What is the minimal IAM permission to run s3_data_store? #30

Open
dlibanori opened this issue Jan 22, 2018 · 3 comments

@dlibanori

  • s3:GetObject
  • s3:PutObject
  • s3:DeleteObject

Is that all?

@nashbridges

Here's what permissions you might need:

Reading

  • s3:GetObject

Writing

  • s3:PutObject
  • s3:GetBucketLocation (for bucket_exists?. And make sure the bucket exists, otherwise there will be an attempt to create it, which needs s3:CreateBucket)
  • s3:PutObjectAcl (if you agree with default 'x-amz-acl' => 'public-read', otherwise do not provide the permission and change :storage_headers instead)

Deleting

  • s3:DeleteObject

@andrewgarner

After some trial and error I managed to get it working with the following permissions:

  • s3:GetBucketLocation
  • s3:GetObject
  • s3:GetObjectAcl
  • s3:PutObject
  • s3:PutObjectAcl
  • s3:DeleteObject

@duckworth

I am also struggling with the actual minimal IAM permissions. I am seeing a ton of 403 forbidden errors getting generated by this library and it appears to be due to the storage.sync_clock which calls ListBuckets on S3 (a GET /) for which the IAM user does not have permissions.

Any thoughts on making sync_clock optional or using an operation the IAM user has permissions for to achieve it (it appears to ignore the error and just parse the response headers Date anyway)?
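
The permissions listed in the comments above, written out as an IAM policy with each action scoped to the resource type it applies to (an added example, not from the project or from any commenter). `EXAMPLE-BUCKET` is a placeholder, and the bucket is assumed to exist already, so s3:CreateBucket is not granted. The third statement is only relevant if the default 'x-amz-acl' => 'public-read' header is kept.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BucketLevelLookup",
      "Effect": "Allow",
      "Action": "s3:GetBucketLocation",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET"
    },
    {
      "Sid": "ObjectReadWriteDelete",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*"
    },
    {
      "Sid": "ObjectAclForDefaultPublicRead",
      "Effect": "Allow",
      "Action": [
        "s3:GetObjectAcl",
        "s3:PutObjectAcl"
      ],
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*"
    }
  ]
}
```

s3:GetBucketLocation is a bucket-level action and must target the bucket ARN without `/*`, while the object actions target `EXAMPLE-BUCKET/*`. The policy does not grant s3:ListAllMyBuckets, the permission ListBuckets requires, so it does not change the 403 responses described in the last comment.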
