Copy Object

Copy an object into a specified bucket in AWS S3.

Note

Objects cannot be copied between buckets that are created in different regions.

Options

Field Definition Type Required
Region Region for your AWS S3 bucket. Choose a region for your AWS S3 bucket. Dropdown TRUE
Canned ACL Canned Access Control List (ACL) to apply to the object.Choose an option from the dropdown.

If None is selected from the dropdown, the following input fields are generated:

  • Grant Full Control

  • Grant Read

  • Grant Read ACP

  • Grant Write ACP

If None is not selected from the dropdown, input fields listed above are not generated and the selected canned ACL is applied to the uploaded object.

Dropdown TRUE

Input

Field Definition Type Required
Source
Bucket Name of the source bucket. String TRUE
Key Key of the source object. String TRUE
Version ID Unique version ID of the current version of an object to copy. If left empty, the most recent object version is copied. If the version ID value is null, enter the string null as input. String FALSE
Server Side Encryption Customer Algorithm Specifies the algorithm to use to when encrypting the object.

For example: AES256.

String FALSE
Server Side Encryption Customer Key Specifies the customer-provided encryption key for AWS S3 to use to decrypt the source object. The encryption key provided in this header must be one that was used when the source object was created. String FALSE
Server Side Encryption Customer Key MD5 Specifies the 128-bit MD5 digest of the encryption key according to RFC 1321. String FALSE
Expected Bucket Owner Account ID of the expected source bucket owner. If the source bucket is owned by a different account, the request will fail with an HTTP 403 (Access Denied) error. String FALSE
If Match Copies the object if its entity tag (ETag) matches the specified tag. String FALSE
If Modified Since Copies the object if it has been modified since the specified time.

For example: Fri, 14 Jan 2022 23:34:36 GMT.

String FALSE
If None Match Copies object if its ETag is different than the specified ETag. String FALSE
If Unmodified Since Copies the object if it hasn't been modified since the specified time.

For example: Fri, 14 Jan 2022 23:34:36 GMT.

String FALSE
Destination
Bucket Name of the destination bucket. String TRUE
Key Key of the destination object. Minimum length of 1. String TRUE
Grant Full Control Allows grantee the read, write, read ACP, and write ACP permissions on the object. Only generated if None is selected for param Canned ACL.
  • ID: if the value specified is the canonical user ID of an AWS account

  • URI: if you are granting permissions to a predefined group

  • Email address: if the value specified is the email address of an AWS account.

For example, ID=11112222333

List of Strings FALSE
Grant Read Allows grantee to read the object data and its metadata. Only generated if None is selected for param Canned ACL.
  • ID: if the value specified is the canonical user ID of an AWS account
  • URI: if you are granting permissions to a predefined group

  • Email address: if the value specified is the email address of an AWS account.

For example, ID=11112222333

List of Strings FALSE
Grant Read ACP Allows grantee to read the object ACL. Only generated if None is selected from Canned ACL.
    ID: if the value specified is the canonical user ID of an AWS account
  • URI: if you are granting permissions to a predefined group

  • Email address: if the value specified is the email address of an AWS account.

For example, ID=11112222333

List of Strings FALSE
Grant Write ACP Allows grantee to write the ACL for the applicable object. Only generated if None is selected from Canned ACL.
    ID: if the value specified is the canonical user ID of an AWS account
  • URI: if you are granting permissions to a predefined group

  • Email address: if the value specified is the email address of an AWS account.

For example, ID=11112222333

List of Strings FALSE
Metadata Directive Specifies whether the metadata is copied from the source object or replaced with metadata provided in the request.

Possible Values:

  • Copy

  • Replace

Dropdown FALSE
Object Lock Legal Hold Specifies whether you want to apply a Legal Hold to the copied object.

Possible Values:

  • On

  • Off

Dropdown FALSE
Content MD5 Base64-encoded 128-bit MD5 digest of the message, without the headers, according to RFC 1864. Input is used as a message integrity check to verify that the data is the same data that was originally sent. For more information about REST request authentication, see REST Authentication. Used in conjunction with input field Object Lock Legal Hold. String FALSE
Object Lock Mode Object Lock mode that you want to apply to the copied object.

Possible Values:

  • Governance

  • Compliance

Dropdown FALSE
Object Lock Retain Until Date Date and time when you want the copied object's Object Lock to expire. String FALSE
Request Payer Confirms that the requester knows that they will be charged for the request. Dropdown FALSE
Server Side Encryption Server-side encryption algorithm used when storing this object in AWS S3.

Possible Values:

  • AES256

  • aws:kms

Dropdown FALSE
Server Side Encryption AWS KMS Key ID Specifies the AWS KMS key ID to use for object encryption. String FALSE
Server Side Encryption Bucket Key Enabled True if AWS S3 should use an S3 Bucket Key for object encryption with server-side encryption using AWS KMS (SSE-KMS); otherwise False.

Setting this header to true causes AWS S3 to use an S3 Bucket Key for object encryption with SSE-KMS.

Boolean FALSE
Server Side Encryption Context Specifies the AWS KMS Encryption Context to use for object encryption. The value of this header is a base64-encoded UTF-8 string holding JSON with the encryption context key-value pairs. String FALSE
Server Side Encryption Customer Algorithm Specifies the algorithm to use to when encrypting the object.

For example, AES256.

String FALSE
Server Side Encryption Customer Key Specifies the customer-provided encryption key for AWS S3 to use in encrypting data. This value is used to store the object and then it is discarded; AWS S3 does not store the encryption key. String FALSE
Server Side Encryption Customer Key MD5 Specifies the 128-bit MD5 digest of the encryption key according to RFC 1321. String FALSE
Expected Bucket Owner Account ID of the expected source bucket owner. If the source bucket is owned by a different account, the request will fail with an HTTP 403 (Access Denied) error. String FALSE
Storage Class By default, AWS S3 uses the Standard Storage Class to store newly created objects. The Standard storage class provides high durability and high availability.

Possible Values:

  • Standard: Default storage class.

  • Reduced Redundancy: designed for noncritical, reproducible data that can be stored with less redundancy than the S3 Standard storage class.

  • Standard IA: AWS S3 stores the object data redundantly across multiple geographically separated Availability Zones.

  • Onezone IA: Recreatable, infrequently accessed data (once a month) with millisecond access.

  • Intelligent Tiering: Data with unknown, changing, or unpredictable access patterns

  • Glacier: Long-lived, archive data accessed once a quarter with millisecond access.

  • Deep Archive: Long-lived archive data accessed less than once a year with retrieval times of hours.

  • Outposts: Use the same APIs and features on AWS Outposts as you do on AWS S3, including access policies, encryption, and tagging.

Dropdown FALSE
Tagging Directive Specifies whether the object tag-set are copied from the source object or replaced with tag-set provided in the request.

Possible Values:

  • Copy

  • Replace

Dropdown FALSE
Tagging Tag-set for the object destination object this value must be used in conjunction with the Tagging Directive. String FALSE
Website Redirect Location If the bucket is configured as a website, redirects requests for this object to another object in the same bucket or to an external URL. String FALSE

Output

Field Definition Type
Response
Version ID Unique version ID of the newly created copy. String
Source Version ID Version of the copied object in the destination bucket. String
Server Side Encryption Server-side encryption algorithm used when storing this object in AWS S3. String
Server Side Encryption AWS KMS Key ID Specifies the he ID of the AWS Key Management Service (AWS KMS) symmetric customer managed key that was used for the object. String
Server Side Encryption Bucket Key Enabled Indicates whether the copied object uses an S3 Bucket Key for server-side encryption with AWS KMS (SSE-KMS). String
Server Side Encryption Context Specifies the AWS KMS Encryption Context to use for object encryption. String
Server Side Encryption Customer Algorithm If server-side encryption with a customer-provided encryption key was requested, the response will include this header confirming the encryption algorithm used. String
Server Side Encryption Customer Key MD5 If server-side encryption with a customer-provided encryption key was requested, the response will include this header to provide round-trip message integrity verification of the customer-provided encryption key. String
Request Charged Indicates that the requester was successfully charged for the request.

Possible Value:Requester

String
Last Modified Creation date of the object. Number
ETag Returns the ETag of the new object. The ETag reflects only changes to the contents of an object, not its metadata. String

Related topics

AWS S3 connector

About the elements of Okta Workflows

AWS S3 Rest API overview