I have backups in Amazon S3 which I want to share with another party but limit their access to read-only - list snapshots, restore from a snapshot.
I can add a secondary password (via key add) and provide that to the other party; however, there doesn't seem to be any access control here.
I've tried adding a secondary IAM user (to be used with the secondary password) and adjusted IAM policies to block write access. However, restic fails with an error:
$ restic -v -r s3://s3.amazonaws.com/my-bucket snapshots
enter password for repository:
repository 0fc99253 opened (version 2, compression level auto)
created new cache in /home/atodorov/.cache/restic
Save(<lock/5775d0aa83>) failed: client.PutObject: User: arn:aws:iam::694552342904:user/read-only is not authorized to perform: s3:PutObject on resource: "arn:aws:s3:::my-bucket/locks/5775d0aa83db9761ffe0aa370a6f7404d08bfb67bdab3bb1e0b92690ad14bb4c" because no identity-based policy allows the s3:PutObject action
It looks like even list/read operations are actually writing files.
Is read-only access even possible?
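As an added illustration (this is not the poster's policy and not text from restic's documentation), the following IAM policy expresses "read everything, but allow object writes only under the locks/ prefix", which is the one object the error message above shows restic trying to write. The bucket name is the one from the post; the statement Sids are made up here, and the assumption is that listing snapshots and restoring need no write other than creating and later removing that lock file, so everything else under the bucket stays read-only for this user:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListAndLocateBucket",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::my-bucket"
    },
    {
      "Sid": "ReadAllObjects",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    },
    {
      "Sid": "WriteOnlyLockFiles",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::my-bucket/locks/*"
    }
  ]
}
```

With this attached to the read-only IAM user, a PutObject against data/, snapshots/, keys/ or index/ is still denied, while the lock write from the error above is permitted, so the blast radius of a leaked secondary credential is limited to creating or deleting lock files. Whether that is enough for the restore workflow is something to verify against the exact restic version in use, since the assumption about which writes it performs is the example's, not the page's.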