Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

List of S3 permissions necessary use? #10

Open
colindean opened this issue Nov 10, 2019 · 8 comments · May be fixed by #15
Open

List of S3 permissions necessary use? #10

colindean opened this issue Nov 10, 2019 · 8 comments · May be fixed by #15

Comments

@colindean
Copy link

@colindean colindean commented Nov 10, 2019

It'd be nice to have a list of permissions that are necessary for sync to work.

@withdave
Copy link

@withdave withdave commented Nov 16, 2019

I've got it working with the following - would be good to know someone tunes it further:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SyncAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::BUCKET",
                "arn:aws:s3:::BUCKET/*"
            ]
        }
    ]
}

bwbaugh added a commit to bwbaugh/ilovesushi that referenced this issue Dec 28, 2019
@n1ru4l n1ru4l linked a pull request Jan 22, 2020 that will close this issue
@n1ru4l
Copy link

@n1ru4l n1ru4l commented Jan 22, 2020

@withdave Your solution did not work out for me. After some research, I figured out that this is correct: #15

It would be nice if anyone here could confirm so we can add it to the README.

@tobiasfaust
Copy link

@tobiasfaust tobiasfaust commented May 18, 2020

works, i´m using less grants:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:ListBucket", "s3:DeleteObject" ], "Resource": [ "arn:aws:s3:::BUCKETS", "arn:aws:s3:::BUCKETS/*" ] } ] }

@withdave
Copy link

@withdave withdave commented Aug 10, 2020

I just revisited this, sorry for the pings months later.

I think the base policy based on args: --follow-symlinks --delete needs to be (as per @tobiasfaust):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "s3actionsync",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::YOUR_BUCKET_NAME",
                "arn:aws:s3:::YOUR_BUCKET_NAME/*"
            ]
        }
    ]
}

@n1ru4l - I'm not clear enough on why s3:GetBucketLocation is needed, are you using a different arg for the tool?

Then, if you're going to use the --acl public-read option for args: --acl public-read --follow-symlinks --delete, then you'll need to add in s3:PutObjectAcl so it can set individual files to public access, as below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "s3actionsync",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::YOUR_BUCKET_NAME",
                "arn:aws:s3:::YOUR_BUCKET_NAME/*"
            ]
        }
    ]
}

@JanRaber
Copy link

@JanRaber JanRaber commented Oct 13, 2020

@withdave - For me s3:GetBucketLocation was also not necessary. But I had to use s3:GetObjectAcl, which is missing in your most recent comment.

@n1ru4l Thanks for adding this to the README (#15). Hopefully @jakejarvis will merge this at some point, would've definitely saved me some time.

@gairik
Copy link

@gairik gairik commented Feb 2, 2021

Works without DeleteObject also
{ "Version": "2012-10-17", "Statement": [ { "Sid": "s3actionsync", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:PutObjectAcl", "s3:GetObjectAcl", "s3:GetObject", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::YOUR_BUCKET_NAME", "arn:aws:s3:::YOUR_BUCKET_NAME/*" ] } ] }

@andre-lx
Copy link

@andre-lx andre-lx commented Mar 5, 2021

@gairik works if you are not using the flag --delete

@benjiwright
Copy link

@benjiwright benjiwright commented Mar 9, 2021

Was this the wrong approach?

  1. create a new IAM user/group with programmatic access to S3
  2. create bucket policy with new IAM user's arn as the principal to the S3 resource

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

8 participants