Copying Objects

This topic describes how to copy objects in Object Storage. You can copy objects to other buckets in the same region and to buckets in other regions.

Required IAM Policies

To use Oracle Cloud Infrastructure, you must be granted security access in a policy by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don’t have permission or are unauthorized, verify with your administrator what type of access you have and which compartment to work in.

If you're new to policies, see Getting Started with Policies and Common Policies.

Caution

Object copy does not work if you do not authorize the Object Storage service to copy objects on your behalf. See Service Permissions for more information.

User Permissions

You must have the required access to both the source and destination buckets when performing an object copy. You must also have permissions to manage objects in the source and destination buckets.

For administrators:

You can create a policy that lets the specified IAM group manage Object Storage namespaces, buckets, and their associated objects in all compartments in the tenancy:
```
Allow group <IAM_group_name> to manage object-family in tenancy
```
Alternatively, you can create policies that reduce the scope of access. For example, to let the specified group manage only buckets and objects in a particular compartment in the tenancy:
```
Allow group <IAM_group_name> to manage buckets in compartment <compartment_name>
```

For more information about other alternatives for writing policies, see Details for Object Storage, Archive Storage, and Data Transfer.

Service Permissions

Because Object Storage is a regional service, you must authorize the Object Storage service for each region carrying out copy operations on your behalf. For example, you might authorize the Object Storage service in region US East (Ashburn) to manage objects on your behalf. After you authorize the Object Storage service, you can copy an object stored in a US East (Ashburn) bucket to a bucket in another region.

To determine the region identifier value of an Oracle Cloud Infrastructure region, see Regions and Availability Domains.

For administrators:

To enable object copy, you must authorize the service to manage objects on your behalf:

You can create a policy that authorizes the service in the specified region to manage Object Storage namespaces, buckets, and their associated objects in all compartments in the tenancy:
```
Allow service objectstorage-<region_identifier> to manage object-family in tenancy
```

Instead of using the policy verb manage, you can create a policy that reduces the scope of access by instead using one of the following statements:

Allow service objectstorage-<region_identifier> to manage object-family in tenancy where any {request.permission='OBJECT_READ', request.permission='OBJECT_INSPECT', request.permission='OBJECT_CREATE', request.permission='OBJECT_OVERWRITE', request.permission='OBJECT_DELETE'}

Allow service objectstorage-<region_identifier> to manage object-family in compartment <compartment_name> where any {request.permission='OBJECT_READ', request.permission='OBJECT_INSPECT', request.permission='OBJECT_CREATE', request.permission='OBJECT_OVERWRITE', request.permission='OBJECT_DELETE'}

Copy Object Work Requests

The Object Storage service handles copy requests asynchronously. The service creates a queue for copy requests, and then processes the requests when system resources become available. To provide visibility for in-progress copy operations, Object Storage creates a work request. You can track the progress of the copy operation by monitoring the status of the work request.

The work request statuses are:

ACCEPTED

The copy request is in the work request queue to be processed.

IN_PROGRESS

The object copy is in progress.

COMPLETED

The copy operation has successfully completed.

CANCELING

The copy request is in the process of being canceled.

CANCELED

The copy request has been canceled.

FAILED

The copy operation has failed. Work requests that do not complete because of overwrite rules or insufficient user authorizations are assigned the failed status.

You can determine the reason a copy failed in the following ways:

To use the CLI, see Obtaining the Details of a Failed Copy Work Request.
To use the API, see ListWorkRequestErrors.

Copy Object Overwrite Rules

Use overwrite rules to control the copying of objects based on their entity tag (ETag) values.

Overwrite destination object: Use this option when you do not want to limit a copy operation by an ETag value. This option is the default. This option can be used for any copy operation, regardless of whether it involves overwriting an existing object.
Do not overwrite any destination object: Use this option to prevent the overwriting an existing copy of an object in the destination location, regardless of the destination object's ETag value.
Overwrite destination object only if it matches the specified ETag: Use this option to prevent the accidental overwriting of an object in the destination location that does not have the specified ETag. When you use this option, the copy operation only succeeds if the ETag you supply when initiating the copy request matches the ETag of the destination object.
Copy object only if the source matches the specified ETag: Use this option if you want the copy operation successful only if the ETag you supply when initiating the copy request matches the ETag of the source object. For objects that are intentionally updated and overwritten as part of data management activity, this option ensures that only the specified version of the object (as indicated by the ETag) is allowed to be copied. If the object's ETag value changes after the copy work request is created, but before the copy operation is run, the copy operation will not complete.

Caution

If you overwrite an object, the operation cannot be undone.

Scope and Constraints

Objects cannot be copied directly from Archive Storage. To copy objects that are currently in Archive Storage, you must first restore the object to the Standard Object Storage tier. Objects can be copied directly to Archive tier buckets from the Standard or Infrequent Access tiers. When you copy objects into an Archive Storage bucket, the copy of the object is immediately archived.
Specify an existing target bucket for the copy request. The copy operation does not automatically create buckets.
When an object is copied, the destination object receives a new ETag value.
If you rename, overwrite, or delete a source object during a copy operation, the copy operation fails and the destination object is not created or overwritten.
Bulk copying is not supported. Identify a single object in the copy request.