You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I think it would be very helpful to document the S3 policy permissions that are required to use the NIO provider in an ECS or EC2 environment. In particular, it turns out that it's not enough to grant the standard s3:ListBucket, s3:PutObject, s3:GetObject actions. The provider requests ACL information for bucket objects, so we are having to add s3:GetObjectAcl and s3:GetBucketAcl permissions as well, even if all we are doing with the provider is walking the directory tree and enumerating files. This wasn't obvious at all, and required enabling debug logging at the http wire level to see what was going on, and even then it took a sharp-eyed developer to notice the ?acl request in the HTTP GETs.
This may be related to #106... When the NIO client doesn't need to provide Acl info, the NIO provider shouldn't require Acl permissions.
The text was updated successfully, but these errors were encountered:
I think it would be very helpful to document the S3 policy permissions that are required to use the NIO provider in an ECS or EC2 environment. In particular, it turns out that it's not enough to grant the standard
s3:ListBucket
,s3:PutObject
,s3:GetObject
actions. The provider requests ACL information for bucket objects, so we are having to adds3:GetObjectAcl
ands3:GetBucketAcl
permissions as well, even if all we are doing with the provider is walking the directory tree and enumerating files. This wasn't obvious at all, and required enabling debug logging at the http wire level to see what was going on, and even then it took a sharp-eyed developer to notice the ?acl request in the HTTP GETs.This may be related to #106... When the NIO client doesn't need to provide Acl info, the NIO provider shouldn't require Acl permissions.
The text was updated successfully, but these errors were encountered: