IAM Permissions Required for S3 Access

Hi,

Just wondering if anyone knows what specific permissions Duplicacy requires in order to work with AWS S3.

I have an IAM user with full permissions to the bucket where the backup will be (backup.xxx), but that doesn’t seem to be sufficient. In order to make it work, I had to grant read-only access (List & Get) to all buckets. I thought maybe listing all buckets would be sufficient, but it wasn’t.

Full IAM policy is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListBuckets",
            "Effect": "Allow",
            "Action": [
                "s3:List*",
                "s3:Get*"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "*",
            "Resource": "arn:aws:s3:::backup.xxx.com"
        }
    ]
}

Thanks in advance.

Antony

Actually, I was wrong. You just need full permissions to the target bucket.
I was missing the * at the end of the bucket, so correct permissions are:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BackupBucket",
            "Effect": "Allow",
            "Action": "*",
            "Resource": [
                "arn:aws:s3:::backup.xxx.com",
                "arn:aws:s3:::backup.xxx.com*"
            ]
        }
    ]
}

Please mark as resolved.

I’ve segregated the permissions into

  • ListBucket (which only needs the bucket name without /*)
  • GetObject/PutObject (which need the /* part).

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": [
                "arn:aws:s3:::YOUR_BACKUP_BUCKET_NAME"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::YOUR_BACKUP_BUCKET_NAME/*"
            ]
        }
    ]
}

This seems to work for me.
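
The difference between the three policies in this thread comes down to how resource ARNs are matched, which the following added example (not code from any poster or from Duplicacy) makes visible with a simplified evaluator. It models only Allow/Deny statements with `Action` and `Resource` (no conditions, `NotAction`, bucket policies or SCPs); the object key and the neighbouring bucket name are constructed for illustration.

```python
import re

BUCKET = "arn:aws:s3:::backup.xxx.com"           # bucket name as written in the thread
OBJ = BUCKET + "/chunks/00/abc"                   # constructed object key
NEIGHBOUR = "arn:aws:s3:::backup.xxx.com.old/x"   # constructed: other bucket sharing the prefix

POLICIES = {
    "bucket ARN only": [{"Effect": "Allow", "Action": "*", "Resource": BUCKET}],
    "bucket ARN + trailing *": [{"Effect": "Allow", "Action": "*",
                                 "Resource": [BUCKET, BUCKET + "*"]}],
    "split List / Get+Put": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": [BUCKET]},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": [BUCKET + "/*"]},
    ],
}
REQUESTS = [("s3:ListBucket", BUCKET), ("s3:PutObject", OBJ), ("s3:GetObject", OBJ),
            ("s3:PutObject", NEIGHBOUR), ("s3:DeleteObject", OBJ)]

def wildcard_match(pattern, value, ignore_case=False):
    """IAM-style wildcards: '*' is any run of characters (including '/'), '?' is one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def as_list(v):
    return v if isinstance(v, list) else [v]

def is_allowed(statements, action, resource):
    """Default deny; an explicit Deny overrides any Allow."""
    allowed = False
    for st in statements:
        hit = (any(wildcard_match(a, action, True) for a in as_list(st["Action"]))
               and any(wildcard_match(r, resource) for r in as_list(st["Resource"])))
        if hit and st["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and st["Effect"] == "Allow")
    return allowed

def evaluate():
    """Map each policy name to its allow/deny result for every request in REQUESTS."""
    return {name: [is_allowed(st, a, r) for a, r in REQUESTS]
            for name, st in POLICIES.items()}

if __name__ == "__main__":
    for name, results in evaluate().items():
        print(f"{name:26}", ["allow" if ok else "deny" for ok in results])
```

In the output, the bucket-only ARN allows `s3:ListBucket` but no object operations, and a `*` placed directly after the bucket name also allows the write to the neighbouring bucket, which the `/*` form does not. The split policy denies `s3:DeleteObject` because it never lists that action.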