<region>.wasabisys.com/my-replication-source-account-1?replication
Request body:
<?xml version="1.0" encoding="UTF-8"?>
<ReplicationConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<Role>arn:aws:iam::account-1-id:role/My-Role-Account-1</Role>
<Rule>
<ID>Cross-acct-replication-no-filter</ID>
<Priority>1</Priority>
<Status>Enabled</Status>
<DeleteMarkerReplication>
<Status>Enabled</Status>
</DeleteMarkerReplication>
<Destination>
<Bucket>arn:aws:s3:::my-replication-destination-account-2</Bucket>
<Account>account-2-id</Account>
<AccessControlTranslation>
<Owner>Destination</Owner>
</AccessControlTranslation>
</Destination>
<Filter></Filter>
</Rule>
</ReplicationConfiguration>
Status: 200 OK
Response body: No content
Schedule a Cross-Account Replication Job (With Filter—Prefix Alone)
The following example replicates only objects/folders whose names match the prefix “Office-”.
PUT https://s3.<region>.wasabisys.com/my-replication-source-account-1?replication
Request body:
<?xml version="1.0" encoding="UTF-8"?>
<ReplicationConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<Role>arn:aws:iam::account-1-id:role/My-Role-Account-1</Role>
<Rule>
<ID>Cross-acct-replication-prefix-filter</ID>
<Priority>1</Priority>
<Status>Enabled</Status>
<DeleteMarkerReplication>
<Status>Enabled</Status>
</DeleteMarkerReplication>
<Destination>
<Bucket>arn:aws:s3:::my-replication-destination-account-2</Bucket>
<Account>account-2-id</Account>
<AccessControlTranslation>
<Owner>Destination</Owner>
</AccessControlTranslation>
</Destination>
<Filter>
<Prefix>Office-</Prefix>
</Filter>
</Rule>
</ReplicationConfiguration>
Status: 200 OK
Response body: No content
Schedule a Cross-Account Replication Job (With Filter—Tags Alone)
The following example replicates objects that match the Tags condition.
PUT https://s3.<region>.wasabisys.com/my-replication-source-account-1?replication
Request body:
<?xml version="1.0" encoding="UTF-8"?>
<ReplicationConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<Role>arn:aws:iam::account-1-id:role/My-Role-Account-1</Role>
<Rule>
<ID>Cross-acct-replication-tags-filter</ID>
<Priority>1</Priority>
<Status>Enabled</Status>
<DeleteMarkerReplication>
<Status>Disabled</Status>
</DeleteMarkerReplication>
<Destination>
<Bucket>arn:aws:s3:::my-replication-destination-account-2</Bucket>
<Account>account-2-id</Account>
<AccessControlTranslation>
<Owner>Destination</Owner>
</AccessControlTranslation>
</Destination>
<Filter>
<And>
<Tag>
<Key>key2</Key>
<Value>value2</Value>
</Tag>
<Tag>
<Key>key1</Key>
<Value>value1</Value>
</Tag>
</And>
</Filter>
</Rule>
</ReplicationConfiguration>
Status: 200 OK
Response body: No content
Schedule a Cross-Account Replication Job (With Filter—Both Prefix and Tags)
The following example replicates only objects that match the Prefix and Tags conditions.
PUT https://s3.<region>.wasabisys.com/my-replication-source-account-1?replication
Request body:
<?xml version="1.0" encoding="UTF-8"?>
<ReplicationConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<Role>arn:aws:iam::account-1-id:role/My-Role-Account-1</Role>
<Rule>
<ID>Cross-acct-replication-prefix-tags-filter</ID>
<Priority>1</Priority>
<Status>Enabled</Status>
<DeleteMarkerReplication>
<Status>Disabled</Status>
</DeleteMarkerReplication>
<Destination>
<Bucket>arn:aws:s3:::my-replication-destination-account-2</Bucket>
<Account>account-2-id</Account>
<AccessControlTranslation>
<Owner>Destination</Owner>
</AccessControlTranslation>
</Destination>
<Filter>
<And>
<Prefix>common/</Prefix>
<Tag>
<Key>key2</Key>
<Value>value2</Value>
</Tag>
<Tag>
<Key>key1</Key>
<Value>value1</Value>
</Tag>
</And>
</Filter>
</Rule>
</ReplicationConfiguration>
Status: 200 OK
Response body: No content
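To see which objects a rule would copy to the other account before submitting it, the following added example (not Wasabi's code) parses a request body and evaluates its Filter against a constructed object listing. It assumes S3-style matching, where the key must start with the Prefix and every Tag in the And block must be present with the same value; the function names and sample objects are this example's own.

```python
import xml.etree.ElementTree as ET

NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}

# Request body from the prefix-and-tags example above, abbreviated to the
# elements that decide object selection.
CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<ReplicationConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Role>arn:aws:iam::account-1-id:role/My-Role-Account-1</Role>
  <Rule>
    <ID>Cross-acct-replication-prefix-tags-filter</ID>
    <Status>Enabled</Status>
    <Filter><And>
      <Prefix>common/</Prefix>
      <Tag><Key>key2</Key><Value>value2</Value></Tag>
      <Tag><Key>key1</Key><Value>value1</Value></Tag>
    </And></Filter>
  </Rule>
</ReplicationConfiguration>"""

# Constructed sample objects: (key, tags).
OBJECTS = [
    ("common/report.csv", {"key1": "value1", "key2": "value2"}),
    ("common/extra.bin", {"key1": "value1", "key2": "value2", "owner": "hr"}),
    ("common/draft.txt", {"key1": "value1"}),
    ("private/payroll.csv", {"key1": "value1", "key2": "value2"}),
]

def parse_rules(xml_text):
    """Return (id, status, prefix, required_tags) for every Rule element."""
    rules = []
    for rule in ET.fromstring(xml_text.encode("utf-8")).findall("s3:Rule", NS):
        flt = rule.find("s3:Filter", NS)
        prefix, tags = "", {}  # an empty Filter selects every object
        if flt is not None:
            prefix = flt.findtext(".//s3:Prefix", "", NS)
            for tag in flt.findall(".//s3:Tag", NS):
                tags[tag.findtext("s3:Key", "", NS)] = tag.findtext("s3:Value", "", NS)
        rules.append((rule.findtext("s3:ID", "", NS),
                      rule.findtext("s3:Status", "", NS), prefix, tags))
    return rules

def selected_keys(xml_text, objects):
    """Keys matched by an Enabled rule (assumed: prefix AND every tag match)."""
    rules = [r for r in parse_rules(xml_text) if r[1] == "Enabled"]
    return [key for key, tags in objects
            if any(key.startswith(prefix)
                   and all(tags.get(k) == v for k, v in want.items())
                   for _id, _status, prefix, want in rules)]
```

With the sample listing, only `common/report.csv` and `common/extra.bin` are selected: extra tags on an object do not prevent a match, while a missing tag or a different prefix does.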
Replicating Existing Objects
To replicate the existing objects from the source to the destination, call the following API only after scheduling the replication configuration.
PUT https://s3.<region>.wasabisys.com/my-source-account-1?manifestCreateAndProcess
Request body: No content
Status: 200 OK
Response body:
<?xml version="1.0" encoding="UTF-8"?>
<ManifestCreateAndProcess>jobId : f234de0f-XXXX-ABCD-bc3a-45d4a6874b95</ManifestCreateAndProcess>
Updating the Replication Configuration
The following example changes the previous Prefix value “common/” to “private/” and the previous tag key1=value1 to key3=value3.
PUT https://s3.<region>.wasabisys.com/my-replication-source-account-1?replication
Request body:
<?xml version="1.0" encoding="UTF-8"?>
<ReplicationConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<Role>arn:aws:iam::account-1-id:role/My-Role-Account-1</Role>
<Rule>
<ID>Cross-acct-replication-prefix-tags-filter</ID>
<Priority>1</Priority>
<Status>Enabled</Status>
<DeleteMarkerReplication>
<Status>Disabled</Status>
</DeleteMarkerReplication>
<Destination>
<Bucket>arn:aws:s3:::my-replication-destination-account-2</Bucket>
<Account>account-2-id</Account>
<AccessControlTranslation>
<Owner>Destination</Owner>
</AccessControlTranslation>
</Destination>
<Filter>
<And>
<Prefix>private/</Prefix>
<Tag>
<Key>key2</Key>
<Value>value2</Value>
</Tag>
<Tag>
<Key>key3</Key>
<Value>value3</Value>
</Tag>
</And>
</Filter>
</Rule>
</ReplicationConfiguration>
Status: 200 OK
Response body: No content
Deleting the Replication Configuration
DELETE https://s3.<region>.wasabisys.com/my-replication-source-account-1?replication
Request body: No content
Status: 204 No Content
Response body: No content