List of S3 permissions necessary use?

[colindean]

It'd be nice to have a list of permissions that are necessary for sync to work.

[withdave]

I've got it working with the following - would be good to know someone tunes it further:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SyncAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::BUCKET",
                "arn:aws:s3:::BUCKET/*"
            ]
        }
    ]
}

[n1ru4l]

@withdave Your solution did not work out for me. After some research, I figured out that this is correct: #15

It would be nice if anyone here could confirm so we can add it to the README.

[tobiasfaust]

works, i´m using less grants:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:ListBucket", "s3:DeleteObject" ], "Resource": [ "arn:aws:s3:::BUCKETS", "arn:aws:s3:::BUCKETS/*" ] } ] }

[withdave]

I just revisited this, sorry for the pings months later.

I think the base policy based on args: --follow-symlinks --delete needs to be (as per @tobiasfaust):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "s3actionsync",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::YOUR_BUCKET_NAME",
                "arn:aws:s3:::YOUR_BUCKET_NAME/*"
            ]
        }
    ]
}

@n1ru4l - I'm not clear enough on why s3:GetBucketLocation is needed, are you using a different arg for the tool?

Then, if you're going to use the --acl public-read option for args: --acl public-read --follow-symlinks --delete, then you'll need to add in s3:PutObjectAcl so it can set individual files to public access, as below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "s3actionsync",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::YOUR_BUCKET_NAME",
                "arn:aws:s3:::YOUR_BUCKET_NAME/*"
            ]
        }
    ]
}

[JanRaber]

@withdave - For me s3:GetBucketLocation was also not necessary. But I had to use s3:GetObjectAcl, which is missing in your most recent comment.

@n1ru4l Thanks for adding this to the README (#15). Hopefully @jakejarvis will merge this at some point, would've definitely saved me some time.

[gairik]

Works without DeleteObject also
{ "Version": "2012-10-17", "Statement": [ { "Sid": "s3actionsync", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:PutObjectAcl", "s3:GetObjectAcl", "s3:GetObject", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::YOUR_BUCKET_NAME", "arn:aws:s3:::YOUR_BUCKET_NAME/*" ] } ] }

[andre-lx]

@gairik works if you are not using the flag --delete

[benjiwright]

Was this the wrong approach?

1. create a new IAM user/group with programmatic access to S3
2. create bucket policy with new IAM user's arn as the principal to the S3 resource