List of S3 permissions necessary for use?
It'd be nice to have a list of permissions that are necessary for sync to work.
I've got it working with the following - it would be good to know if someone tunes it further:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SyncAccess",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObjectAcl",
"s3:GetObject",
"s3:ListBucket",
"s3:DeleteObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::BUCKET",
"arn:aws:s3:::BUCKET/*"
]
}
]
}
@withdave Your solution did not work out for me. After some research, I figured out that this is correct: https://github.com/jakejarvis/s3-sync-action/pull/15
It would be nice if anyone here could confirm so we can add it to the README.
Works, I'm using fewer grants:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::BUCKETS",
"arn:aws:s3:::BUCKETS/*"
]
}
]
}
I just revisited this, sorry for the pings months later.
I think the base policy based on args: --follow-symlinks --delete needs to be (as per @tobiasfaust):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "s3actionsync",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::YOUR_BUCKET_NAME",
"arn:aws:s3:::YOUR_BUCKET_NAME/*"
]
}
]
}
@n1ru4l - I'm not clear enough on why s3:GetBucketLocation is needed, are you using a different arg for the tool?
Then, if you're going to use the --acl public-read option for args: --acl public-read --follow-symlinks --delete, then you'll need to add in s3:PutObjectAcl so it can set individual files to public access, as below:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "s3actionsync",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket",
"s3:DeleteObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::YOUR_BUCKET_NAME",
"arn:aws:s3:::YOUR_BUCKET_NAME/*"
]
}
]
}
@withdave - For me s3:GetBucketLocation was also not necessary. But I had to use s3:GetObjectAcl, which is missing in your most recent comment.
@n1ru4l Thanks for adding this to the README (#15). Hopefully @jakejarvis will merge this at some point; it would've definitely saved me some time.
Works without DeleteObject also:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "s3actionsync",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObjectAcl",
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::YOUR_BUCKET_NAME",
"arn:aws:s3:::YOUR_BUCKET_NAME/*"
]
}
]
}
@gairik works if you are not using the flag --delete
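The thread above converges on a rule: the sync needs s3:PutObject, s3:GetObject and s3:ListBucket on the bucket and its objects, --delete adds s3:DeleteObject, and --acl public-read adds s3:PutObjectAcl (one commenter also needed s3:GetObjectAcl). The script below is an added example, not code from s3-sync-action or from anyone in the thread: it builds the minimal policy for a given args string and checks an existing policy document for missing actions, over-broad grants (including s3:* wildcards) and the common mistake of granting only the BUCKET/* resource, which leaves s3:ListBucket without the bucket ARN it needs. The per-flag mapping encodes only what the thread reports, and the sample policy is the one gairik posted above.

```python
import fnmatch
import json

# Actions the thread reports per aws s3 sync option (assumption: this mapping
# reflects the comments above, not an official AWS statement).
BASE_ACTIONS = {"s3:PutObject", "s3:GetObject", "s3:ListBucket"}
FLAG_ACTIONS = {
    "--delete": {"s3:DeleteObject"},
    "--acl": {"s3:PutObjectAcl", "s3:GetObjectAcl"},
}

# Policy posted by gairik in the thread, reused here as sample input.
THREAD_POLICY = json.loads("""{ "Version": "2012-10-17", "Statement": [ { "Sid": "s3actionsync",
 "Effect": "Allow", "Action": [ "s3:PutObject", "s3:PutObjectAcl", "s3:GetObjectAcl",
 "s3:GetObject", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::YOUR_BUCKET_NAME",
 "arn:aws:s3:::YOUR_BUCKET_NAME/*" ] } ] }""")


def required_actions(args):
    """Set of S3 actions needed for the given `args` string (e.g. '--delete --acl public-read')."""
    flags = set(args.split())
    needed = set(BASE_ACTIONS)
    for flag, actions in FLAG_ACTIONS.items():
        if flag in flags:
            needed |= actions
    return needed


def bucket_arns(bucket):
    """ListBucket is evaluated on the bucket ARN, object actions on BUCKET/*; both are needed."""
    return {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}


def build_policy(bucket, args, sid="s3actionsync"):
    """Minimal IAM policy document for one bucket and the given args."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": sid,
            "Effect": "Allow",
            "Action": sorted(required_actions(args)),
            "Resource": sorted(bucket_arns(bucket)),
        }],
    }


def _as_list(value):
    # IAM allows a single string/object or a list in Statement, Action and Resource.
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _covered(patterns, name):
    # IAM matches actions and resources case-insensitively with '*' wildcards.
    return any(fnmatch.fnmatchcase(name.lower(), p.lower()) for p in patterns)


def policy_gaps(policy, bucket, args):
    """Compare an existing policy with what the args require.

    Returns (missing_actions, excess_grants, missing_resources). excess_grants lists
    Allow patterns beyond the needed set, and any wildcard pattern such as 's3:*'."""
    allowed, resources = [], []
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        allowed += _as_list(st.get("Action"))
        resources += _as_list(st.get("Resource"))
    needed = required_actions(args)
    needed_lc = {a.lower() for a in needed}
    missing = sorted(a for a in needed if not _covered(allowed, a))
    excess = sorted({p for p in allowed if "*" in p or p.lower() not in needed_lc})
    missing_res = sorted(r for r in bucket_arns(bucket) if not _covered(resources, r))
    return missing, excess, missing_res


if __name__ == "__main__":
    args = "--acl public-read --follow-symlinks --delete"
    print(json.dumps(build_policy("YOUR_BUCKET_NAME", args), indent=2))
    # With --delete present this reports s3:DeleteObject missing, matching the reply above.
    print(policy_gaps(THREAD_POLICY, "YOUR_BUCKET_NAME", args))
```

Run it against your own policy by loading the JSON and calling policy_gaps with the exact args string you pass to the action; an empty excess list and an empty missing_resources list is the least-privilege shape the thread settled on.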
Was this the wrong approach?
- create a new IAM user/group with programmatic access to S3
- create bucket policy with new IAM user's arn as the principal to the S3 resource